Kubeadm: "kubeadm join" fails as part of the token is omitted by kubeadm

Created on 7 Oct 2018 · 8 Comments · Source: kubernetes/kubeadm

Is this a request for help? NO

If yes, you should use our troubleshooting guide and community support channels, see http://kubernetes.io/docs/troubleshooting/.

If no, delete this section and continue on.

Is this a BUG REPORT or FEATURE REQUEST? BUG REPORT

Choose one: BUG REPORT or FEATURE REQUEST

Versions

kubeadm version (use kubeadm version): 1.12

Environment:

  • Kubernetes version (use kubectl version):1.12
  • Cloud provider or hardware configuration: openstackvm
  • OS (e.g. from /etc/os-release): centos7
  • Kernel (e.g. uname -a):3.10.0-862.11.6.el7.x86_64
  • Others:

What happened?

Kubeadm join does not accept the token. It takes only the first 5 characters, omits everything after ".", and fails to join the cluster.

kubeadm join --token "p3wt5t.4fwbefoc5dyhrxyz" --discovery-token-ca-cert-hash sha256:XXXXXX master:6443

Failed to connect to API Server "master:6443": token id "p3wt5t" is invalid for this cluster or it has expired. Use "kubeadm token create" on the master node to creating a new valid token

What you expected to happen?

Node joins the cluster

How to reproduce it (as minimally and precisely as possible)?

Create a Kubernetes cluster with kubeadm and external etcd as described here: https://v1-11.docs.kubernetes.io/docs/setup/independent/high-availability/#external-etcd

Anything else we need to know?

priority/awaiting-more-evidence

All 8 comments

@sujithbhaskaran according to the code, the first part of the token is a token ID and the second part is a secret. When kubeadm tries to connect to the API server, it uses the full token. However, when it fails to connect to the API server, it reports only the token ID.

Could it be that your token expired? Can you try to follow the kubeadm suggestion and create a new token?

/priority awaiting-more-evidence

I tried with the new token but the same issue.

What happens if you use the real IP of the master node?

FYI, I tested (and automated) it, and it works as expected.
generate token and hash:
https://github.com/ReSearchITEng/kubeadm-playbook/blob/master/roles/master/tasks/main.yml
consume them (join):
https://github.com/ReSearchITEng/kubeadm-playbook/blob/master/roles/node/tasks/main.yml
tested in both k8s 1.12.0 and 1.12.1

I will test this again and update.

Closing due to timeout and counter-evidence from numerous users.

I know this ticket is closed, but I found a great solution.

Step # 1 Generate new token

root@k8master:~# kubeadm token create --kubeconfig /etc/kubernetes/admin.conf

List the token

root@k8master:~# kubeadm token list
TOKEN                     TTL       EXPIRES                     USAGES                   DESCRIPTION   EXTRA GROUPS
k1fw6r.hseqjtg6lxvw50wc   23h       2019-01-24T19:35:51-08:00   authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token

Get the public key hash to validate the token

root@k8master:~# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
The output would be something like this:
"XXXXXXXXXXXb9ff2aa46bXXXX3419e8b5086XXXXXXXXXXXXXXXXXXXX"
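
The two values discussed in this thread, as an added Go example (not code from kubeadm or from any commenter): splitting a bootstrap token into its ID and secret, and computing the `sha256:` CA public key hash that the openssl pipeline above produces. The names `SplitToken`, `CAPin` and `ConstructedCA` are hypothetical, and the certificate is a throwaway generated at run time rather than a real cluster CA.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Bootstrap token shape: 6-char ID (safe to log), ".", 16-char secret (never log it).
var tokenRE = regexp.MustCompile(`^([a-z0-9]{6})\.([a-z0-9]{16})$`)
func SplitToken(tok string) (id, secret string, err error) {
	if m := tokenRE.FindStringSubmatch(tok); m != nil {
		return m[1], m[2], nil
	}
	return "", "", fmt.Errorf("token does not match [a-z0-9]{6}.[a-z0-9]{16}")
}

// CAPin returns "sha256:<hex>" over the certificate's DER SubjectPublicKeyInfo.
func CAPin(caPEM []byte) (string, error) {
	block, _ := pem.Decode(caPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("sha256:%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo)), nil
}

// ConstructedCA builds a throwaway self-signed cert (constructed sample input only).
func ConstructedCA() ([]byte, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // error ignored: sample-only helper
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

func main() {
	ca, _ := ConstructedCA()
	fmt.Println(CAPin(ca))
}
```

To hash a real CA, pass the contents of `/etc/kubernetes/pki/ca.crt` to `CAPin` instead of the constructed certificate.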
