Limited Time Offer!

For Less Than the Cost of a Starbucks Coffee, Access All DevOpsSchool Videos on YouTube Unlimitedly.
Master DevOps, SRE, DevSecOps Skills!

Enroll Now

Detailed explaination of joining Kubernetes Nodes aka workers in Kubernetes master?

Step 1 – Install Docker
https://www.devopsschool.com/tutorial/docker/install-config/
https://www.devopsschool.com/tutorial/docker/install-config/docker-install-commuityedition-centos-rhel.html

Here’s the skeleton of a kubeadm join command for a control plane node:
kubeadm join <endpoint-ip-or-dns>:<port> \
--token <valid-bootstrap-token> \
--discovery-token-ca-cert-hash <ca-cert-sha256-hash> \
--control-plane \
--certificate-key <certificate-key>

And here’s the skeleton of a kubeadm join command for a worker node:
kubeadm join <endpoint-ip-or-dns>:<port> \
--token <valid-bootstrap-token> \
--discovery-token-ca-cert-hash <ca-cert-sha256-hash> \

Step 2 – How to find discovery-token-ca-cert-has in kubernetes master node?

Mehtod 1 – Using openssl



openssl x509 -in /etc/kubernetes/pki/ca.crt -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256
or
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'

Method 2 – Using Ansible Python Filter

Reference – https://gist.github.com/randomvariable/e4c43f89afec52fec0dbef6c08621249

Step 3 – How to Gererate kubeadm join “kubeadm token” using kubeadm in master nodes?

Bootstrap tokens are used for establishing bidirectional trust between a node joining the cluster and a control-plane node, as described in authenticating with bootstrap tokens. The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to ‘0’, the token will never expire (default 24h0m0s)

Differenece between kubeadm token create and kubeadm token generate
“kubeadm token create” would Create bootstrap tokens on the server but “kubeadm token generate” would Generate and print a bootstrap token, but do not create it on the server.

kubeadm token generate
This command will print out a randomly-generated bootstrap token that can be used with the “init” and “join” commands. You can also use “kubeadm init” without specifying a token and it will generate and print one for you. The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to ‘0’, the token will never expire (default 24h0m0s)

Create a kubeadm token for 200 hours?
$ kubeadm token create –ttl 24h0m0s

Generate a kubeadm token for life time?
$ kubeadm token create –ttl 0

Step 4 – Replace “172.31.14.69:6443” with API server. –token with kubeadm token and –discovery-token-ca-cert-hash and run following.


$ kubeadm join 172.31.14.69:6443 --token w82oxl.jglf7o8s7c2k4u8x --discovery-token-ca-cert-hash sha256:25d17cb97848f19c5ff6a097d5c18d410d41bff9a4b69cb9885be1ad26caeb16
Rajesh Kumar
Follow me