Manage bootstrap tokens

Synopsis

This command manages bootstrap tokens. It is optional and needed only for advanced use cases.

In short, bootstrap tokens are used for establishing bidirectional trust between a client and a server. When a client (for example, a node that is about to join the cluster) needs to trust the server it is talking to, a bootstrap token with the "signing" usage can be used. Bootstrap tokens can also provide short-lived authentication to the API Server (the token serves as a way for the API Server to trust the client), for example for doing the TLS Bootstrap.

What is a bootstrap token more exactly?

  • It is a Secret in the kube-system namespace of type "bootstrap.kubernetes.io/token".
  • A bootstrap token must be of the form "[a-z0-9]{6}.[a-z0-9]{16}". The former part is the public token ID, while the latter is the token secret, which must be kept private under all circumstances!
  • The Secret must be named "bootstrap-token-(token-id)".

You can read more about bootstrap tokens here: https://kubernetes.io/docs/admin/bootstrap-tokens/

kubeadm token [flags]

Options

--dry-run

Whether to enable dry-run mode or not

-h, --help

help for token

--kubeconfig string     Default: "/etc/kubernetes/admin.conf"

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

Options inherited from parent commands

--rootfs string

The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path.

1 -

Create bootstrap tokens on the server

Synopsis

This command will create a bootstrap token for you. You can specify the usages for this token, the "time to live" and an optional human friendly description.

The [token] is the actual token to write. This should be a securely generated random token of the form "[a-z0-9]{6}.[a-z0-9]{16}". If no [token] is given, kubeadm will generate a random token instead.

kubeadm token create [token]

Options

--certificate-key string

When used together with '--print-join-command', print the full 'kubeadm join' flag needed to join the cluster as a control-plane. To create a new certificate key you must use 'kubeadm init phase upload-certs --upload-certs'.

--config string

Path to a kubeadm configuration file.

--description string

A human friendly description of how this token is used.

--groups strings     Default: "system:bootstrappers:kubeadm:default-node-token"

Extra groups that this token will authenticate as when used for authentication. Must match "\Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\z"

-h, --help

help for create

--print-join-command

Instead of printing only the token, print the full 'kubeadm join' flag needed to join the cluster using the token.

--ttl duration     Default: 24h0m0s

The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire.

--usages strings     Default: "signing,authentication"

Describes the ways in which this token can be used. You can pass --usages multiple times or provide a comma separated list of options. Valid options: [signing,authentication]

Options inherited from parent commands

--dry-run

Whether to enable dry-run mode or not

--kubeconfig string     Default: "/etc/kubernetes/admin.conf"

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

--rootfs string

The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path.

2 -

Delete bootstrap tokens on the server

Synopsis

This command will delete a list of bootstrap tokens for you.

The [token-value] is the full Token of the form "[a-z0-9]{6}.[a-z0-9]{16}" or the Token ID of the form "[a-z0-9]{6}" to delete.

kubeadm token delete [token-value] ...

Options

-h, --help

help for delete

Options inherited from parent commands

--dry-run

Whether to enable dry-run mode or not

--kubeconfig string     Default: "/etc/kubernetes/admin.conf"

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

--rootfs string

The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path.

3 -

Generate and print a bootstrap token, but do not create it on the server

Synopsis

This command will print out a randomly-generated bootstrap token that can be used with the "init" and "join" commands.

You don't have to use this command in order to generate a token. You can do so yourself as long as it is in the format "[a-z0-9]{6}.[a-z0-9]{16}". This command is provided for convenience to generate tokens in the given format.

You can also use "kubeadm init" without specifying a token and it will generate and print one for you.

kubeadm token generate [flags]
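
The rules stated here and in the earlier sections (the token pattern, the Secret name derived from the token ID, the --groups pattern, and a --ttl of '0' never expiring) can be checked before a self-generated token is handed to kubeadm. The following is an added shell example, not part of kubeadm or of this reference; the function names are hypothetical, the dot is assumed to be a literal separator, and refusing a zero TTL is a policy chosen for the example.

```shell
#!/bin/sh
# Added example, not kubeadm code; all function names are hypothetical.
LC_ALL=C; export LC_ALL          # make [a-z0-9] mean ASCII only
NL='
'

# tr drops every byte outside the 36-character alphabet, so the characters
# that remain are uniformly distributed output of the kernel CSPRNG.
rand_chars() { tr -dc 'a-z0-9' </dev/urandom | head -c "$1"; }
gen_bootstrap_token() { printf '%s.%s\n' "$(rand_chars 6)" "$(rand_chars 16)"; }

# Accept only "[a-z0-9]{6}.[a-z0-9]{16}", treating the dot as a literal
# separator. The length test rejects multi-line input that line-based grep
# would otherwise pass.
valid_token() {
    [ "${#1}" -eq 23 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# The --groups pattern quoted on this page, with \A and \z written as ^ and $.
valid_group() {
    case $1 in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^system:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]$'
}

# Example policy (an assumption): refuse a --ttl with no non-zero digit,
# because '0' creates a token that never expires.
ttl_expires() {
    case $(printf '%s' "$1" | tr -dc '1-9') in '') return 1 ;; esac
}

# Only the ID half is public; it also names the Secret in kube-system.
token_id() { printf '%s\n' "${1%%.*}"; }
secret_name() { printf 'bootstrap-token-%s\n' "$(token_id "$1")"; }

# Demo: generate, validate, and print only the non-secret parts.
token=$(gen_bootstrap_token)
if valid_token "$token" && ttl_expires 2h; then
    echo "ok: Secret would be kube-system/$(secret_name "$token")"
fi
```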

Options

-h, --help

help for generate

Options inherited from parent commands

--dry-run

Whether to enable dry-run mode or not

--kubeconfig string     Default: "/etc/kubernetes/admin.conf"

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

--rootfs string

The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path.

4 -

List bootstrap tokens on the server

Synopsis

This command will list all bootstrap tokens for you.

kubeadm token list [flags]

Options

--allow-missing-template-keys     Default: true

If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.

-h, --help

help for list

-o, --output string     Default: "text"

Output format. One of: text|json|yaml|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.

--show-managed-fields

If true, keep the managedFields when printing objects in JSON or YAML format.

Options inherited from parent commands

--dry-run

Whether to enable dry-run mode or not

--kubeconfig string     Default: "/etc/kubernetes/admin.conf"

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

--rootfs string

The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path.