kubeadm join原理
前言《举例》
join:将node加入集群
join的命令
$ kubeadm join xxxxxx:6443 --token a5gkfo.f1p9gsu68rxi14vx --discovery-token-ca-cert-hash sha256:9b826ab9655ae79c6398625b2cd52315d4f07bdae23d9d61604f29551757f328join前检查
discovery-token-ca-cert-hash: 用于Node验证Master身份
- 根据
CA的公钥证书数据来计算出hash值
$ openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -pubkey | openssl rsa -pubin -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1这里的计算结果,跟
join加入的discovery-token-ca-cert-hash后面接的结果是一样的,一致就可以说加入正确
token:用于Master验证Node身份
主要是在
/etc/kubernetes/manifests/kube-apiserver.yaml中的--enable-bootstrap-token-auth=true设置了为true
token格式由两段组成,token-id.token-serect,查看有前缀的secret对象
$ kubectl get secret -n kube-system | grep bootstrap
----------------------
bootstrap-token-a5gkfo bootstrap.kubernetes.io/token 7 11d- 查看
secret对象的具体内容
$ kubectl get secret/bootstrap-token-a5gkfo -n kube-system -o yaml
-----------------------
apiVersion: v1
data:
auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=
description: VGhlIGRlZmF1bHQgYm9vdHN0cmFwIHRva2VuIGdlbmVyYXRlZCBieSAna3ViZWFkbSBpbml0Jy4=
expiration: MjAxOC0xMC0xM1QxMToxOToxOSswODowMA==
token-id: YTVna2Zv
token-secret: ZjFwOWdzdTY4cnhpMTR2eA==
usage-bootstrap-authentication: dHJ1ZQ==
usage-bootstrap-signing: dHJ1ZQ==
kind: Secret
metadata:
creationTimestamp: 2018-10-12T03:19:19Z
name: bootstrap-token-a5gkfo
namespace: kube-system
resourceVersion: "181"
selfLink: /api/v1/namespaces/kube-system/secrets/bootstrap-token-a5gkfo
uid: 9b3d556f-cdcd-11e8-9354-fa163e47331c
type: bootstrap.kubernetes.io/token可以看到
token-secret是一个base64编码的字符串,我们解码
$ echo ZjFwOWdzdTY4cnhpMTR2eA== | base64 -d
---------------------
f1p9gsu68rxi14vxBingo!
ParadigmSDKv3.init('f31e45e6e4a54a2ba32539ef6053b7ad',{ isDisableArticleFetch: true });ParadigmSDKv3.renderArticle('paradigm_render_content_append_id_1038',548,1038);
本文作者为olei,转载请注明。
本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2018-10-23,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录