Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
c
colossal-action-96650
12/27/2022, 3:44 PMHello,
Background: 13 node bare-metal Raspberry Pi 4 based cluster, 1 master, 12 workers. Running K3s v1.24.8+k3s1 for compatibility with Rancher management UI. I’m doing this to learn Kubernetes.
I’m trying to add 2 more master nodes. After working through various goofs of my own (failed to match K3s version and launching with the same flags as the original master), I believe I got all of that straightened out. The respective .service files indicate as such, anyway.
However, when I attempt to add these 2 nodes as master, I get the following error in the logs:
2477 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, [invalid bearer token, square/go-jose: error in cryptographic primitive]]"kubectl get nodesc
creamy-pencil-82913
12/27/2022, 8:11 PMThat suggests that the other nodes have invalid certs, probably not shared with the first one. Are you using embedded etcd, or an external DB?
I suspect you may have started them up as standalone servers at some point, and they are running pods with secrets from that configuration, instead of from the desired cluster
I would (one at a time) run the uninstall script, delete them from the cluster, then reinstall and rejoin.
c
colossal-action-96650
12/27/2022, 8:37 PMthanks for the reply!
i am [attempting] to run embedded etcd
i have uninstalled using the script and reinstalled numerous times to no avail. i have also verified the absence of
/var/lib/rancher/k3scurl -sfL <https://get.k3s.io> | INSTALL_K3S_VERSION=v1.24.8+k3s1 INSTALL_K3S_EXEC="--disable traefik --disable servicelb --kube-controller-manager-arg bind-address=0.0.0.0 --kube-proxy-arg metrics-bind-address=0.0.0.0 --kube-scheduler-arg bind-address=0.0.0.0 --etcd-expose-metrics true --kubelet-arg containerd=/run/k3s/containerd/containerd.sock" K3S_TOKEN=[token] sh -s - server --server <https://10.3.14.2:6443>server--serverc
creamy-pencil-82913
12/27/2022, 8:52 PMsomething running somewhere in the cluster has a serviceaccount token that was signed by a different key. That’s all I can tell from that error. The most common cause of that is one of the control-plane nodes having a serviceaccount issuer key that is out of sync with the others.
c
colossal-action-96650
12/27/2022, 9:05 PMright now there is just the one etcd/controlplane node. in my Googlings, about the only suggestion I found was to delete all service accounts and restart K3s, which I did, but again, no luck. If my install command has a flaw, that could explain why that didn't work. Is the command above good or should I remove one of the
serverc
creamy-pencil-82913
12/28/2022, 12:46 AMthere are not two server flags. You have
serverk3s server--server=<https://x:6443>c
colossal-action-96650
12/28/2022, 3:25 PMok, so the command is good? any advice how to proceed? again, I'm fairly new and trying to learn. Would rotating the certificates work maybe?