Generate New Join Tokens

Mindwatering Incorporated

Author: Tripp W Black

Created: 11/22/2019 at 05:35 PM

 

Category:
Linux
Kubernetes

Task:
Deploy a new worker or master K8s node.

Notes:
- Tokens for worker joins are only good for 24 hrs. Uploaded certs from the initial cluster init are only valid for 2 hours.
- The control-plane certificate key is needed for additional master/control-plane nodes only.

Steps:
A. Create New Token and Key
1. Open up a new remote SSH tunnel into one of the existing masters.
Confirm no current token exists.
myadmin@k8master2 ~$ kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
<nothing returned>

2. Create the tokens.
Create the "token":
myadmin@k8master2 ~$ sudo kubeadm token create
1cipqr.8zyxj1ab29a012ab0

Create the "discovery-token-ca-cert-hash":
myadmin@k8master2 ~$ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
7a1a9a33f210ab254321000a12e0af987a12381abc1aa12122ab1af77a141aa1


B. On the Worker(s), Perform the Kubeadm Join
1. Issue the join command on the new worker(s).
On the worker, create a new join command by copying and pasting the token and the discovery-token-ca-cert-hash. Note that the discovery-token-ca-cert-hash value has a "sha256:" prefix.
myadmin@k8worker22 ~$ kubeadm join --token 1cipqr.8zyxj1ab29a012ab0 k8master2:6443 --discovery-token-ca-cert-hash sha256:7a1a9a33f210ab254321000a12e0af987a12381abc1aa12122ab1af77a141aa1

Note:
If you want to initiate the new node as another master/control-plane, add --control-plane and --certificate-key, using the certificate key printed from the first master.
myadmin@k8master4 ~ $ kubeadm join --token 1cipqr.8zyxj1ab29a012ab0 k8master2:6443 --discovery-token-ca-cert-hash sha256:7a1a9a33f210ab254321000a12e0af987a12381abc1aa12122ab1af77a141aa1 --control-plane --certificate-key d77d3a12ea19ca27b51c77732b775197e322551a85b27a55cbeca51b77ce3c55

For an example, search for: "K8s HA Practice Cluster" in this support app.
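
Added example (not part of the original note and not kubeadm's own code): a shell helper that derives the discovery-token-ca-cert-hash from step A.2 and assembles the worker join command from step B.1, failing instead of printing a hash when the CA file is missing or is not a certificate. The function names are hypothetical; it goes beyond the command above by using "openssl pkey" so that EC CA keys are handled as well as RSA.

```shell
#!/bin/sh
# Added example. Function names are illustrative, not part of kubeadm.

# Print the hex SHA-256 of the CA certificate's DER-encoded public key.
ca_cert_hash() {
    local pem
    # Stop here if the file is missing or is not a certificate. Without this
    # check the pipeline would hash empty input and still print 64 hex digits.
    pem="$(openssl x509 -pubkey -noout -in "$1" 2>/dev/null)" || return 1
    [ -n "$pem" ] || return 1
    # "openssl pkey" accepts RSA and EC keys; "openssl rsa" accepts RSA only.
    printf '%s\n' "$pem" \
        | openssl pkey -pubin -outform der 2>/dev/null \
        | openssl dgst -sha256 -hex \
        | sed 's/^.* //'
}

# Usage: build_join_cmd <token> <host:port> <path-to-ca.crt>
build_join_cmd() {
    local token="$1" endpoint="$2" cert="$3" hash
    hash="$(ca_cert_hash "$cert")" || {
        echo "cannot derive CA hash from: $cert" >&2
        return 1
    }
    # Refuse anything that is not exactly 64 lowercase hex digits.
    case "$hash" in
        *[!0-9a-f]*|"") echo "unexpected hash: $hash" >&2; return 1 ;;
    esac
    [ "${#hash}" -eq 64 ] || return 1
    printf 'kubeadm join --token %s %s --discovery-token-ca-cert-hash sha256:%s\n' \
        "$token" "$endpoint" "$hash"
}

# Run directly as: sh join-cmd.sh <token> <host:port> [ca.crt]
if [ "$#" -ge 2 ]; then
    build_join_cmd "$1" "$2" "${3:-/etc/kubernetes/pki/ca.crt}"
fi
```

Run it on an existing master, where /etc/kubernetes/pki/ca.crt lives, then paste the printed command on the new worker.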
