Page last modified on November 15, 2018 at 2:05 PM PST by Initial commit (Page history)
Bootstrap tokens are used for establishing bidirectional trust between a node joining the cluster and a master node, as described in authenticating with bootstrap tokens.
kubeadm init creates an initial token with a 24-hour TTL. The following commands allow you to manage
such a token and also to create and manage new ones.
Create bootstrap tokens on the server.
This command will create a bootstrap token for you. You can specify the usages for this token, the “time to live” and an optional human friendly description.
The [token] is the actual token to write. This should be a securely generated random token of the form “[a-z0-9]{6}.[a-z0-9]{16}“. If no [token] is given, kubeadm will generate a random token instead.
kubeadm token create [token]
| --config string | |
| Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) | |
| --description string | |
| A human friendly description of how this token is used. | |
| --groups stringSlice Default: [system:bootstrappers:kubeadm:default-node-token] | |
| Extra groups that this token will authenticate as when used for authentication. Must match "\\Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\\z" | |
| -h, --help | |
| help for create | |
| --print-join-command | |
| Instead of printing only the token, print the full 'kubeadm join' flag needed to join the cluster using the token. | |
| --ttl duration Default: 24h0m0s | |
| The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire | |
| --usages stringSlice Default: [signing,authentication] | |
| Describes the ways in which this token can be used. You can pass --usages multiple times or provide a comma separated list of options. Valid options: [signing,authentication] | |
| --dry-run | |
| Whether to enable dry-run mode or not | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
| The KubeConfig file to use when talking to the cluster. If the flag is not set a set of standard locations are searched for an existing KubeConfig file | |
Delete bootstrap tokens on the server.
This command will delete a given bootstrap token for you.
The [token-value] is the full Token of the form “[a-z0-9]{6}.[a-z0-9]{16}” or the Token ID of the form “[a-z0-9]{6}” to delete.
kubeadm token delete [token-value]
| -h, --help | |
| help for delete | |
| --dry-run | |
| Whether to enable dry-run mode or not | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
| The KubeConfig file to use when talking to the cluster. If the flag is not set a set of standard locations are searched for an existing KubeConfig file | |
Generate and print a bootstrap token, but do not create it on the server.
This command will print out a randomly-generated bootstrap token that can be used with the “init” and “join” commands.
You don’t have to use this command in order to generate a token. You can do so yourself as long as it is in the format “[a-z0-9]{6}.[a-z0-9]{16}“. This command is provided for convenience to generate tokens in the given format.
You can also use “kubeadm init” without specifying a token and it will generate and print one for you.
kubeadm token generate [flags]
| -h, --help | |
| help for generate | |
| --dry-run | |
| Whether to enable dry-run mode or not | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
| The KubeConfig file to use when talking to the cluster. If the flag is not set a set of standard locations are searched for an existing KubeConfig file | |
List bootstrap tokens on the server.
This command will list all bootstrap tokens for you.
kubeadm token list [flags]
| -h, --help | |
| help for list | |
| --dry-run | |
| Whether to enable dry-run mode or not | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
| The KubeConfig file to use when talking to the cluster. If the flag is not set a set of standard locations are searched for an existing KubeConfig file | |