Kubernetes: unable to join a remote master node

Hello, I am facing a kubeadm join problem on a remote server.

I want to create a multi-server, multi-node Kubernetes cluster. I created a Vagrantfile to create a master node and N workers. It works on a single server.

The master VM is a bridged VM, to make it accessible to the other available VMs on the network.

I chose Calico as a network provider.

For the master node, this is what I've done, using Ansible:

  1. Initialize Kubeadm.

  2. Installing a network provider.

  3. Create the join command.

For Worker node:

  1. I execute the join command to join the running master.

I successfully created the cluster on one single hardware server. I am trying to create regular worker nodes on another server on the same LAN; I can ping the master successfully.

I try to join the master node using the generated command:

kubeadm join 192.168.2.50:6443 --token ecqb8f.jffj0hzau45b4ro2 \
  --ignore-preflight-errors all \
  --discovery-token-ca-cert-hash sha256:94a0144fe419cfb0cb70b868cd43pbd7a7bf45432b3e586713b995b111bf134b

But it showed this error:

error execution phase preflight: couldn't validate the identity of the API Server: 
could not find a JWS signature in the cluster-info ConfigMap for token ID "ecqb8f"

I am asking if there is any specific network configuration to join the remote master node.

Mohamed Zouari asked Nov 30 '22 13:11


2 Answers

It seems the token is expired or removed. You can create a token manually by running:

kubeadm token create --print-join-command

Use the output as the join command.

hoque answered Feb 17 '23 15:02


If you see this output on a node while joining a k8s cluster:

error execution phase preflight: couldn't validate the identity of the API Server: could not find a JWS signature in the cluster-info ConfigMap for token ID "s1isfw"
To see the stack trace of this error execute with --v=5 or higher

Reason: This issue arises when the token is expired. The TTL for tokens is 23 hours by default from the time they are generated, either when kubeadm init is run or when they are generated separately.

In such a case, you can first check whether the token you're using to join the worker to the master can be retrieved with this command on the master:

kubeadm token list

Steps:

Case 1) If you see NO OUTPUT from the above command, then the best deal is to generate the token again from the master:

  1. On the master, execute: kubeadm token create --print-join-command

  2. Copy everything, restructure it if necessary, and execute it as a command on the worker node.

  3. Check the nodes from the master. This worker should now have joined the cluster.

Case 2) If you see an output with

TOKEN, TTL, EXPIRES, USAGES, DESCRIPTION, EXTRA GROUPS.

  1. Check the host entries and pinging among the nodes (master and workers); a firewall could also cause this. Use this token again on the workers.

OR go with case 1.

Just wanted to add one more thing:
DO NOT USE --ignore-preflight-errors all

as nodes (master to work) commands would show errors later. In my env, I do not use this.

Samarth answered Feb 17 '23 13:02
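
Added example, not part of the question or either answer: a pre-flight check that tells a malformed join command apart from a token whose signature is gone from the cluster-info ConfigMap, which is the condition the error message reports. It assumes the signature is stored under the key `jws-kubeconfig-<token-id>`; the helper names are hypothetical and the sample token, hash and ConfigMap are constructed.

```shell
#!/bin/sh
# Added example: pre-flight check for a kubeadm join command. Helper names are
# hypothetical; the token, hash and ConfigMap below are constructed samples.
SAMPLE_TOKEN="abcdef.0123456789abcdef"
SAMPLE_HASH="sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Constructed stand-in for: kubectl -n kube-public get configmap cluster-info -o yaml
sample_cluster_info() {
  cat <<'EOF'
apiVersion: v1
data:
  jws-kubeconfig-abcdef: CONSTRUCTED-HEADER..CONSTRUCTED-SIGNATURE
  kubeconfig: |
    apiVersion: v1
    kind: Config
kind: ConfigMap
metadata:
  name: cluster-info
  namespace: kube-public
EOF
}

# Print the token ID if the token has the shape <6 chars>.<16 chars> of [a-z0-9].
token_id() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$' || return 1
  printf '%s\n' "${1%%.*}"
}

# The CA pin must be "sha256:" followed by exactly 64 hex digits.
ca_hash_ok() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-fA-F]{64}$'
}

# Read a cluster-info dump on stdin; succeed if it carries a signature for the token ID.
has_jws() {
  grep -Eq "^[[:space:]]+jws-kubeconfig-$1:"
}

# check_join <token> <ca-hash>, cluster-info YAML on stdin.
# Returns 0 ok, 2 bad token, 3 bad hash, 4 no signature (expired or deleted token).
check_join() {
  _id=$(token_id "$1") || { echo "malformed token" >&2; return 2; }
  ca_hash_ok "$2" || { echo "malformed CA cert hash" >&2; return 3; }
  has_jws "$_id" || { echo "no JWS signature for token ID \"$_id\"" >&2; return 4; }
  echo "token ID \"$_id\" is signed in cluster-info"
}

sample_cluster_info | check_join "$SAMPLE_TOKEN" "$SAMPLE_HASH"
# The question's token is well-formed but absent from the sample, as with an expired token:
sample_cluster_info | check_join "ecqb8f.jffj0hzau45b4ro2" "$SAMPLE_HASH" || echo "exit code $?"
```

On a real control-plane node, pipe the output of `kubectl -n kube-public get configmap cluster-info -o yaml` into `check_join` instead of the sample.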