kubeadm token create

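# Bootstrap tokens take the form abcdef.0123456789abcdef and must match the
# regular expression [a-z0-9]{6}\.[a-z0-9]{16}.
# The token authenticates as the groups listed in --groups; each must start
# with "system:bootstrappers:". Fail early if node_name is unset rather than
# creating a token for the group "system:bootstrappers:" with an empty suffix.
# Tokens created this way get kubeadm's default TTL of 24h unless --ttl is given.
: "${node_name:?node_name must be set}"
kubeadm token create \
  --description kubelet-bootstrap-token \
  --groups "system:bootstrappers:${node_name}" \
  --kubeconfig ~/.kube/config
# List existing tokens; the output includes each token's expiry and groups.
kubeadm token list --kubeconfig ~/.kube/config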

kubectl apply -f

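apiVersion: v1
kind: Secret
metadata:
  # Name MUST be of form "bootstrap-token-<token id>"; the suffix must equal
  # stringData.token-id below.
  name: bootstrap-token-07401b
  # Bootstrap token Secrets are only looked up in kube-system.
  namespace: kube-system
# Type MUST be 'bootstrap.kubernetes.io/token'
type: bootstrap.kubernetes.io/token
stringData:
  # Human readable description. Optional.
  description: "The default bootstrap token generated by 'kubeadm init'."
  # Token ID (6 chars) and secret (16 chars), both [a-z0-9]. Required.
  # Quoted so an all-digit value is not parsed as an integer.
  token-id: "07401b"
  token-secret: "f395accd246ae52d"
  # Expiration, RFC 3339 UTC. Optional, but a token with no expiration stays
  # valid until the Secret is deleted by hand, so set one.
  # Quoted so the value stays a string rather than becoming a YAML timestamp.
  # The example value is in the past; replace it before applying.
  expiration: "2017-03-10T03:22:11Z"
  # Allowed usages.
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
  # Extra groups to authenticate the token as. Must start with "system:bootstrappers:"
  auth-extra-groups: "system:bootstrappers:worker,system:bootstrappers:ingress"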

kubectl create secret

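# A bootstrap token has the form "<id>.<secret>": a 6-character id and a
# 16-character secret, both lowercase hex, e.g. abcdef.0123456789abcdef
# (the token-id / token-secret keys of the bootstrap Secret).
# Reading 16 bytes and hex-encoding them yields 32 characters, which does
# not match [a-z0-9]{6}\.[a-z0-9]{16}; read 3 and 8 bytes instead.
# `-tx1` prints single bytes, so the output does not depend on host
# endianness the way 4-byte `-t x` words do.
TOKEN_ID=$(head -c 3 /dev/urandom | od -An -tx1 | tr -d ' \n')
TOKEN_SECRET=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
echo "${TOKEN_ID}.${TOKEN_SECRET}"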
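# Generate a bootstrap token and publish it as a Secret in kube-system, then
# write bootstrap.conf, the kubeconfig a kubelet uses for TLS bootstrapping.
# Token form: "<6 hex chars>.<16 hex chars>" (openssl rand -hex N prints 2N chars).
TOKEN_ID=$(openssl rand -hex 3)
TOKEN_SECRET=$(openssl rand -hex 8)
BOOTSTRAP_TOKEN="${TOKEN_ID}.${TOKEN_SECRET}"
# Fail early instead of creating the group "system:bootstrappers:" with an
# empty node suffix when NODE_NAME is unset.
: "${NODE_NAME:?NODE_NAME must be set to the node this token is for}"
# Cluster endpoint and CA embedded in bootstrap.conf; override via environment.
KUBE_APISERVER="${KUBE_APISERVER:-https://192.168.33.100:8443}"
KUBE_CA_CERT="${KUBE_CA_CERT:-kubernetes-ca.pem}"
# Give the token a lifetime (RFC 3339 UTC). Without an expiration key the
# token stays valid until the Secret is deleted by hand. Uses GNU date syntax.
TOKEN_TTL_HOURS="${TOKEN_TTL_HOURS:-24}"
TOKEN_EXPIRATION=$(date -u -d "+${TOKEN_TTL_HOURS} hours" +%Y-%m-%dT%H:%M:%SZ)
kubectl -n kube-system create secret generic "bootstrap-token-${TOKEN_ID}" \
  --type 'bootstrap.kubernetes.io/token' \
  --from-literal description="kubelet-bootstrap-token" \
  --from-literal token-id="${TOKEN_ID}" \
  --from-literal token-secret="${TOKEN_SECRET}" \
  --from-literal expiration="${TOKEN_EXPIRATION}" \
  --from-literal usage-bootstrap-authentication=true \
  --from-literal usage-bootstrap-signing=true \
  --from-literal auth-extra-groups="system:bootstrappers:worker,system:bootstrappers:ingress,system:bootstrappers:${NODE_NAME}"
# Inspect the stored Secret (this prints the token secret, base64-encoded).
kubectl get secrets/"bootstrap-token-${TOKEN_ID}" -n kube-system -o yaml
# Build bootstrap.conf: embeds the CA and the bearer token. It is a credential;
# copy it to the node over a protected channel only.
kubectl --kubeconfig=bootstrap.conf config set-cluster kubernetes \
  --certificate-authority="${KUBE_CA_CERT}" --embed-certs=true --server="${KUBE_APISERVER}"
kubectl --kubeconfig=bootstrap.conf config set-credentials kubelet-bootstrap --token="${BOOTSTRAP_TOKEN}"
kubectl --kubeconfig=bootstrap.conf config set-context default --cluster=kubernetes --user=kubelet-bootstrap
kubectl --kubeconfig=bootstrap.conf config use-context default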
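###############################
# Allow members of system:bootstrappers (the group every bootstrap token
# carries) to submit CSRs. Guarded with `get ||` so re-running the script is
# idempotent, as the kube-proxy commands below already are.
# Approving those CSRs (automatically or by hand) is a separate step not shown here.
kubectl get clusterrolebinding kubeadm:kubelet-bootstrap \
  || kubectl create clusterrolebinding kubeadm:kubelet-bootstrap --clusterrole system:node-bootstrapper --group system:bootstrappers
###############################
# ServiceAccount for kube-proxy, bound to the built-in system:node-proxier role.
kubectl -n kube-system get sa kube-proxy \
  || kubectl -n kube-system create serviceaccount kube-proxy
kubectl get clusterrolebinding kubeadm:kube-proxy \
  || kubectl create clusterrolebinding kubeadm:kube-proxy --clusterrole system:node-proxier --serviceaccount kube-system:kube-proxy
###############################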

参考

  • Kubernetes TLS bootstrapping 那点事
  • TLS bootstrapping
  • TLS BOOTSTRAPPING WITH BOOTSTRAP-TOKEN
  • 创建 Kubernetes 集群:配置 bootstrap
  • Kubernetes - kubelet bootstrap 流程

    5月 26 20:58:46 n55 polkitd[2571]: Unregistered Authentication Agent for unix-process:5458:6750 (system bus name :1.49, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US
    5月 26 20:58:46 n55 sudo[5478]:  vagrant : TTY=pts/0 ; PWD=/opt/k8s ; USER=root ; COMMAND=/bin/systemctl start docker.service
    5月 26 20:58:46 n55 sudo[5478]: pam_unix(sudo:session): session opened for user root by vagrant(uid=0)
    5月 26 20:58:46 n55 polkitd[2571]: Registered Authentication Agent for unix-process:5480:6760 (system bus name :1.51 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop
    5月 26 20:58:46 n55 systemd[1]: Starting Docker Socket for the API.
    -- Subject: Unit docker.socket has begun start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit docker.socket has begun starting up.
    5月 26 20:58:46 n55 systemd[5486]: Failed to chown socket at step GROUP: No such process
    5月 26 20:58:46 n55 systemd[1]: docker.socket control process exited, code=exited status=216
    5月 26 20:58:46 n55 systemd[1]: Failed to listen on Docker Socket for the API.
    -- Subject: Unit docker.socket has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit docker.socket has failed.
    --
    -- The result is failed.
    5月 26 20:58:46 n55 systemd[1]: Dependency failed for Docker Application Container Engine.
    -- Subject: Unit docker.service has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit docker.service has failed.
    --
    -- The result is dependency.
    5月 26 20:58:46 n55 systemd[1]: Job docker.service/start failed with result 'dependency'.
    5月 26 20:58:46 n55 systemd[1]: Unit docker.socket entered failed state.
    5月 26 20:58:46 n55 sudo[5478]: pam_unix(sudo:session): session closed for user root
    5月 26 20:58:46 n55 polkitd[2571]: Unregistered Authentication Agent for unix-process:5480:6760 (system bus name :1.51, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US
    5月 26 20:58:46 n55 bash[3008]: 2019/05/26 20:58:46 [INFO] autopilot: Promoting Server (ID: "bc46826a-de43-fe99-79cf-91cac82e5fa1" Address: "192.168.33.56:8300") to voter
    5月 26 20:58:46 n55 bash[3008]: 2019/05/26 20:58:46 [INFO] raft: Updating configuration with AddStaging (bc46826a-de43-fe99-79cf-91cac82e5fa1, 192.168.33.56:8300) to [{Suffrage:Voter ID:66c5b93
    5月 26 20:58:57 n55 chronyd[2603]: Source 119.28.183.184 replaced with 193.228.143.22
    5月 26 20:59:09 n55 sudo[5488]:  vagrant : TTY=pts/0 ; PWD=/opt/k8s ; USER=root ; COMMAND=/bin/journalctl -xe
    5月 26 20:59:09 n55 sudo[5488]: pam_unix(sudo:session): session opened for user root by vagrant(uid=0)