乐趣区

解决k8s执行kubeadm-join遇到could-not-find-a-JWS-signature的问题

当使用 kubectl join 往 Kubernetes 集群添加 worker 节点, 如果遇到以下异常 (比如我们想把 ttg13 节点加入当前只有一个单 master 节点 ttg12 的集群中):

$ sudo kubeadm join ttg12:6443 --token lbe5im.g79f9kxyyxdf2c9s     --discovery-token-ca-cert-hash sha256:e4509816d73510fd6e008eba43d11b5807cd3de9f562dacd0dd2582c74eecafc
# === 以下为输出 ===
W0706 18:56:04.310137   21432 join.go:346] [preflight] WARNING: JoinControlPane.controlPlane settings will be ignored when control-plane flag is not set.
[preflight] Running pre-flight checks
    [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/
error execution phase preflight: couldn't validate the identity of the API Server: could not find a JWS signature in the cluster-info ConfigMap for token ID"lbe5im"
To see the stack trace of this error execute with --v=5 or higher

这个问题是在 kube-public 下的 configmapcluster-info 中没有 JWS 签名, 本质上是 token 过期.

我们可以通过 kube config 命令查看 cluster-info 的内容:

kubectl get configmap cluster-info --namespace=kube-public -o yaml

当然也可以通过 Dashboard 查看 cluster-info (注意下图为正常情况, 异常时没有 jws-kubeconfig-xxxxx 这一行):

那么如何解决呢? 我们 kubectl join 的时候, 需要 2 个参数: tokendiscovery-token-ca-cert-hash. 那么解决方案就是重新生成 tokendiscovery-token-ca-cert-hash.

首先我们通过以下命令生成一个新的 token:

$ kubeadm token create --ttl 0
# === 以下为输出 ===
W0706 19:02:57.015210   11101 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
y5i7zk.77go3qfvy3om7rkw

然后再重新生成证书签名摘要 (或者说 hash), 当然这个值(只要证书不变) 是不变的, 跟我们在首次安装 kubeadm init 的时候生成的 hash 是一样的:

$ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
# === 以下为输出 ===
e4509816d73510fd6e008eba43d11b5807cd3de9f562dacd0dd2582c74eecafc

最后我们用上面生成的 token 和 hash 再来 join 一下:

$ sudo kubeadm join ttg12:6443 --token y5i7zk.77go3qfvy3om7rkw     --discovery-token-ca-cert-hash sha256:e4509816d73510fd6e008eba43d22b5807cd3de9f562dacd0dd2582c74eecafc
# === 以下为输出 ===
W0706 19:05:40.756837   22879 join.go:346] [preflight] WARNING: JoinControlPane.controlPlane settings will be ignored when control-plane flag is not set.
[preflight] Running pre-flight checks
    [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.18" ConfigMap in the kube-system namespace
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

最后在 master 节点上通过 kubectl get nodes 确认新节点 ttg13 加入成功:

$ kubectl get nodes
NAME    STATUS   ROLES    AGE    VERSION
ttg12   Ready    master   3d3h   v1.18.5
ttg13   Ready    <none>   20m    v1.18.5

Bingo!

退出移动版