kubeadm token

Bootstrap tokens are used for establishing bidirectional trust between a node joining the cluster and a control-plane node, as described in authenticating with bootstrap tokens.

kubeadm init creates an initial token with a 24-hour TTL. The following commands allow you to manage such a token and also to create and manage new ones.

kubeadm token create

Create bootstrap tokens on the server

Synopsis

This command will create a bootstrap token for you. You can specify the usages for this token, the “time to live” and an optional human friendly description.

The [token] is the actual token to write. This should be a securely generated random token of the form “[a-z0-9]{6}.[a-z0-9]{16}”. If no [token] is given, kubeadm will generate a random token instead.

  kubeadm token create [token]

Options

--certificate-key string

When used together with ‘--print-join-command’, print the full ‘kubeadm join’ flag needed to join the cluster as a control-plane. To create a new certificate key you must use ‘kubeadm init phase upload-certs --upload-certs’.

--config string

Path to a kubeadm configuration file.

--description string

A human friendly description of how this token is used.

--groups strings     Default: “system:bootstrappers:kubeadm:default-node-token”

Extra groups that this token will authenticate as when used for authentication. Must match “\Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\z”

-h, --help

help for create

--print-join-command

Instead of printing only the token, print the full ‘kubeadm join’ flag needed to join the cluster using the token.

--ttl duration     Default: 24h0m0s

The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to ‘0’, the token will never expire.

--usages strings     Default: “signing,authentication”

Describes the ways in which this token can be used. You can pass --usages multiple times or provide a comma separated list of options. Valid options: [signing,authentication]

Options inherited from parent commands

--dry-run

Whether to enable dry-run mode or not

--kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

--rootfs string

The path to the ‘real’ host root filesystem. This will cause kubeadm to chroot into the provided path.

kubeadm token delete

Delete bootstrap tokens on the server

Synopsis

This command will delete a list of bootstrap tokens for you.

The [token-value] is the full Token of the form “[a-z0-9]{6}.[a-z0-9]{16}” or the Token ID of the form “[a-z0-9]{6}” to delete.

  kubeadm token delete [token-value] ...

Options

-h, --help

help for delete

Options inherited from parent commands

--dry-run

Whether to enable dry-run mode or not

--kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

--rootfs string

The path to the ‘real’ host root filesystem. This will cause kubeadm to chroot into the provided path.

kubeadm token generate

Generate and print a bootstrap token, but do not create it on the server

Synopsis

This command will print out a randomly-generated bootstrap token that can be used with the “init” and “join” commands.

You don’t have to use this command in order to generate a token. You can do so yourself as long as it is in the format “[a-z0-9]{6}.[a-z0-9]{16}”. This command is provided for convenience to generate tokens in the given format.

You can also use “kubeadm init” without specifying a token and it will generate and print one for you.

  kubeadm token generate [flags]

Options

-h, --help

help for generate

Options inherited from parent commands

--dry-run

Whether to enable dry-run mode or not

--kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

--rootfs string

The path to the ‘real’ host root filesystem. This will cause kubeadm to chroot into the provided path.
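The token format quoted under kubeadm token create and kubeadm token generate, and the --groups pattern, can be checked before a value is ever handed to kubeadm. The following is an added example, not kubeadm's own code: the function names are hypothetical, and the token pattern is written here with anchors and an escaped dot so that only a literal "." separates the two parts.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"regexp"
)

// Patterns quoted on this page as anchored Go regular expressions. The "."
// between token ID and secret is escaped so that only a literal dot matches.
var (
	tokenRE = regexp.MustCompile(`\A([a-z0-9]{6})\.([a-z0-9]{16})\z`)
	groupRE = regexp.MustCompile(`\Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\z`)
)

const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"

// NewToken draws 22 characters uniformly from alphabet using the OS CSPRNG
// and returns them as <6-char ID>.<16-char secret>.
func NewToken() (string, error) {
	out := make([]byte, 22)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit) // uniform, no modulo bias
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out[:6]) + "." + string(out[6:]), nil
}

// SplitToken validates tok and returns its ID and secret parts.
func SplitToken(tok string) (id, secret string, ok bool) {
	if m := tokenRE.FindStringSubmatch(tok); m != nil {
		return m[1], m[2], true
	}
	return "", "", false
}

// ValidGroup reports whether g is acceptable as a --groups value.
func ValidGroup(g string) bool { return groupRE.MatchString(g) }

func main() {
	tok, err := NewToken()
	id, _, ok := SplitToken(tok)
	fmt.Println("generated token ID:", id, "valid:", ok, "err:", err) // never log the secret part
}
```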

kubeadm token list

List bootstrap tokens on the server

Synopsis

This command will list all bootstrap tokens for you.

  kubeadm token list [flags]

Options

--allow-missing-template-keys     Default: true

If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.

-h, --help

help for list

-o, --output string     Default: “text”

Output format. One of: text|json|yaml|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.

--show-managed-fields

If true, keep the managedFields when printing objects in JSON or YAML format.

Options inherited from parent commands

--dry-run

Whether to enable dry-run mode or not

--kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

--rootfs string

The path to the ‘real’ host root filesystem. This will cause kubeadm to chroot into the provided path.
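Because a token created with a TTL of ‘0’ never expires, the JSON output of kubeadm token list is worth auditing for tokens without an expiry or with a long remaining lifetime. The following is an added example, not kubeadm's own code: it assumes the JSON output is one object per token with "token" and "expires" fields (the latter absent for non-expiring tokens), and the Audit function and sample input are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
	"time"
)

// listedToken holds the fields this audit reads. The JSON field names are an
// assumption about kubeadm's output; confirm them against your version.
type listedToken struct {
	Token   string     `json:"token"`
	Expires *time.Time `json:"expires"`
}

// sample is constructed input, not captured from a real cluster.
const sample = `{"token":"aaaaaa.0000000000000000","usages":["signing","authentication"]}
{"token":"bbbbbb.1111111111111111","expires":"2030-01-02T00:00:00Z"}
{"token":"cccccc.2222222222222222","expires":"2030-01-08T00:00:00Z"}`

// Audit reads concatenated JSON token objects and reports, by token ID only,
// tokens that never expire or whose remaining lifetime exceeds maxTTL.
func Audit(r io.Reader, now time.Time, maxTTL time.Duration) ([]string, error) {
	var findings []string
	for dec := json.NewDecoder(r); ; {
		var t listedToken
		if err := dec.Decode(&t); err == io.EOF {
			return findings, nil
		} else if err != nil {
			return nil, err
		}
		id, _, _ := strings.Cut(t.Token, ".") // keep the secret out of reports
		switch {
		case t.Expires == nil:
			findings = append(findings, id+": never expires")
		case t.Expires.Sub(now) > maxTTL:
			left := t.Expires.Sub(now).Round(time.Minute)
			findings = append(findings, fmt.Sprintf("%s: %s left, limit %s", id, left, maxTTL))
		}
	}
}

func main() {
	now := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC) // fixed clock for the sample
	fmt.Println(Audit(strings.NewReader(sample), now, 24*time.Hour))
}
```

To audit a live cluster, replace the sample reader with os.Stdin, pass time.Now(), and pipe in the output of kubeadm token list -o json.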

What’s next

  • kubeadm join to bootstrap a Kubernetes worker node and join it to the cluster