kubeadm init --token=xyz or kubeadm init --token xyz?

Submitted by 折月煮酒 on 2019-12-11 14:41:46

Question

Which format of kubeadm init --token is correct?

(2/4) Initializing your master shows "--token xyz".

kubeadm join --token <token> <master-ip>:<master-port> --discovery-token-ca-cert-hash sha256:<hash>

kubeadm init shows "--token=xyz".

kubeadm join --token=abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef 192.168.1.1:6443

The execution log (using Ansible) showed several error messages. I wonder if this is related to the format.

changed: [192.168.99.12] => {...
  "[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.",
  "[preflight] Running pre-flight checks",
  "[preflight] Starting the kubelet service",
  "[discovery] Trying to connect to API Server \"192.168.99.10:6443\"",
  "[discovery] Created cluster-info discovery client, requesting info from \"https://192.168.99.10:6443\"",
  "[discovery] Failed to connect to API Server \"192.168.99.10:6443\": there is no JWS signed token in the cluster-info ConfigMap. This token id \"7ae0ed\" is invalid for this cluster, can't connect",
  "[discovery] Trying to connect to API Server \"192.168.99.10:6443\"",
  "[discovery] Created cluster-info discovery client, requesting info from \"https://192.168.99.10:6443\"",
  "[discovery] Failed to connect to API Server \"192.168.99.10:6443\": there is no JWS signed token in the cluster-info ConfigMap. This token id \"7ae0ed\" is invalid for this cluster, can't connect",
  "[discovery] Trying to connect to API Server \"192.168.99.10:6443\"",
  "[discovery] Created cluster-info discovery client, requesting info from \"https://192.168.99.10:6443\"",
  "[discovery] Requesting info from \"https://192.168.99.10:6443\" again to validate TLS against the pinned public key",
  "[discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server \"192.168.99.10:6443\"",
  "[discovery] Successfully established connection with API Server \"192.168.99.10:6443\"",
  "[bootstrap] Detected server version: v1.8.5",
  "[bootstrap] The server supports the Certificates API (certificates.k8s.io/v1beta1)",
  "",
  "Node join complete:",
  "* Certificate signing request sent to master and response",
  "  received.",
  "* Kubelet informed of new secure connection details.",
  "",
  "Run 'kubectl get nodes' on the master to see this machine join."

Answer 1:


kubeadm uses spf13/pflag, where both notations are correct.

From the docs:

--flag    // boolean flags, or flags with no option default values
--flag x  // only on flags without a default value
--flag=x
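
The three notations quoted above, as an added example (not part of the original answer and not pflag's own code): a simplified Go model of the long-flag rules, showing that `--token xyz` and `--token=xyz` yield the same value and why `--flag x` is not available for flags that have a no-option default. The `parseLong` helper, the `flagSpec` type and the `example-bool` flag are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// flagSpec models one long flag. noOptDefVal mirrors pflag's NoOptDefVal:
// the value used when the flag appears without "=value" (pflag sets it to
// "true" for boolean flags).
type flagSpec struct {
	noOptDefVal string
}

// parseLong is a simplified model of the long-flag rules, not pflag's code.
// Short flags and the "--" terminator are not modelled.
// It returns the flag values and the remaining positional arguments.
func parseLong(specs map[string]flagSpec, args []string) (map[string]string, []string, error) {
	vals := map[string]string{}
	var pos []string
	for i := 0; i < len(args); i++ {
		a := args[i]
		if !strings.HasPrefix(a, "--") {
			pos = append(pos, a) // e.g. <master-ip>:<master-port>
			continue
		}
		name, val, hasEq := strings.Cut(a[2:], "=")
		spec, ok := specs[name]
		switch {
		case !ok:
			return nil, nil, fmt.Errorf("unknown flag: --%s", name)
		case hasEq: // --flag=x
			vals[name] = val
		case spec.noOptDefVal != "": // --flag: the next argument is NOT consumed
			vals[name] = spec.noOptDefVal
		case i+1 < len(args): // --flag x
			i++
			vals[name] = args[i]
		default:
			return nil, nil, fmt.Errorf("flag needs an argument: --%s", name)
		}
	}
	return vals, pos, nil
}

func main() {
	// "example-bool" is a hypothetical boolean flag; arguments are constructed
	// from the placeholder token and address shown in the question.
	specs := map[string]flagSpec{"token": {}, "example-bool": {noOptDefVal: "true"}}
	fmt.Println(parseLong(specs, []string{"--token", "abcdef.1234567890abcdef", "192.168.1.1:6443"}))
	fmt.Println(parseLong(specs, []string{"--token=abcdef.1234567890abcdef", "192.168.1.1:6443"}))
}
```

Both calls print the same token value and the same positional address, so the notation alone does not explain a rejected token.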



Answer 2:


As far as I know, the format does not matter. It's in their output, which is recommended:

You can now join any number of machines by running the following on each node as root:

kubeadm join --token <token> <master-ip>:<master-port> --discovery-token-ca-cert-hash sha256:<hash>

I think the token is used for security (SSL or TLS) purposes so the master node and worker node can communicate using encryption. It's part of the TLS handshake.

The kubelet on the worker node needs its own token to communicate with the kube-api server on the master node.



Source: https://stackoverflow.com/questions/47770486/kubeadm-init-token-xyz-or-kubeadm-init-token-xyz
