I setup a Kubernetes cluster last week and added two nodes.  Today I’m attempting to add 2 more nodes, but getting an error Failed to connect to API Server.

We’re running

CentOS 7.4
Kubernetes 1.9

These are the steps to reproduce the error.  Install a new cluster, then 1 week later attempt to add another node.  This is the join command:

$ kubeadm join --token 111111.22222222 10.8.236.201:6443 --discovery-token-ca-cert-hash sha256:xxxxxxxxxxxxxx

Then I get the error:

[preflight] Running pre-flight checks.
	[WARNING FileExisting-crictl]: crictl not found in system path
[discovery] Trying to connect to API Server "10.8.236.201:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://10.8.236.201:6443"
[discovery] Failed to connect to API Server "10.8.236.201:6443": there is no JWS signed token in the cluster-info ConfigMap. This token id "xxxx" is invalid for this cluster, can't connect

This error is the token is no longer valid.  When you originally created your master with kubadm init there was a token created, however that token was only valid for 24 hours. Me like everyone else forgets this message and you end up getting the same error message.

To correct the issue you need to generate a new token to allow joining, use

$ kubeadm token create 

This command returns a new token.

Now use that one and re-run your join command previously

$ kubeadm join --token NEWTOKEN 10.8.236.201:6443 --discovery-token-ca-cert-hash sha256:xxxxxxxxxxxxxx

You’re results should look something like this:

[preflight] Running pre-flight checks.
	[WARNING FileExisting-crictl]: crictl not found in system path
[discovery] Trying to connect to API Server "10.8.236.201:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://10.8.236.201:6443"
[discovery] Requesting info from "https://10.8.236.201:6443" again to validate TLS against the pinned public key
[discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "10.8.236.201:6443"
[discovery] Successfully established connection with API Server "10.8.236.201:6443"

This node has joined the cluster:
* Certificate signing request was sent to master and a response
  was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the master to see this node join the cluster.

Now you’re successfully joined another node into your cluster. You can run

kubectl get nodes

To see this new node is added to the cluster and becomes ready after a short amount of time.