Bootstrap tokens are used for establishing bidirectional trust between a node joining the cluster and a master node, as described in authenticating with bootstrap tokens.
kubeadm init
creates an initial token with a 24-hour TTL. The following commands allow you to manage
such a token and also to create and manage new ones.
Create bootstrap tokens on the server.
This command will create a bootstrap token for you. You can specify the usages for this token, the “time to live” and an optional human friendly description.
The [token] is the actual token to write. This should be a securely generated random token of the form “[a-z0-9]{6}.[a-z0-9]{16}“. If no [token] is given, kubeadm will generate a random token instead.
kubeadm token create [token]
--config string | |
Path to kubeadm config file (WARNING: Usage of a configuration file is experimental) | |
--description string | |
A human friendly description of how this token is used. | |
--groups stringSlice Default: [system:bootstrappers:kubeadm:default-node-token] | |
Extra groups that this token will authenticate as when used for authentication. Must match "\\Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\\z" | |
-h, --help | |
help for create | |
--print-join-command | |
Instead of printing only the token, print the full 'kubeadm join' flag needed to join the cluster using the token. | |
--ttl duration Default: 24h0m0s | |
The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire | |
--usages stringSlice Default: [signing,authentication] | |
Describes the ways in which this token can be used. You can pass --usages multiple times or provide a comma separated list of options. Valid options: [signing,authentication] |
--dry-run | |
Whether to enable dry-run mode or not | |
--kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The KubeConfig file to use when talking to the cluster. If the flag is not set a set of standard locations are searched for an existing KubeConfig file |
Delete bootstrap tokens on the server.
This command will delete a given bootstrap token for you.
The [token-value] is the full Token of the form “[a-z0-9]{6}.[a-z0-9]{16}” or the Token ID of the form “[a-z0-9]{6}” to delete.
kubeadm token delete [token-value]
-h, --help | |
help for delete |
--dry-run | |
Whether to enable dry-run mode or not | |
--kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The KubeConfig file to use when talking to the cluster. If the flag is not set a set of standard locations are searched for an existing KubeConfig file |
Generate and print a bootstrap token, but do not create it on the server.
This command will print out a randomly-generated bootstrap token that can be used with the “init” and “join” commands.
You don’t have to use this command in order to generate a token. You can do so yourself as long as it is in the format “[a-z0-9]{6}.[a-z0-9]{16}“. This command is provided for convenience to generate tokens in the given format.
You can also use “kubeadm init” without specifying a token and it will generate and print one for you.
kubeadm token generate [flags]
-h, --help | |
help for generate |
--dry-run | |
Whether to enable dry-run mode or not | |
--kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The KubeConfig file to use when talking to the cluster. If the flag is not set a set of standard locations are searched for an existing KubeConfig file |
List bootstrap tokens on the server.
This command will list all bootstrap tokens for you.
kubeadm token list [flags]
-h, --help | |
help for list |
--dry-run | |
Whether to enable dry-run mode or not | |
--kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The KubeConfig file to use when talking to the cluster. If the flag is not set a set of standard locations are searched for an existing KubeConfig file |