Author: 李毓

Environment:
The master, node1 and node2 nodes already exist; we now add node3.

Role     IP
Master   192.168.31.61
Node1    192.168.31.62
Node2    192.168.31.63
Node3    192.168.31.64

First initialize node3. How to initialize a node was covered in the previous article and is not repeated here.

1. Prepare the new node's environment: copy the node files already deployed on an existing node to the new node, node3

scp -r /opt/kubernetes/ root@192.168.31.64:/opt/
scp -r /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.31.64:/usr/lib/systemd/system
scp -r /opt/cni/ root@192.168.31.64:/opt

Delete the kubelet certificate and kubeconfig files

cd /opt/kubernetes/ssl/
rm kubelet* -f
cd /opt/kubernetes/cfg/
rm kubelet.kubeconfig bootstrap.kubeconfig -f

Note: these files are generated automatically once the certificate request is approved. They are different on every node, so they must be deleted and regenerated.

2. Confirm that Bootstrap Token authentication is enabled

[Figure 1: Adding a node to a binary-deployed K8S cluster (Bootstrap Token authentication)]

If it is not enabled, add the setting and restart the apiserver:

systemctl restart kube-apiserver

3. Store the Bootstrap Token in a Secret

vim bootstrap-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  # Name MUST be of form "bootstrap-token-<token id>"
  name: bootstrap-token-07401b
  namespace: kube-system

# Type MUST be 'bootstrap.kubernetes.io/token'
type: bootstrap.kubernetes.io/token
stringData:
  # Human readable description. Optional.
  description: "The default bootstrap token generated by 'kubeadm init'."

  # Token ID and secret. Required.
  token-id: 07401b
  token-secret: f395accd246ae52d

  # Expiration. Optional.
  expiration: 2027-03-10T03:22:11Z

  # Allowed usages.
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"

  # Extra groups to authenticate the token as. Must start with "system:bootstrappers:"
  auth-extra-groups: system:bootstrappers:worker,system:bootstrappers:ingress

kubectl apply -f bootstrap-secret.yaml

Note: expiration is the token's expiry time; any time a few days after the current time is fine.
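The checks behind steps 2 and 3, as an added example that is not part of the original post: a script that validates the `<token-id>.<token-secret>` format a kubelet presents, generates a fresh token, checks an apiserver flag file for `--enable-bootstrap-token-auth=true` (the kube-apiserver flag that turns on this authenticator; the path /opt/kubernetes/cfg/kube-apiserver.conf is an assumption, and the sample file the script creates is constructed), and renders the Secret from step 3 with the name fixed to `bootstrap-token-<token-id>`. One point the post does not spell out: the token the kubelet uses in bootstrap.kubeconfig must be this same `<token-id>.<token-secret>` pair; a token of any other shape is not a bootstrap token and will not be accepted by this authenticator.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# Assumption: the apiserver flags live in a file such as /opt/kubernetes/cfg/kube-apiserver.conf;
# a constructed stand-in file is created below so the script runs offline.

# The kubelet presents a bootstrap token as "<token-id>.<token-secret>":
# token-id is exactly 6 characters of [a-z0-9], token-secret exactly 16 characters of [a-z0-9].
is_bootstrap_token() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# Generate a fresh token from /dev/urandom rather than reusing one from another cluster.
gen_bootstrap_token() {
  local id secret
  id=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 6)
  secret=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 16)
  printf '%s.%s\n' "$id" "$secret"
}

# Step 2 check: return 0 when the given apiserver flag file enables bootstrap token auth.
apiserver_bootstrap_auth_enabled() {
  grep -Eq -- '--enable-bootstrap-token-auth=true' "$1"
}

# Step 3: render the Secret for a token. The Secret name MUST be bootstrap-token-<token-id>;
# keep the expiration only a few days out, the apiserver rejects the token after that time.
render_bootstrap_secret() {
  local token=$1 expiration=$2 id secret
  is_bootstrap_token "$token" || { echo "bad token format: $token" >&2; return 1; }
  id=${token%%.*}
  secret=${token#*.}
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-${id}
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  description: "bootstrap token for joining a worker node"
  token-id: ${id}
  token-secret: ${secret}
  expiration: ${expiration}
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
  auth-extra-groups: system:bootstrappers:worker
EOF
}

# Constructed sample apiserver flag file (stands in for the real one on the master).
SAMPLE_APISERVER_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_APISERVER_CONF"' EXIT
cat >"$SAMPLE_APISERVER_CONF" <<'EOF'
KUBE_APISERVER_OPTS="--logtostderr=false \
--enable-bootstrap-token-auth=true \
--service-cluster-ip-range=10.0.0.0/24"
EOF

# Usage: generate a token, confirm the apiserver setting, print the Secret to apply with kubectl.
# Expiration three days ahead (GNU date first, BSD date as fallback).
EXPIRATION=$(date -u -d '+3 days' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v+3d +%Y-%m-%dT%H:%M:%SZ)
TOKEN=$(gen_bootstrap_token)
if apiserver_bootstrap_auth_enabled "$SAMPLE_APISERVER_CONF"; then
  render_bootstrap_secret "$TOKEN" "$EXPIRATION"
else
  echo "enable --enable-bootstrap-token-auth=true on kube-apiserver first" >&2
fi
```

Redirect the rendered Secret to a file and apply it with `kubectl apply -f` as in step 3; the same `$TOKEN` value is what goes into the kubelet's bootstrap.kubeconfig in step 5.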

4. Create an RBAC role binding that allows kubelet TLS bootstrap to create CSRs

vim rbac.yaml

# enable bootstrapping nodes to create CSR
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: create-csrs-for-bootstrapping
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:node-bootstrapper
  apiGroup: rbac.authorization.k8s.io

kubectl apply -f rbac.yaml

5. Configure the kubelet's bootstrap kubeconfig file

This file can be copied straight from node1:

scp bootstrap.kubeconfig root@192.168.31.64:/opt/kubernetes/cfg/

[root@k8s-node1 cfg]# cat /opt/kubernetes/cfg/bootstrap.kubeconfig

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /opt/kubernetes/ssl/ca.pem
    server: https://192.168.0.61:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubelet-bootstrap
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kubelet-bootstrap
  user:
    token: c47ffb939f5ca36231d9e3121a252940

6. Point the kubelet configuration file at the kubeconfig file

[Figure 2: Adding a node to a binary-deployed K8S cluster (Bootstrap Token authentication)]

On node3, start the kubelet and enable it at boot:

systemctl daemon-reload
systemctl start kubelet
systemctl enable kubelet

7. Issue the certificate on the master node

[root@k8s-master ~]# kubectl get csr
NAME                                                   AGE   SIGNERNAME                                    REQUESTOR           CONDITION
node-csr-bwIRDjbTQuLTI3MmtGZIw5Gz2bFYeQIXynq-kSlFuyQ   86s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Pending

Then approve the request so node3 joins:

[root@k8s-master ~]# kubectl certificate approve node-csr-bwIRDjbTQuLTI3MmtGZIw5Gz2bFYeQIXynq-kSlFuyQ
certificatesigningrequest.certificates.k8s.io/node-csr-bwIRDjbTQuLTI3MmtGZIw5Gz2bFYeQIXynq-kSlFuyQ approved
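A narrower way to carry out step 7 than approving whatever happens to be pending, as an added example that is not from the original post: filter the `kubectl get csr` output down to CSRs that are Pending, were requested by the `kubelet-bootstrap` user and ask the `kubernetes.io/kube-apiserver-client-kubelet` signer (both values appear in the output above), then print one `kubectl certificate approve` command per match so the names can be checked before they are run. The sample output embedded in the script is constructed: the first CSR name is the one from this post, the other two are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# A kubelet using the bootstrap kubeconfig authenticates as "kubelet-bootstrap"
# (the REQUESTOR column) and requests the kubernetes.io/kube-apiserver-client-kubelet signer.

# Read "kubectl get csr" output on stdin and print the names of CSRs that are Pending,
# come from the given requestor and use the given signer.
pending_bootstrap_csrs() {
  local requestor=${1:-kubelet-bootstrap}
  local signer=${2:-kubernetes.io/kube-apiserver-client-kubelet}
  # Columns: NAME AGE SIGNERNAME REQUESTOR CONDITION (header line skipped)
  awk -v r="$requestor" -v s="$signer" '
    NR > 1 && $3 == s && $4 == r && $5 == "Pending" { print $1 }'
}

# Print one approve command per selected CSR; review the names, then run them.
approve_commands() {
  pending_bootstrap_csrs "$@" | while IFS= read -r name; do
    printf 'kubectl certificate approve %s\n' "$name"
  done
}

# Constructed sample of "kubectl get csr" output: one expected node CSR, one already
# approved, and one from an unrelated requestor that must not be approved by this script.
SAMPLE_CSR_OUTPUT='NAME                                                   AGE   SIGNERNAME                                    REQUESTOR           CONDITION
node-csr-bwIRDjbTQuLTI3MmtGZIw5Gz2bFYeQIXynq-kSlFuyQ   86s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Pending
node-csr-EXAMPLEALREADYAPPROVED00000000000000000000000   5m    kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Approved,Issued
csr-EXAMPLEOTHER                                        1m    kubernetes.io/kube-apiserver-client           system:serviceaccount:default:example   Pending'

# Usage on the master: kubectl get csr | approve_commands
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_CSR_OUTPUT" | approve_commands
```

On a live master the input comes from `kubectl get csr` directly; the filter on requestor and signer is what keeps an unrelated pending CSR from being approved alongside the new node's.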

Finally, the node joins successfully:

[Figure 3: Adding a node to a binary-deployed K8S cluster (Bootstrap Token authentication)]