Environment

A standalone or Rancher-provisioned K3s or RKE2 cluster

Answer

The token format, including the difference between the secure (long) and short formats, is detailed in the K3s and RKE2 documentation.

In summary, the secure format is preferred, as it enables the client to authenticate the identity of the cluster it is joining before sending credentials.

Note: Unless custom CA certificates are in use, the secure token can only be determined after the first server node has been started. This is because the cluster CA hash cannot be known until after the server has generated the self-signed cluster CA certificates.

The token format has an impact on managing CA rotation. If nodes are joined using the secure token, they are tied to the specific CA hash. This means that a CA rotation requires reconfiguration of those nodes, to update the token. If nodes are joined using the short token format, the nodes will not be tied to the CA hash. This would remove the need to update the token on nodes during a CA rotation; however, it is less secure, as noted above.
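As an added example (not code from the K3s or RKE2 projects or from this article), the following Python sketch classifies node tokens and reports which nodes a CA rotation would force you to reconfigure. It assumes the secure-token layout given in the K3s documentation, `K10<CA hash>::<credentials>`, and a self-signed cluster CA whose hash is the SHA-256 of the PEM file as stored on disk. The node names, credentials and CA bytes are constructed placeholders.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional

PREFIX = "K10"  # assumption: fixed secure-token prefix, taken from the K3s docs
HEX = set("0123456789abcdef")

class Token(NamedTuple):
    secure: bool
    ca_hash: Optional[str]   # None for a short token
    credentials: str         # never log this field

def ca_hash(ca_pem: bytes) -> str:
    """Hash of a self-signed cluster CA: SHA-256 over the PEM bytes as stored on disk."""
    return hashlib.sha256(ca_pem).hexdigest()

def parse_token(raw: str) -> Token:
    raw = raw.strip()
    if raw.startswith(PREFIX) and "::" in raw:
        digest, creds = raw[len(PREFIX):].split("::", 1)
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError("secure token with malformed CA hash")
        return Token(True, digest, creds)
    return Token(False, None, raw)  # short format: credentials only, no CA pin

def needs_update(raw: str, new_ca_pem: bytes) -> bool:
    """True when a node's token pins a CA hash that differs from the new CA."""
    tok = parse_token(raw)
    if not tok.secure:
        return False  # not tied to the CA hash, so rotation does not invalidate it
    return not hmac.compare_digest(tok.ca_hash, ca_hash(new_ca_pem))

def audit(node_tokens: dict, new_ca_pem: bytes) -> dict:
    """Split nodes into those to reconfigure and those joining without a CA pin."""
    out = {"reconfigure": [], "unpinned": []}
    for node, raw in sorted(node_tokens.items()):
        if not parse_token(raw).secure:
            out["unpinned"].append(node)
        elif needs_update(raw, new_ca_pem):
            out["reconfigure"].append(node)
    return out

# Constructed sample data: placeholder bytes standing in for CA files, made-up credentials.
OLD_CA = b"-----BEGIN CERTIFICATE-----\nconstructed-old-ca\n-----END CERTIFICATE-----\n"
NEW_CA = b"-----BEGIN CERTIFICATE-----\nconstructed-new-ca\n-----END CERTIFICATE-----\n"
NODES = {
    "agent-1": f"{PREFIX}{ca_hash(OLD_CA)}::node:example-password",
    "agent-2": "example-password",
}
```

Calling `audit(NODES, NEW_CA)` lists `agent-1` under `reconfigure` and `agent-2` under `unpinned`; the second list is the set of nodes that send credentials without first verifying the cluster CA.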