Cluster-info ConfigMap does not yet contain a JWS signature

Asking for help? Comment out what you need so we can get more information to help you!

Cluster information:

Kubernetes version: 1.18.12
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: Ubuntu18.04
CNI and version: flannel 0.3.1
CRI and version: Docker 19.3.2

I’ve got an issue joining a master to my HA cluster. This server has been rebuilt due to some other failures and now isn’t joining the cluster

The cluster-info ConfigMap does not yet contain a JWS signature for token ID "b6s9ig", will try again

This is a newly created token and I can see it in the output of kubeadm token list

It seems that new tokens are not being written to the cluster-info configmap. What is the process how this happens? so I can debug further.

In my case I fixed this by deleting the configMap and recreating it

kubectl -n kube-public get cm cluster-info -o yaml > cluster-info.yaml
kubectl -n kube-public delete cm cluster-info
kubectl -n kube-public apply -f cluster-info.yaml

I could then see all the tokens I’ve created today and new tokens were also added

In my case, the problem was that I had configured Kyverno, but I hadn’t got any nodes running Kyverno, so it wasn’t able to validate the update to the ‘cluster-info’ Configmap because of a failing webhook.

I used kubectl get validatingwebhookconfiguration to find the webhooks, then deleted them. Then, kubectl join started to work as expected.


Maybe your problem, is from token timed out.

If you want to sure this problem exist you can run below command

kubeadm token list

If above command does not show anything, your problem is token is timed out.

for resolve your problem, you can do below

kubeadm token create

If you run kubeadm token list again you can see below result

TOKEN                     TTL         EXPIRES                USAGES                   DESCRIPTION                                                EXTRA GROUPS
70jkdh.gx9oiqd7jno56nou   23h         2021-10-25T19:52:59Z   authentication,signing   <none>                                                     system:bootstrappers:kubeadm:default-node-token

As you can see this token has TTL, so after 23h this token was expired.

So before the TTL has comes, you can join another node with result token of above command.

You can see my answer from stackoverflow