kubernetes token过期生成永久过程
<div id="navCategory"><h5 class="catalogue">目录</h5><ul class="first_class_ul"><li><a href="#_label0">查看 token</a></li><li><a href="#_label1">生成 token</a></li><li><a href="#_label2">永久 token</a></li><li><a href="#_label3">更新 token</a></li><li><a href="#_label4">总结</a></li></ul></div><p>写在前面:如有问题,以你为准,</p><p class="maodian"><a name="_label0"></a></p><h2>查看 token</h2>
<div class="jb51code"><pre class="brush:bash;">kubeadm token list 查看过期时间和token,初始化的token是一天时长</pre></div>
<p>详细查看</p>
<div class="jb51code"><pre class="brush:bash;"># 查看token密钥
# kubectl get secrets -n kube-system
NAME TYPE DATA AGE
bootstrap-token-h3j3ns bootstrap.kubernetes.io/token 7 168m
# 其他插件的日志与token密钥
# kubectl get secrets -A
NAMESPACE NAME TYPE DATA AGE
calico-apiserver calico-apiserver-certs Opaque 2 120m
calico-system node-certs Opaque 2 154m
calico-system typha-certs Opaque 2 154m
kube-system bootstrap-token-h3j3ns bootstrap.kubernetes.io/token 7 169m
tigera-operator calico-apiserver-certs Opaque 2 120m
tigera-operator node-certs Opaque 2 154m
tigera-operator tigera-ca-private Opaque 2 154m
tigera-operator typha-certs Opaque 2 154m
</pre></div>
<div class="jb51code"><pre class="brush:bash;"># kubectl get secrets -n kube-system bootstrap-token-h3j3ns -oyaml
apiVersion: v1
data:
auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=
description: VGhlIGRlZmF1bHQgYm9vdHN0cmFwIHRva2VuIGdlbmVyYXRlZCBieSAna3ViZWFkbSBpbml0Jy4=
expiration: MjAyMy0wMi0wM1QxMjoxMToxM1o=
token-id: aDNqM25z
token-secret: bmI5eGwycDV6MW1uYTB4eA==
usage-bootstrap-authentication: dHJ1ZQ==
usage-bootstrap-signing: dHJ1ZQ==
kind: Secret
metadata:
creationTimestamp: "2023-02-02T12:11:13Z"
name: bootstrap-token-h3j3ns
namespace: kube-system
resourceVersion: "209"
uid: 26807d30-dcfd-4034-a658-820f7a0c842f
type: bootstrap.kubernetes.io/token</pre></div>
<p>expiration 字段是其过期时间,base64加密</p>
<div class="jb51code"><pre class="brush:bash;"># echo "MjAyMy0wMi0wM1QxMjoxMToxM1o=" | base64 --decode
2023-02-03T12:11:13Z
# 可以看到是 2023年 2月 3日 12点过期</pre></div>
<p class="maodian"><a name="_label1"></a></p><h2>生成 token</h2>
<div class="jb51code"><pre class="brush:bash;">#删除现有token
# kubectl delete secrets -n kube-system bootstrap-token-h3j3ns
secret "bootstrap-token-h3j3ns" deleted
# 生产 node 节点 token
# kubeadm token create --print-join-command --cri-socket unix:///var/run/cri-dockerd.sock
kubeadm join 192.168.100.53:6443 --token 5h02s0.n7htz6mfdlg8kh40 --discovery-token-ca-cert-hash sha256:7f81fa35fc8f5d8640a167634df99d7f6998c28e996748f16ee86f422641119a
#注意如果是1.20以上版本要加上这个才能使用 --cri-socket unix:///var/run/cri-dockerd.sock</pre></div>
<p>生成 master 的 token</p>
<div class="jb51code"><pre class="brush:bash;"># kubeadm token create --print-join-command
kubeadm join 192.168.100.53:6443 --token 5h02s0.n7htz6mfdlg8kh40 --discovery-token-ca-cert-hash sha256:7f81fa35fc8f5d8640a167634df99d7f6998c28e996748f16ee86f422641119a
# kubeadm init phase upload-certs --upload-certs
Using certificate key:
6d7089e97b8c96ac7ad478173c7928e5becdf1faed85ccd2d4654b8dc514fc32
# 将certificate key,与上面的进行拼接,得出如下
kubeadm join 10.136.17.12:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:2fbacdf6a9473d5da1d98900f73cxxx772b12ac99017d6ae756d8c3cc \
--control-plane --certificate-key f0725584c26c192478d266c4dc5804a1ss5d7b40257837eea0676d1972cca
#注意如果是1.20以上版本要加上这个才能使用 --cri-socket unix:///var/run/cri-dockerd.sock</pre></div>
<p class="maodian"><a name="_label2"></a></p><h2>永久 token</h2>
<div class="jb51code"><pre class="brush:bash;">--ttl 0 参数
# kubeadm token create --print-join-command--ttl 0
kubeadm join 192.168.100.53:6443 --token 7blbsw.pthel6ipumqnwjza --discovery-token-ca-cert-hash sha256:7f81fa35fc8f5d8640a167634df99d7f6998c28e996748f16ee86f422641119a
#注意如果是1.20以上版本并使用docker容器运行时才要加上这个才能使用 --cri-socket unix:///var/run/cri-dockerd.sock
# 查看
# kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
5h02s0.n7htz6mfdlg8kh40 23h 2023-02-03T15:09:24Z authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
7blbsw.pthel6ipumqnwjza <forever> <never> authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
# 删除原先1天时长的token
# kubeadm token delete 5h02s0.n7htz6mfdlg8kh40
bootstrap token "5h02s0" deleted
</pre></div>
<p class="maodian"><a name="_label3"></a></p><h2>更新 token</h2>
<p>就是重新加入node,例子如下面更新node1</p>
<div class="jb51code"><pre class="brush:bash;"># master 删除 node1
# kubectl delete node node1
node "node1" deleted
# 更新 node1 节点执行命令
rm -rf /etc/kubernetes/kubelet.conf
rm -rf /etc/kubernetes/pki/ca.crt
systemctl restart kubelet.service
kubeadm join 192.168.100.53:6443 --token 7blbsw.pthel6ipumqnwjza --discovery-token-ca-cert-hash sha256:7f81fa35fc8f5d8640a167634df99d7f6998c28e996748f16ee86f422641119a --cri-socket unix:///var/run/cri-dockerd.sock</pre></div>
<p class="maodian"><a name="_label4"></a></p><h2>总结</h2>
<p>以上为个人经验,希望能给大家一个参考,也希望大家多多支持琼殿技术社区。</p>
頁:
[1]