前言《举例》
join:将node加入集群
join的命令
$ kubeadm join xxxxxx:6443 --token a5gkfo.f1p9gsu68rxi14vx --discovery-token-ca-cert-hash sha256:9b826ab9655ae79c6398625b2cd52315d4f07bdae23d9d61604f29551757f328
join前检查
discovery-token-ca-cert-hash: 用于Node验证Master身份
- 根据
CA的公钥证书数据来计算出hash值
$ openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -pubkey | openssl rsa -pubin -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1
这里的计算结果,跟
join加入的discovery-token-ca-cert-hash后面接的结果是一样的,一致就可以说加入正确
token:用于Master验证Node身份
主要是在
/etc/kubernetes/manifests/kube-apiserver.yaml中的--enable-bootstrap-token-auth=true设置了为true
token格式由两段组成,token-id.token-serect,查看有前缀的secret对象
$ kubectl get secret -n kube-system | grep bootstrap ---------------------- bootstrap-token-a5gkfo bootstrap.kubernetes.io/token 7 11d
- 查看
secret对象的具体内容
$ kubectl get secret/bootstrap-token-a5gkfo -n kube-system -o yaml ----------------------- apiVersion: v1 data: auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4= description: VGhlIGRlZmF1bHQgYm9vdHN0cmFwIHRva2VuIGdlbmVyYXRlZCBieSAna3ViZWFkbSBpbml0Jy4= expiration: MjAxOC0xMC0xM1QxMToxOToxOSswODowMA== token-id: YTVna2Zv token-secret: ZjFwOWdzdTY4cnhpMTR2eA== usage-bootstrap-authentication: dHJ1ZQ== usage-bootstrap-signing: dHJ1ZQ== kind: Secret metadata: creationTimestamp: 2018-10-12T03:19:19Z name: bootstrap-token-a5gkfo namespace: kube-system resourceVersion: "181" selfLink: /api/v1/namespaces/kube-system/secrets/bootstrap-token-a5gkfo uid: 9b3d556f-cdcd-11e8-9354-fa163e47331c type: bootstrap.kubernetes.io/token
可以看到
token-secret是一个base64编码的字符串,我们解码
$ echo ZjFwOWdzdTY4cnhpMTR2eA== | base64 -d --------------------- f1p9gsu68rxi14vx
Bingo!
本文作者为olei,转载请注明。