Unable to add Node - Lab 3.2
kubeadm join --token 5e0890.01221d0246c8ea8e 10.128.0.4:6443 --discovery-token-ca-cert-hash \
sha256:e3b0c44298fc1c149.......e4649b934ca495991b7852b855
The above command is returning the following error:
[discovery] Trying to connect to API Server "10.128.0.4:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://10.128.0.4:6443"
[discovery] Failed to connect to API Server "10.128.0.4:6443": cluster CA found in cluster-info configmap is invalid: public key sha256:9b263f52d90b62458a6a6c6.......02ddc34bf26e1ac not pinned
I couldn't find any information about how to resolve this error.
I'm using GCE VM Instances.
Comments
-
Hi,
I notice you are providing one public key in your kubeadm join command: e3b0c4429... and there is a different key in the error output: 9b263f52d90b...
The key in the error output is the expected key you should have in the kubeadm join command. Try to join with the 9b263f52d90b... key. Basically if you provide the wrong key in the kubeadm join, the error spits out the expected key to join the cluster, which is not something very secure if you ask me...
I just reproduced the error by providing a different key than the one expected...
Good luck!
-Chris
0 -
Node1a - Master:
oracle@k8-node1a:~$ sudo kubeadm token create
5ed1ee.fc9580d58d001c0e
oracle@k8-node1a:~$ sudo kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
5ed1ee.fc9580d58d001c0e 23h 2018-03-21T00:51:28Z authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
oracle@k8-node1a:~$ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der> /dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
writing RSA key
oracle@k8-node1a:~$
Node2a:
root@k8-node2a:~# kubeadm join --token 5ed1ee.fc9580d58d001c0e 10.128.0.4:6443 --discovery-token-ca-cert-hash \
> sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
[preflight] Running pre-flight checks.
[WARNING FileExisting-crictl]: crictl not found in system path
[discovery] Trying to connect to API Server "10.128.0.4:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://10.128.0.4:6443"
[discovery] Failed to connect to API Server "10.128.0.4:6443": cluster CA found in cluster-info configmap is invalid: public key sha256:9b263f52d90b62458a6a6c6d5d415e9110fc6dcb9bf8392f102ddc34bf26e1ac not pinned
[discovery] Trying to connect to API Server "10.128.0.4:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://10.128.0.4:6443"
[discovery] Failed to connect to API Server "10.128.0.4:6443": cluster CA found in cluster-info configmap is invalid: public key sha256:9b263f52d90b62458a6a6c6d5d415e9110fc6dcb9bf8392f102ddc34bf26e1ac not pinned
root@k8-node2a:~#
root@k8-node2a:~# kubeadm join --token 5ed1ee.fc9580d58d001c0e 10.128.0.4:6443 --discovery-token-ca-cert-hash \
> sha256:9b263f52d90b62458a6a6c6d5d415e9110fc6dcb9bf8392f102ddc34bf26e1ac
[preflight] Running pre-flight checks.
[WARNING FileExisting-crictl]: crictl not found in system path
[discovery] Trying to connect to API Server "10.128.0.4:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://10.128.0.4:6443"
[discovery] Requesting info from "https://10.128.0.4:6443" again to validate TLS against the pinned public key
[discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "10.128.0.4:6443"
[discovery] Successfully established connection with API Server "10.128.0.4:6443"
This node has joined the cluster:
* Certificate signing request was sent to master and a response
was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the master to see this node join the cluster.
root@k8-node2a:~#
Hi Chris,
Thanks for your suggestion. I was able to use the key from the error output to join successfully.
I'm not sure why the openssl command from the Master Node is not returning the key that I should use for kubeadm join.
I've provided the output from Node1a and Node2a.
Regards,
Ram
0 -
Hi Ram,
There are a few characters missing from your 'openssl', my guess is due to copy/paste.
From https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-join/ and from the course/labs manual, the complete 'openssl' is the following:
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
Compare it with yours, try both and see what the difference is... I assume this one will generate the expected hash.
Good luck!
-Chris
1 -
Thanks Chris! Yes, it was missing "2" after der. I got the correct public key now!
oracle@k8-node1a:~$ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
9b263f52d90b62458a6a6c6d5d415e9110fc6dcb9bf8392f102ddc34bf26e1ac
oracle@k8-node1a:~$
0 -
I am glad it worked. With these long commands and lots of piping it is easy to miss a few characters when copy/pasting, and copying from the pdf lab manual is not always seamless either.
What helps me in these cases is pasting the content into a text editor, double-checking for accuracy, and only then copying from the editor and pasting into the terminal.
0 -
I had a similar issue, but mine was a different typo:
sudo openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | open rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
Notice the second command was 'open' instead of 'openssl'. Redirecting stderr hid that it was failing.
0
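Added example, not part of any post above and not from the course manual: the first hash posted in the thread (e3b0c442...b855) is the SHA-256 of zero bytes, which is what the digest stage prints whenever no key data reaches it. The sketch below reproduces the `der>` typo next to a checked version that refuses to return that value. The names `broken_hash` and `ca_pubkey_hash`, the throwaway CA, and the use of `openssl pkey` and `openssl dgst -r` in place of `openssl rsa` and `sed` are assumptions of this example.

```sh
#!/bin/sh
# SHA-256 of zero bytes: what `openssl dgst -sha256` prints when no key
# data reaches it. It is the first hash posted in the thread.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# The thread's typo: `der>` sends the DER key to /dev/null, so the digest
# stage hashes empty input and the pipeline still exits 0.
broken_hash() {
  openssl x509 -pubkey -in "$1" | openssl rsa -pubin -outform der> /dev/null \
    | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# Hypothetical helper: print the pin for the CA certificate in $1 or fail.
# The body is a subshell so the temp dir and trap stay local to the call.
ca_pubkey_hash() (
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT
  # Each stage writes a file and is checked on its own; stderr is never
  # discarded, so a mistyped command name cannot fail silently.
  openssl x509 -pubkey -noout -in "$1" > "$tmp/pub.pem" || exit 1
  openssl pkey -pubin -in "$tmp/pub.pem" -outform der -out "$tmp/pub.der" || exit 1
  [ -s "$tmp/pub.der" ] || { echo "no key bytes produced" >&2; exit 1; }
  digest=$(openssl dgst -sha256 -r "$tmp/pub.der") || exit 1
  digest=${digest%% *}   # -r prints "<hex> *<file>"; keep only the hex
  [ "$digest" != "$EMPTY_SHA256" ] || { echo "hash of empty input" >&2; exit 1; }
  echo "sha256:$digest"
)

# Demo on a constructed throwaway CA, not a real /etc/kubernetes/pki/ca.crt.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed-lab-ca" \
  -days 1 -keyout "$demo/ca.key" -out "$demo/ca.crt"
echo "typo pipeline : $(broken_hash "$demo/ca.crt")"
echo "checked helper: $(ca_pubkey_hash "$demo/ca.crt")"
```

On the control-plane node, `ca_pubkey_hash /etc/kubernetes/pki/ca.crt` gives the value for `--discovery-token-ca-cert-hash`. Compute the pin there rather than copying it from a join error, because the error only reports the CA that the contacted endpoint served.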