kubeadm token create

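# A bootstrap token has the form abcdef.0123456789abcdef and must match the
# regular expression [a-z0-9]{6}\.[a-z0-9]{16}.
#
# Create a token that also authenticates as the per-node group
# system:bootstrappers:<node_name>. The expansion is quoted, and
# ${node_name:?...} makes the command fail when the variable is unset or empty
# instead of passing a malformed group name. No --ttl is given, so kubeadm's
# default lifetime applies.
kubeadm token create \
  --description kubelet-bootstrap-token \
  --groups "system:bootstrappers:${node_name:?node_name must be set}" \
  --kubeconfig ~/.kube/config
# List the existing tokens. The output includes the token values themselves,
# so treat it as credential material and keep it out of shared logs.
kubeadm token list --kubeconfig ~/.kube/config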

kubectl apply -f

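# Bootstrap token Secret. The token ID and secret below are sample values;
# generate fresh random ones for a real cluster and keep the filled-in manifest
# out of version control, because token-secret is a live credential.
apiVersion: v1
kind: Secret
metadata:
  # Name MUST be of form "bootstrap-token-<token id>"
  name: bootstrap-token-07401b
  namespace: kube-system
# Type MUST be 'bootstrap.kubernetes.io/token'
type: bootstrap.kubernetes.io/token
stringData:
  # Human readable description. Optional.
  description: "The default bootstrap token generated by 'kubeadm init'."
  # Token ID and secret. Required.
  # Quoted on purpose: stringData values must be strings, and an ID or secret
  # made only of digits (or shaped like 123e45) would otherwise be read as a
  # number by the YAML parser.
  token-id: "07401b"
  token-secret: "f395accd246ae52d"
  # Expiration. Optional. Quoted so it stays a string rather than a YAML
  # timestamp. Without this key the token never expires; the sample value is
  # already in the past, so replace it with a near-future time.
  expiration: "2017-03-10T03:22:11Z"
  # Allowed usages.
  # NOTE(review): enable only the usages the token needs; the signing usage is
  # presumably only required for kubeadm-style discovery — confirm.
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
  # Extra groups to authenticate the token as. Must start with "system:bootstrappers:"
  auth-extra-groups: "system:bootstrappers:worker,system:bootstrappers:ingress"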

kubectl create secret

# Token shape for reference: const Token = "abcdef.0123456789abcdef"
# Read 16 random bytes from /dev/urandom and print them as hex with the
# spaces removed. That yields 32 hex characters with no "." separator, so the
# output is not itself in the <id>.<secret> bootstrap-token form shown above.
head -c 16 /dev/urandom \
  | od -An -t x \
  | tr -d ' '
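# Generate the two halves of a bootstrap token with openssl:
# 3 random bytes -> 6 hex chars (token ID), 8 random bytes -> 16 hex chars
# (token secret). Both match the required [a-z0-9] alphabet.
TOKEN_ID=$(openssl rand -hex 3)
TOKEN_SECRET=$(openssl rand -hex 8)
BOOTSTRAP_TOKEN="${TOKEN_ID}.${TOKEN_SECRET}"

# Store the token as a Secret of type bootstrap.kubernetes.io/token.
# - All expansions are quoted; ${NODE_NAME:?...} makes the command fail when the
#   variable is unset or empty instead of producing a malformed group name.
# - No "expiration" literal is set, so this token stays valid until the Secret
#   is deleted. Add one (RFC 3339 UTC time) for a short-lived token.
# - The secret is passed on the command line, where it can end up in shell
#   history; run this from a trusted admin session.
kubectl -n kube-system create secret generic "bootstrap-token-${TOKEN_ID}" \
  --type 'bootstrap.kubernetes.io/token' \
  --from-literal description="kubelet-bootstrap-token" \
  --from-literal token-id="${TOKEN_ID}" \
  --from-literal token-secret="${TOKEN_SECRET}" \
  --from-literal usage-bootstrap-authentication=true \
  --from-literal usage-bootstrap-signing=true \
  --from-literal auth-extra-groups="system:bootstrappers:worker,system:bootstrappers:ingress,system:bootstrappers:${NODE_NAME:?NODE_NAME must be set}"

# Inspect the Secret. The YAML output contains the base64-encoded token, so do
# not paste it into tickets or chat.
kubectl get "secrets/bootstrap-token-${TOKEN_ID}" -n kube-system -o yaml

# Generate bootstrap.conf, the kubeconfig a kubelet uses for TLS bootstrapping.
# The CA certificate is embedded so the kubelet verifies the API server. The
# token is written into the file in clear text, so distribute bootstrap.conf
# as a credential.
kubectl --kubeconfig=bootstrap.conf config set-cluster kubernetes \
  --certificate-authority=kubernetes-ca.pem \
  --embed-certs=true \
  --server=https://192.168.33.100:8443
kubectl --kubeconfig=bootstrap.conf config set-credentials kubelet-bootstrap --token="${BOOTSTRAP_TOKEN}"
kubectl --kubeconfig=bootstrap.conf config set-context default --cluster=kubernetes --user=kubelet-bootstrap
kubectl --kubeconfig=bootstrap.conf config use-context default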
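###############################
# Bind the system:bootstrappers group to the system:node-bootstrapper
# ClusterRole. This grants the role to every bootstrap token holder, not to one
# node, so token lifetime and distribution are what limit who receives it.
# The create is guarded with "get ||" like the commands below, so re-running
# the script does not fail when the binding already exists.
kubectl get clusterrolebinding kubeadm:kubelet-bootstrap || kubectl create clusterrolebinding kubeadm:kubelet-bootstrap --clusterrole system:node-bootstrapper --group system:bootstrappers
###############################
# Ensure the kube-proxy ServiceAccount exists and is bound to the
# system:node-proxier ClusterRole; each step is skipped if already present.
kubectl -n kube-system get sa kube-proxy || kubectl -n kube-system create serviceaccount kube-proxy
kubectl get clusterrolebinding kubeadm:kube-proxy || kubectl create clusterrolebinding kubeadm:kube-proxy --clusterrole system:node-proxier --serviceaccount kube-system:kube-proxy
###############################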

参考

5月 26 20:58:46 n55 polkitd[2571]: Unregistered Authentication Agent for unix-process:5458:6750 (system bus name :1.49, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US
5月 26 20:58:46 n55 sudo[5478]:  vagrant : TTY=pts/0 ; PWD=/opt/k8s ; USER=root ; COMMAND=/bin/systemctl start docker.service
5月 26 20:58:46 n55 sudo[5478]: pam_unix(sudo:session): session opened for user root by vagrant(uid=0)
5月 26 20:58:46 n55 polkitd[2571]: Registered Authentication Agent for unix-process:5480:6760 (system bus name :1.51 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop
5月 26 20:58:46 n55 systemd[1]: Starting Docker Socket for the API.
-- Subject: Unit docker.socket has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit docker.socket has begun starting up.
5月 26 20:58:46 n55 systemd[5486]: Failed to chown socket at step GROUP: No such process
5月 26 20:58:46 n55 systemd[1]: docker.socket control process exited, code=exited status=216
5月 26 20:58:46 n55 systemd[1]: Failed to listen on Docker Socket for the API.
-- Subject: Unit docker.socket has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit docker.socket has failed.
--
-- The result is failed.
5月 26 20:58:46 n55 systemd[1]: Dependency failed for Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit docker.service has failed.
--
-- The result is dependency.
5月 26 20:58:46 n55 systemd[1]: Job docker.service/start failed with result 'dependency'.
5月 26 20:58:46 n55 systemd[1]: Unit docker.socket entered failed state.
5月 26 20:58:46 n55 sudo[5478]: pam_unix(sudo:session): session closed for user root
5月 26 20:58:46 n55 polkitd[2571]: Unregistered Authentication Agent for unix-process:5480:6760 (system bus name :1.51, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US
5月 26 20:58:46 n55 bash[3008]: 2019/05/26 20:58:46 [INFO] autopilot: Promoting Server (ID: "bc46826a-de43-fe99-79cf-91cac82e5fa1" Address: "192.168.33.56:8300") to voter
5月 26 20:58:46 n55 bash[3008]: 2019/05/26 20:58:46 [INFO] raft: Updating configuration with AddStaging (bc46826a-de43-fe99-79cf-91cac82e5fa1, 192.168.33.56:8300) to [{Suffrage:Voter ID:66c5b93
5月 26 20:58:57 n55 chronyd[2603]: Source 119.28.183.184 replaced with 193.228.143.22
5月 26 20:59:09 n55 sudo[5488]:  vagrant : TTY=pts/0 ; PWD=/opt/k8s ; USER=root ; COMMAND=/bin/journalctl -xe
5月 26 20:59:09 n55 sudo[5488]: pam_unix(sudo:session): session opened for user root by vagrant(uid=0)