Join cluster after init token expired?

11/5/2017

I created a Kubernetes cluster a few days ago with 1 Master and 1 worker Node. Now I want to add another node to the cluster, but the token printed by the original "kubeadm init" on the master has expired (by default after 24 hours).

The "kubeadm join" command has a "--discovery-file" option. It takes a config file and I have tried with the format I found here:

https://github.com/kubernetes/kubeadm/blob/master/docs/design/design_v1.8.md

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <really long certificate data>
    server: https://10.138.0.2:6443
  name: ""
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

I copied the corresponding data from my working kubectl config file and created a local file "a.config".

But, when I try the command "sudo kubeadm join --discovery-file a.conf" it fails with the following error messages:

[discovery: Invalid value: "": token [""] was not of form ["^([a-z0-9]{6})\\.([a-z0-9]{16})$"], discovery: Invalid value: "": token must be of form '[a-z0-9]{6}.[a-z0-9]{16}']

What am I missing here?

What is a procedure known to work in my situation? I prefer not to tear down the cluster and re-join it again.

-- OlavT
kubernetes

3 Answers

1/16/2019

Thanks for @silverfox's answer, but it's still a little painful to type these commands manually, so I built the following command to help me do this much more quickly.

This command will create a token and generate the joining command:

echo sudo kubeadm join $(kubeadm config view | grep ^controlPlaneEndpoint | awk '{print $2}') --token $(kubeadm token create) --discovery-token-ca-cert-hash sha256:$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //')
-- Gea-Suan Lin
Source: StackOverflow

11/5/2017

Create a new bootstrap token and join

Use kubeadm token create to create a new bootstrap token. See kubeadm: Managing Tokens.

# login to master node
# create a new bootstrap token
$ kubeadm token create
abcdef.1234567890abcdef

# get root ca cert fingerprint
$ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
e18105ef24bacebb23d694dad491e8ef1c2ea9ade944e784b1f03a15a0d5ecea 

# login to the new worker node
# join to cluster 
$ kubeadm join --token abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:e18105ef24bacebb23d694dad491e8ef1c2ea9ade944e784b1f03a15a0d5ecea 1.2.3.4:6443

Note: --discovery-token-ca-cert-hash is preferred in Kubernetes 1.8 and above.

(Alternative) Use discovery file to establish trust

--discovery-file provides an out-of-band way to establish a root of trust between the master and bootstrapping nodes.

Consider using this mode if you are building automated provisioning using kubeadm.

The discovery file does not provide a valid token, so we still need kubeadm token create to create a new one.

kubeadm join --token abcdef.1234567890abcdef --discovery-file a.conf
-- silverfox
Source: StackOverflow
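
The value passed to --discovery-token-ca-cert-hash in the answer above is a SHA-256 digest over the DER-encoded SubjectPublicKeyInfo of the cluster CA certificate, which is what the openssl pipeline extracts and hashes. The following is an added example, not code from the answers or from kubeadm: it recomputes that pin and checks a join command's token and pin before it is run on a worker. The function names and the constructed sample certificate skeleton are assumptions, and the DER walk is a minimal reader for well-formed certificates, not a validating X.509 parser.

```python
import hashlib
import re
import ssl

# Token form quoted in the kubeadm error message in the question.
TOKEN_RE = re.compile(r"^([a-z0-9]{6})\.([a-z0-9]{16})$")

def tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, element_end)."""
    tag, length = buf[pos], buf[pos + 1]
    start = pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        start += length & 0x7F
        length = int.from_bytes(buf[pos + 2:start], "big")
    return tag, start, start + length

def spki(der):
    """Return the subjectPublicKeyInfo element (header included) of a certificate."""
    _, pos, _ = tlv(der, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = tlv(der, pos)  # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                  # explicit [0] version, absent in v1 certificates
        pos = end
    for _ in range(5):               # serialNumber, signature, issuer, validity, subject
        pos = tlv(der, pos)[2]
    tag, _, end = tlv(der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return der[pos:end]

def ca_cert_hash(pem):
    """Value for --discovery-token-ca-cert-hash: SHA-256 over the DER SPKI."""
    return "sha256:" + hashlib.sha256(spki(ssl.PEM_cert_to_DER_cert(pem))).hexdigest()

def check_join(token, pin, ca_pem):
    """Return the problems found in a join command's token and CA pin (empty if none)."""
    problems = []
    if not TOKEN_RE.match(token):
        problems.append("token is not of form [a-z0-9]{6}.[a-z0-9]{16}")
    if pin.lower() != ca_cert_hash(ca_pem):
        problems.append("CA pin does not match the certificate")
    return problems

# Constructed sample: a certificate-shaped DER skeleton with a dummy key, not a real CA.
def _el(tag, body=b""):
    return bytes([tag, len(body)]) + body  # short-form length, bodies under 128 bytes
SAMPLE_SPKI = _el(0x30, _el(0x30, _el(0x06, b"\x2a\x03")) + _el(0x03, b"\x00" + b"K" * 32))
_TBS = _el(0x30, _el(0xA0, _el(0x02, b"\x02")) + _el(0x02, b"\x01") + _el(0x30) * 4 + SAMPLE_SPKI)
SAMPLE_CA_PEM = ssl.DER_cert_to_PEM_cert(_el(0x30, _TBS + _el(0x30) + _el(0x03, b"\x00")))
```

With a real cluster, pass the text of /etc/kubernetes/pki/ca.crt, copied to the worker out of band, as ca_pem; an empty token, as in the question's error, is reported by check_join rather than by kubeadm.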

1/24/2019

The easiest way I know to join new nodes to an existing cluster is:

kubeadm token create --print-join-command

This will give output like this:

kubeadm join 192.168.10.15:6443 --token l946pz.6fv0XXXXX8zry --discovery-token-ca-cert-hash sha256:e1e6XXXXXXXXXXXX9ff2aa46bf003419e8b508686af8597XXXXXXXXXXXXXXXXXXX
-- Mansur Ali
Source: StackOverflow