当使用 kubectl join 往 Kubernetes 集群添加 worker 节点, 如果遇到以下异常 (比如我们想把 ttg13 节点加入当前只有一个单 master 节点 ttg12 的集群中):
$ sudo kubeadm join ttg12:6443 --token lbe5im.g79f9kxyyxdf2c9s --discovery-token-ca-cert-hash sha256:e4509816d73510fd6e008eba43d11b5807cd3de9f562dacd0dd2582c74eecafc
# === 以下为输出 ===
W0706 18:56:04.310137 21432 join.go:346] [preflight] WARNING: JoinControlPane.controlPlane settings will be ignored when control-plane flag is not set.
[preflight] Running pre-flight checks
[WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/
error execution phase preflight: couldn't validate the identity of the API Server: could not find a JWS signature in the cluster-info ConfigMap for token ID"lbe5im"
To see the stack trace of this error execute with --v=5 or higher这个问题是在 kube-public 下的 configmap 的 cluster-info 中没有 JWS 签名, 本质上是 token 过期.
我们可以通过 kube config 命令查看 cluster-info 的内容:
kubectl get configmap cluster-info --namespace=kube-public -o yaml当然也可以通过 Dashboard 查看 cluster-info (注意下图为正常情况, 异常时没有 jws-kubeconfig-xxxxx 这一行):
那么如何解决呢? 我们 kubectl join 的时候, 需要 2 个参数: token 和 discovery-token-ca-cert-hash. 那么解决方案就是重新生成 token 和 discovery-token-ca-cert-hash.
首先我们通过以下命令生成一个新的 token:
$ kubeadm token create --ttl 0
# === 以下为输出 ===
W0706 19:02:57.015210 11101 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
y5i7zk.77go3qfvy3om7rkw然后再重新生成证书签名摘要 (或者说 hash), 当然这个值(只要证书不变) 是不变的, 跟我们在首次安装 kubeadm init 的时候生成的 hash 是一样的:
$ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
# === 以下为输出 ===
e4509816d73510fd6e008eba43d11b5807cd3de9f562dacd0dd2582c74eecafc最后我们用上面生成的 token 和 hash 再来 join 一下:
$ sudo kubeadm join ttg12:6443 --token y5i7zk.77go3qfvy3om7rkw --discovery-token-ca-cert-hash sha256:e4509816d73510fd6e008eba43d22b5807cd3de9f562dacd0dd2582c74eecafc
# === 以下为输出 ===
W0706 19:05:40.756837 22879 join.go:346] [preflight] WARNING: JoinControlPane.controlPlane settings will be ignored when control-plane flag is not set.
[preflight] Running pre-flight checks
[WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.18" ConfigMap in the kube-system namespace
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the control-plane to see this node join the cluster.最后在 master 节点上通过 kubectl get nodes 确认新节点 ttg13 加入成功:
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
ttg12 Ready master 3d3h v1.18.5
ttg13 Ready <none> 20m v1.18.5Bingo!