kubeadm join explained
After kubeadm init ··· completes successfully on the master host, it prints the following:
kubeadm join 192.168.116.103:6443 --token iobdu9.nzpsqo600hfukwk8 \
--discovery-token-ca-cert-hash sha256:61a43240406a53fcbda25158be98cee216aa32bca051f48c480f2c245cd9f154
How to work out the --token and discovery-token-ca-cert-hash values on the master host
--token and discovery-token-ca-cert-hash explained
- --token is used by the master to verify the node's identity
In /etc/kubernetes/manifests/kube-apiserver.yaml the flag --enable-bootstrap-token-auth=true is set.
Token format: token-id.token-secret
1). List the secret objects that carry the bootstrap-token- prefix (token-id)
kubectl get secret -n kube-system | grep bootstrap
[root@k8smaster ~]# kubectl get secret -n kube-system | grep bootstrap
bootstrap-signer-token-sfdzc kubernetes.io/service-account-token 3 4h10m
bootstrap-token-iobdu9 bootstrap.kubernetes.io/token 7 4h10m
The suffix after bootstrap-token- matches the token-id in kubeadm join --token.
2). Inspect the contents of the secret object
[root@k8smaster ~]# kubectl get secret/bootstrap-token-iobdu9 -n kube-system -o yaml
apiVersion: v1
data:
  auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=
  description: VGhlIGRlZmF1bHQgYm9vdHN0cmFwIHRva2VuIGdlbmVyYXRlZCBieSAna3ViZWFkbSBpbml0Jy4=
  expiration: MjAyMi0wMS0xOVQwNzo0NTowM1o=
  token-id: aW9iZHU5
  # decode with base64 -d
  token-secret: bnpwc3FvNjAwaGZ1a3drOA==
  usage-bootstrap-authentication: dHJ1ZQ==
  usage-bootstrap-signing: dHJ1ZQ==
kind: Secret
metadata:
  creationTimestamp: "2022-01-18T07:45:03Z"
  name: bootstrap-token-iobdu9
  namespace: kube-system
  resourceVersion: "221"
  uid: 80f2fbe6-3ea7-456f-bad8-a1c0586c49c9
type: bootstrap.kubernetes.io/token
[root@k8smaster ~]# echo bnpwc3FvNjAwaGZ1a3drOA== | base64 -d
nzpsqo600hfukwk8
[root@k8smaster ~]#
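The decoded value matches the token-secret in kubeadm join --token.
- --discovery-token-ca-cert-hash: used by the node to verify the master's identity
The hash is computed from the public key in the CA certificate (SHA-256 over its DER encoding):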
openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -pubkey | openssl rsa -pubin -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1
[root@k8smaster ~]# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -pubkey | openssl rsa -pubin -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1
61a43240406a53fcbda25158be98cee216aa32bca051f48c480f2c245cd9f154
The result computed here is the same as the value that follows discovery-token-ca-cert-hash in the join command; if the two match, the join is correct.
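Added example (not from the original post and not kubeadm's own code): the same pin computed in Python by extracting the DER SubjectPublicKeyInfo from the certificate and hashing it, which also covers non-RSA CA keys that the `openssl rsa` pipeline above cannot read. The sample certificate is a constructed, unsigned skeleton with an Ed25519-style key, and all function names are illustrative.

```python
import hashlib
import hmac

def tlv(tag, body):
    """Encode one DER element (only used to build the constructed sample)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_of(cert_der):
    """Return the full SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, end = read_tlv(cert_der, pos)   # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(cert_der, pos)
        fields.append((tag, pos, nxt))
        pos = nxt
    # Order: [0] version (optional), serial, sigAlg, issuer, validity, subject, SPKI
    _, start, stop = fields[6 if fields[0][0] == 0xA0 else 5]
    return cert_der[start:stop]

def ca_cert_hash(cert_der):
    """Pin in kubeadm's format: 'sha256:' + hex SHA-256 of the SPKI element."""
    return "sha256:" + hashlib.sha256(spki_of(cert_der)).hexdigest()

def pin_matches(cert_der, pinned):
    """Compare the pin from the join command with the certificate actually seen."""
    return hmac.compare_digest(ca_cert_hash(cert_der), pinned.strip().lower())

# Constructed sample: structurally valid, unsigned certificate skeleton.
SAMPLE_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2b\x65\x70")) + tlv(0x03, b"\x00" + bytes(32)))
SAMPLE_TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4
                 + SAMPLE_SPKI)
SAMPLE_CERT = tlv(0x30, SAMPLE_TBS + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

For a real CA file, `ssl.PEM_cert_to_DER_cert(open("/etc/kubernetes/pki/ca.crt").read())` gives the DER bytes to pass to `ca_cert_hash`.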
Deploying the Kubernetes node
Run the following command, obtained after the master was installed successfully, on the node machine:
kubeadm join 192.168.116.103:6443 --token iobdu9.nzpsqo600hfukwk8 \
--discovery-token-ca-cert-hash sha256:61a43240406a53fcbda25158be98cee216aa32bca051f48c480f2c245cd9f154
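Added example (not from the original post): a Python check of the --token in this join command against the bootstrap-token Secret shown earlier, covering format, match, expiry and usage. The Secret values are the ones printed above; the function names and the clock values used with them are illustrative.

```python
import base64
import hmac
import re
from datetime import datetime, timezone

# "data" fields of secret/bootstrap-token-iobdu9, copied from the output above.
SECRET_DATA = {
    "auth-extra-groups": "c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=",
    "expiration": "MjAyMi0wMS0xOVQwNzo0NTowM1o=",
    "token-id": "aW9iZHU5",
    "token-secret": "bnpwc3FvNjAwaGZ1a3drOA==",
    "usage-bootstrap-authentication": "dHJ1ZQ==",
    "usage-bootstrap-signing": "dHJ1ZQ==",
}
# Bootstrap token format: 6-character id, a dot, 16-character secret.
TOKEN_RE = re.compile(r"[a-z0-9]{6}\.[a-z0-9]{16}")


def decode_secret(data):
    """Base64-decode every field; base64 is an encoding, not encryption."""
    return {key: base64.b64decode(value).decode() for key, value in data.items()}


def audit_token(data, join_token, now):
    """Return the reasons this join token would be rejected (empty list if none)."""
    fields = decode_secret(data)
    stored = f"{fields['token-id']}.{fields['token-secret']}"
    expires = datetime.strptime(fields["expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    problems = []
    if not TOKEN_RE.fullmatch(join_token):
        problems.append("malformed token")
    elif not hmac.compare_digest(join_token, stored):
        problems.append("token does not match the Secret")
    if now >= expires:
        problems.append(f"token expired at {expires.isoformat()}")
    if fields.get("usage-bootstrap-authentication") != "true":
        problems.append("token is not enabled for authentication")
    return problems
```

The decoded expiration is 24 hours after the Secret's creationTimestamp, so a join attempted with this token after that point is reported as expired.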
Running the kubeadm join above fails:
[root@k8snode ~]# kubeadm join 192.168.116.103:6443 --token iobdu9.nzpsqo600hfukwk8 \
> --discovery-token-ca-cert-hash sha256:61a43240406a53fcbda25158be98cee216aa32bca051f48c480f2c245cd9f154
[preflight] Running pre-flight checks
error execution phase preflight: [preflight] Some fatal errors occurred:
[ERROR FileAvailable--etc-kubernetes-kubelet.conf]: /etc/kubernetes/kubelet.conf already exists
[ERROR FileAvailable--etc-kubernetes-pki-ca.crt]: /etc/kubernetes/pki/ca.crt already exists
[preflight] If you know what you are doing, you can make a check non-fatal with `--ignore-preflight-errors=...`
To see the stack trace of this error execute with --v=5 or higher
On the node, run kubeadm reset
rm -rf /etc/cni/net.d
rm -rf $HOME/.kube/config
rm -rf /etc/cni/net.d
Then restart the machine: reboot
Run kubeadm join ··· again
[root@k8snode ~]# systemctl status kubelet
kubelet.service - kubelet: The Kubernetes Node Agent
Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/kubelet.service.d
└─10-kubeadm.conf
Active: activating (auto-restart) (Result: exit-code) since Tue 2022-01-18 21:28:09 EST; 6s ago
Docs: https://kubernetes.io/docs/
Process: 1667 ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS (code=exited, status=1/FAILURE)
Main PID: 1667 (code=exited, status=1/FAILURE)
Jan 18 21:28:09 k8snode systemd[1]: Unit kubelet.service entered failed state.
Jan 18 21:28:09 k8snode systemd[1]: kubelet.service failed.
Edit the file: vi /etc/docker/daemon.json
{
"registry-mirrors": ["https://hdi5v8p1.mirror.aliyuncs.com/"],
"exec-opts": ["native.cgroupdriver=systemd"]
}
Save and exit, then restart Docker
[root@k8snode ~]# systemctl daemon-reload
[root@k8snode ~]# systemctl restart docker
[root@k8snode ~]# systemctl status docker
Check the Docker status
[root@k8snode ~]# systemctl status docker
docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-01-18 21:48:45 EST; 6s ago
Docs: https://docs.docker.com
Main PID: 5514 (dockerd)
Tasks: 9
Memory: 36.6M
CGroup: /system.slice/docker.service
└─5514 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
Check the kubelet status
[root@k8snode ~]# systemctl status kubelet
kubelet.service - kubelet: The Kubernetes Node Agent
Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/kubelet.service.d
└─10-kubeadm.conf
Active: active (running) since Tue 2022-01-18 21:49:04 EST; 5s ago
Docs: https://kubernetes.io/docs/
Main PID: 5660 (kubelet)
Tasks: 9
Memory: 19.7M
CGroup: /system.slice/kubelet.service
└─5660 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kub...
Jan 18 21:49:04 k8snode systemd[1]: Started kubelet: The Kubernetes Node Agent.
Jan 18 21:49:04 k8snode kubelet[5660]: Flag --network-plugin has been deprecated, will be removed along with dockershim.
Jan 18 21:49:04 k8snode kubelet[5660]: Flag --network-plugin has been deprecated, will be removed along with dockershim.
Jan 18 21:49:04 k8snode kubelet[5660]: I0118 21:49:04.166703 5660 server.go:446] "Kubelet version" kubeletVer....23.1"
Jan 18 21:49:04 k8snode kubelet[5660]: I0118 21:49:04.167057 5660 server.go:874] "Client rotation is on, will...round"
Jan 18 21:49:04 k8snode kubelet[5660]: I0118 21:49:04.168637 5660 certificate_store.go:130] Loading cert/key ....pem".
Jan 18 21:49:04 k8snode kubelet[5660]: I0118 21:49:04.170052 5660 dynamic_cafile_content.go:156] "Starting co...a.crt"
Hint: Some lines were ellipsized, use -l to show in full.
kubeadm join 192.168.116.103:6443 --token iobdu9.nzpsqo600hfukwk8 \
--discovery-token-ca-cert-hash sha256:61a43240406a53fcbda25158be98cee216aa32bca051f48c480f2c245cd9f154
If it fails again, run:
kubeadm reset
reboot
The following output indicates that the join succeeded:
[root@k8snode ~]# kubeadm join 192.168.116.103:6443 --token iobdu9.nzpsqo600hfukwk8 --discovery-token-ca-cert-hash sha256:61a43240406a53fcbda25158be98cee216aa32bca051f48c480f2c245cd9f154
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
View the error log
journalctl -xefu kubelet
Check on the master whether the join succeeded: kubectl get nodes
[root@k8smaster ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8smaster Ready control-plane,master 41h v1.23.1
k8snode Ready <none> 21h v1.23.1
Kubernetes has been installed successfully.
Error:
[root@k8snode ~]# kubectl get nodes
The connection to the server localhost:8080 was refused - did you specify the right host or port?
Fix: https://blog.csdn.net/tearofthemyth/article/details/113146166
[root@k8snode ~]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-6d8c4cb4d-7vdfk 1/1 Running 2 (14m ago) 42h
coredns-6d8c4cb4d-gmpv6 1/1 Running 2 (14m ago) 42h
etcd-k8smaster 1/1 Running 4 (14m ago) 42h
kube-apiserver-k8smaster 1/1 Running 4 (14m ago) 42h
kube-controller-manager-k8smaster 1/1 Running 4 (14m ago) 42h
kube-flannel-ds-4nbck 1/1 Running 2 (14m ago) 42h
kube-flannel-ds-gtgrw 1/1 Running 0 22h
kube-proxy-9kw6b 1/1 Running 2 (14m ago) 42h
kube-proxy-gx5h8 1/1 Running 0 22h
kube-scheduler-k8smaster 1/1 Running 4 (14m ago) 42h