kubeadm token create

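# A bootstrap token has the form abcdef.0123456789abcdef and must match the regular expression [a-z0-9]{6}\.[a-z0-9]{16}.
# Stop here if node_name is unset: the extra group would otherwise be the bare prefix "system:bootstrappers:".
: "${node_name:?set node_name to the node this token is issued for}"
# --ttl 24h spells out kubeadm's default lifetime so the expiry is visible in the command; shorten it where possible.
# The command prints the new token on stdout; treat that output as a credential (keep it out of shared logs and tickets).
kubeadm token create --description kubelet-bootstrap-token --groups "system:bootstrappers:${node_name}" --ttl 24h --kubeconfig ~/.kube/config
# Review the existing tokens with their expiry, usages and extra groups; remove any that are no longer needed.
kubeadm token list --kubeconfig ~/.kube/config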

kubectl apply -f

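# Bootstrap token Secret. The token id and secret below are sample values:
# anyone who has seen them can authenticate as a bootstrapper, so generate
# fresh random values before applying this manifest to a real cluster.
apiVersion: v1
kind: Secret
metadata:
  # Name MUST be of form "bootstrap-token-<token id>"
  name: bootstrap-token-07401b
  namespace: kube-system
# Type MUST be 'bootstrap.kubernetes.io/token'
type: bootstrap.kubernetes.io/token
stringData:
  # Human readable description. Optional.
  description: "The default bootstrap token generated by 'kubeadm init'."
  # Token ID and secret. Required. Quoted so they are always read as strings,
  # even when a generated value consists of digits only.
  token-id: "07401b"
  token-secret: "f395accd246ae52d"
  # Expiration. Optional. RFC 3339 UTC timestamp, quoted so it is not parsed
  # as a date. This sample value lies in the past, so the token is already
  # expired; set a near-future time. Leaving the key out creates a token that
  # never expires.
  expiration: "2017-03-10T03:22:11Z"
  # Allowed usages. Enable only the ones this token needs.
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
  # Extra groups to authenticate the token as. Must start with "system:bootstrappers:"
  auth-extra-groups: "system:bootstrappers:worker,system:bootstrappers:ingress"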

kubectl create secret

# Shape of a bootstrap token, for reference: Token = "abcdef.0123456789abcdef"
# Read 16 bytes from the kernel random source and print them as hex with the
# spaces stripped: 32 hex characters, which is not yet in the <id>.<secret> form.
od -An -N 16 -t x /dev/urandom | tr -d ' '
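# Create a bootstrap token Secret by hand and build a kubelet bootstrap kubeconfig from it.
# Stop here if NODE_NAME is unset: the last auth-extra-groups entry would otherwise be the bare prefix "system:bootstrappers:".
: "${NODE_NAME:?set NODE_NAME to the node this token is issued for}"
TOKEN_ID="$(openssl rand -hex 3)"       # 3 random bytes -> 6 hex characters
TOKEN_SECRET="$(openssl rand -hex 8)"   # 8 random bytes -> 16 hex characters
BOOTSTRAP_TOKEN="${TOKEN_ID}.${TOKEN_SECRET}"
# No "expiration" key is written, so this token stays valid until the Secret is deleted.
# Add --from-literal expiration=<RFC 3339 UTC timestamp>, or delete the Secret once the node has joined.
# The secret is passed on the command line, where local process listings and shell history can show it; run this on a trusted admin host.
kubectl -n kube-system create secret generic "bootstrap-token-${TOKEN_ID}" \
--type 'bootstrap.kubernetes.io/token' \
--from-literal description="kubelet-bootstrap-token" \
--from-literal token-id="${TOKEN_ID}" \
--from-literal token-secret="${TOKEN_SECRET}" \
--from-literal usage-bootstrap-authentication=true \
--from-literal usage-bootstrap-signing=true \
--from-literal auth-extra-groups="system:bootstrappers:worker,system:bootstrappers:ingress,system:bootstrappers:${NODE_NAME}"
# Inspect the Secret. The output contains the base64-encoded token secret, so keep it out of shared logs.
kubectl get "secrets/bootstrap-token-${TOKEN_ID}" -n kube-system -o yaml
# Generate bootstrap.conf. The file embeds the CA certificate and the bearer token, so handle it as a credential.
kubectl --kubeconfig=bootstrap.conf config set-cluster kubernetes --certificate-authority=kubernetes-ca.pem --embed-certs=true --server=https://192.168.33.100:8443
kubectl --kubeconfig=bootstrap.conf config set-credentials kubelet-bootstrap --token="${BOOTSTRAP_TOKEN}"
kubectl --kubeconfig=bootstrap.conf config set-context default --cluster=kubernetes --user=kubelet-bootstrap
kubectl --kubeconfig=bootstrap.conf config use-context default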
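###############################
# Bind the system:node-bootstrapper ClusterRole to the group system:bootstrappers, which every bootstrap token authenticates into.
# This binding covers requesting a kubelet certificate only; keep CSR approval a separate step, and scope any auto-approval binding narrowly.
# The get-or-create form matches the kube-proxy commands below, so re-running the block does not fail on an existing binding.
kubectl get clusterrolebinding kubeadm:kubelet-bootstrap || kubectl create clusterrolebinding kubeadm:kubelet-bootstrap --clusterrole system:node-bootstrapper --group system:bootstrappers
###############################
# Create the kube-proxy service account in kube-system if it is missing, then bind it to the system:node-proxier ClusterRole.
kubectl -n kube-system get sa kube-proxy || kubectl -n kube-system create serviceaccount kube-proxy
kubectl get clusterrolebinding kubeadm:kube-proxy || kubectl create clusterrolebinding kubeadm:kube-proxy --clusterrole system:node-proxier --serviceaccount kube-system:kube-proxy
###############################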

参考