join: adds a node to the cluster.

The join command:
$ kubeadm join xxxxxx:6443 --token a5gkfo.f1p9gsu68rxi14vx --discovery-token-ca-cert-hash sha256:9b826ab9655ae79c6398625b2cd52315d4f07bdae23d9d61604f29551757f328

Checks before joining

discovery-token-ca-cert-hash: used by the Node to verify the Master's identity. The hash value is computed from the public key data of the CA certificate:
$ openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -pubkey | openssl rsa -pubin -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1
The result computed here is the same as the value that follows discovery-token-ca-cert-hash in the join command. If the two match, the join is correct.

token: used by the Master to verify the Node's identity. This mainly relies on --enable-bootstrap-token-auth=true being set in /etc/kubernetes/manifests/kube-apiserver.yaml.

The token format consists of two parts, token-id.token-secret. To see the Secret objects that carry the bootstrap prefix:
$ kubectl get secret -n kube-system | grep bootstrap
----------------------
bootstrap-token-a5gkfo bootstrap.kubernetes.io/token 7 11d

The full content of the Secret object:
$ kubectl get secret/bootstrap-token-a5gkfo -n kube-system -o yaml
-----------------------
apiVersion: v1
data:
  auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=
  description: VGhlIGRlZmF1bHQgYm9vdHN0cmFwIHRva2VuIGdlbmVyYXRlZCBieSAna3ViZWFkbSBpbml0Jy4=
  expiration: MjAxOC0xMC0xM1QxMToxOToxOSswODowMA==
  token-id: YTVna2Zv
  token-secret: ZjFwOWdzdTY4cnhpMTR2eA==
  usage-bootstrap-authentication: dHJ1ZQ==
  usage-bootstrap-signing: dHJ1ZQ==
kind: Secret
metadata:
  creationTimestamp: 2018-10-12T03:19:19Z
  name: bootstrap-token-a5gkfo
  namespace: kube-system
  resourceVersion: "181"
  selfLink: /api/v1/namespaces/kube-system/secrets/bootstrap-token-a5gkfo
  uid: 9b3d556f-cdcd-11e8-9354-fa163e47331c
type: bootstrap.kubernetes.io/token

As you can see, token-secret is a base64-encoded string. Decode it:
$ echo ZjFwOWdzdTY4cnhpMTR2eA== | base64 -d
---------------------
f1p9gsu68rxi14vx
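
The same decoding applied to every checked field of the Secret, as an added example that is not part of the original article: it rebuilds token-id.token-secret, confirms the Secret name matches the token-id, and flags a token that has expired or has no expiration. The function name audit_bootstrap_secret and the trimmed sample dict are assumptions made for illustration; the base64 values are the ones printed above.

```python
import base64
import re
from datetime import datetime, timezone

# kubeadm bootstrap token format: 6-char token-id, a dot, 16-char token-secret
TOKEN_RE = re.compile(r"^[a-z0-9]{6}\.[a-z0-9]{16}$")

# Constructed input: the Secret printed above, trimmed to the fields checked
# here, in the shape `kubectl get secret ... -o json` returns.
SAMPLE_SECRET = {
    "metadata": {"name": "bootstrap-token-a5gkfo"},
    "type": "bootstrap.kubernetes.io/token",
    "data": {
        "expiration": "MjAxOC0xMC0xM1QxMToxOToxOSswODowMA==",
        "token-id": "YTVna2Zv",
        "token-secret": "ZjFwOWdzdTY4cnhpMTR2eA==",
        "usage-bootstrap-authentication": "dHJ1ZQ==",
    },
}


def audit_bootstrap_secret(secret, now):
    """Decode one bootstrap token Secret; return (decoded fields, findings)."""
    fields = {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}
    token_id = fields.get("token-id", "")
    # Recompose the value that `kubeadm join --token` expects
    fields["token"] = f"{token_id}.{fields.get('token-secret', '')}"
    findings = []
    if not TOKEN_RE.match(fields["token"]):
        findings.append("token is not in token-id.token-secret format")
    if secret["metadata"]["name"] != f"bootstrap-token-{token_id}":
        findings.append("Secret name does not match its token-id")
    expiration = fields.get("expiration")
    if expiration is None:
        # A bootstrap token Secret without this field stays valid indefinitely
        findings.append("no expiration set: token never expires")
    elif datetime.fromisoformat(expiration.replace("Z", "+00:00")) <= now:
        findings.append("token expired")
    return fields, findings


if __name__ == "__main__":
    decoded, problems = audit_bootstrap_secret(SAMPLE_SECRET, datetime.now(timezone.utc))
    # Print only non-secret fields; the token-secret itself is not echoed
    print(decoded["token-id"], decoded["expiration"], problems or "ok")
```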

This article was written by olei; please credit the source when reposting.