kubernetes: How to automatically generate the command to join the master

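Token validity period

When a cluster is initialized with kubeadm init, the output includes the command needed to join the master node, containing the token and the SHA-256 hash of the CA certificate. However, this token is valid for only 24 hours.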

[root@host10-30-21-63 cluster-setup]# kubeadm token list
TOKEN                     TTL         EXPIRES                     USAGES                   DESCRIPTION   EXTRA GROUPS
70fapb.wu0096qfww2obbks   23h         2019-04-11T15:43:21+08:00   authentication,signing           system:bootstrappers:kubeadm:default-node-token
yzh65b.qxszl94qknmvhzpx      2019-04-10T10:30:27+08:00   authentication,signing           system:bootstrappers:kubeadm:default-node-token

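Once the 24 hours have passed, a new token has to be generated.

Automatically generating the join master command

Because a new token has to be generated every time the old one expires, keeping a record of the join master command is cumbersome. The following script generates the command needed to join the master: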

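#!/bin/bash
# Generate a ready-to-use "kubeadm join" command with a fresh bootstrap token.

# kubeadm and the CA certificate under /etc/kubernetes/pki require root.
if [ "$EUID" -ne 0 ]; then
    echo "You must be root (or sudo) to run this script"
    exit 1
fi

# Exactly one argument is expected: the master's hostname or IP address.
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 [master-hostname | master-ip-address]"
    echo " e.g.: $0 api.k8s.hiko.im"
    exit 1
fi

# Create a new bootstrap token.
token=$(kubeadm token create)
# SHA-256 hash of the CA certificate's public key; the joining node uses it to verify the cluster CA.
cert_hash=$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //')

# Do not print a broken command if either step failed.
if [ -z "$token" ] || [ -z "$cert_hash" ]; then
    echo "Failed to create a token or to compute the CA certificate hash" >&2
    exit 1
fi

echo "Refer the following command to join kubernetes cluster:"
echo "kubeadm join $1:6443 --token ${token} --discovery-token-ca-cert-hash sha256:${cert_hash}"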

Given a master domain name or IP address, the script generates the command:

[jinguang1@host10-30-21-63 cluster-setup]$ sudo ./generate_join_command.sh  api.k8s.hiko.im
Refer the following command to join kubernetes cluster:
kubeadm join api.k8s.hiko.im:6443 --token 70fapb.wu0096qfww2obbks --discovery-token-ca-cert-hash sha256:b33fb5d58524e2822c8caeef2cc742885759a43b8091a39a9aa45e31xxxxxxxx
