kubeadm join原理

olei 2,263 views 0

前言《举例》

  • join:将node加入集群

join的命令

$  kubeadm join xxxxxx:6443 --token a5gkfo.f1p9gsu68rxi14vx --discovery-token-ca-cert-hash sha256:9b826ab9655ae79c6398625b2cd52315d4f07bdae23d9d61604f29551757f328

join前检查

  • discovery-token-ca-cert-hash : 用于Node验证Master身份
  • 根据CA的公钥证书数据来计算出hash
$ openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -pubkey | openssl rsa -pubin -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1

这里的计算结果,跟join加入的discovery-token-ca-cert-hash后面接的结果是一样的,一致就可以说加入正确

  • token:用于Master验证Node身份

主要是在/etc/kubernetes/manifests/kube-apiserver.yaml中的--enable-bootstrap-token-auth=true设置了为true

  • token格式由两段组成,token-id.token-serect,查看有前缀的secret对象
$ kubectl get secret -n kube-system | grep bootstrap
----------------------
bootstrap-token-a5gkfo                           bootstrap.kubernetes.io/token         7         11d
  • 查看secret对象的具体内容
$ kubectl get secret/bootstrap-token-a5gkfo -n kube-system -o yaml
-----------------------
apiVersion: v1
data:
  auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=
  description: VGhlIGRlZmF1bHQgYm9vdHN0cmFwIHRva2VuIGdlbmVyYXRlZCBieSAna3ViZWFkbSBpbml0Jy4=
  expiration: MjAxOC0xMC0xM1QxMToxOToxOSswODowMA==
  token-id: YTVna2Zv
  token-secret: ZjFwOWdzdTY4cnhpMTR2eA==
  usage-bootstrap-authentication: dHJ1ZQ==
  usage-bootstrap-signing: dHJ1ZQ==
kind: Secret
metadata:
  creationTimestamp: 2018-10-12T03:19:19Z
  name: bootstrap-token-a5gkfo
  namespace: kube-system
  resourceVersion: "181"
  selfLink: /api/v1/namespaces/kube-system/secrets/bootstrap-token-a5gkfo
  uid: 9b3d556f-cdcd-11e8-9354-fa163e47331c
type: bootstrap.kubernetes.io/token

可以看到token-secret是一个base64编码的字符串,我们解码

$ echo ZjFwOWdzdTY4cnhpMTR2eA== | base64 -d
---------------------
f1p9gsu68rxi14vx

Bingo!

发表评论 取消回复
表情 图片 链接 代码

分享