Image: https://vocon-it.com/2018/12/03/how-to-create-a-kubernetes-cluster-with-kubeadm-kubernetes-series-3/
When we first init a K8S cluster, kubeadm outputs the join command we use to join worker nodes, as shown below.
But the token is, by default, only valid for 24 hours, so we need to generate a new one once it has expired or if we did not copy it for later use before expiration.
There are two ways to deal with the above situations:
- For either case, generate a new token
- Construct the join command if the token is still within its expiration time
Generate a new token to join a worker node
Use the command below to generate the join command for a worker node.
kubeadm token create --print-join-command
Check all tokens.
kubeadm token list
Construct the join command
For either case, it is easier and simpler just to create a new token for the join command, but it does no harm to know more about how to construct the command. The join command is structured as below:
kubeadm join <api-server-ip:port> --token <token-value> \
--discovery-token-ca-cert-hash sha256:<hash value>
So we need three pieces of information:
- Api-server-ip and port, which you can find easily
- Valid token
- Token-ca-cert-hash value
On a control plane node, run the command below to get the api-server IP and port.
kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' && echo ""
List the current tokens or create a new one.
Retrieve the token-ca-cert-hash value on any control plane node in the cluster.
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | \
openssl rsa -pubin -outform der 2>/dev/null | \
openssl dgst -sha256 -hex | sed 's/^.* //'
Now join these three values as shown below and execute the command on the K8S bootstrapped worker node.
kubeadm join 172.31.43.204:6443 --token dr3gbo.bdwy2p79jqz93r58 \
--discovery-token-ca-cert-hash sha256:cbf5f7c1eead4491214964f841a0e1bf9f9c220987cb68edb8f98e2902b60aac
On a control plane node, check whether the worker node was successfully added.
And there you go, you now have a K8S cluster with a single control plane and a worker node!
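The construction steps above, as an added example that is not part of the original post: it computes the CA public key hash with `openssl pkey` (which also handles EC keys), refuses to hash an unreadable certificate, checks the token shape, and prints the join command. The function names, the throwaway CA, the 192.0.2.10 endpoint and the token are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not kubeadm's own.

# SHA-256 of the CA certificate's DER-encoded public key. `openssl pkey`
# accepts RSA and EC keys; the `openssl rsa` step only accepts RSA.
ca_cert_hash() {
    der=$(mktemp) || return 1
    rc=1
    # Fail instead of hashing empty input when the certificate is unreadable.
    if openssl x509 -pubkey -noout -in "$1" 2>/dev/null |
        openssl pkey -pubin -outform der -out "$der" 2>/dev/null &&
        [ -s "$der" ]; then
        openssl dgst -sha256 -hex <"$der" | sed 's/^.* //'
        rc=0
    fi
    rm -f "$der"
    return $rc
}

# Print a join command only if each part has the expected shape.
# Args: <api-server URL or host:port> <token> <path to ca.crt>
build_join_cmd() {
    endpoint=${1#https://}   # kubectl prints a URL; the join command uses host:port
    printf '%s\n' "$2" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$' ||
        { echo "token is not in <6 chars>.<16 chars> form" >&2; return 1; }
    ca_hash=$(ca_cert_hash "$3") ||
        { echo "cannot read a public key from $3" >&2; return 1; }
    printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash sha256:%s\n' \
        "$endpoint" "$2" "$ca_hash"
}

# Constructed demo: a throwaway self-signed CA stands in for
# /etc/kubernetes/pki/ca.crt, and the endpoint and token are made up.
demo() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    build_join_cmd "https://192.0.2.10:6443" "abcdef.0123456789abcdef" "$dir/ca.crt"
    rm -rf "$dir"
}
demo
```

On a real control plane node, pass `/etc/kubernetes/pki/ca.crt` and a token from `kubeadm token list` to `build_join_cmd` instead of the demo values.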