Manage bootstrap tokens
Synopsis
This command manages bootstrap tokens. It is optional and needed only for advanced use cases.
In short, bootstrap tokens are used for establishing bidirectional trust between a client and a server.
A bootstrap token with the "signing" usage can be used when a client (for example, a node that is about
to join the cluster) needs to trust the server it is talking to.
Bootstrap tokens can also provide short-lived authentication to the API Server
(the token serves as a way for the API Server to trust the client), for example for doing the TLS Bootstrap.
What is a bootstrap token more exactly?
- It is a Secret in the kube-system namespace of type "bootstrap.kubernetes.io/token".
- A bootstrap token must be of the form "[a-z0-9]{6}.[a-z0-9]{16}". The former part is the public Token ID,
while the latter is the Token Secret, which must be kept private under all circumstances!
- The Secret must be named "bootstrap-token-(token-id)".
You can read more about bootstrap tokens here:
https://kubernetes.io/docs/admin/bootstrap-tokens/
kubeadm token [flags]
Options
--dry-run
    Whether to enable dry-run mode or not
-h, --help
    help for token
--kubeconfig string     Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
Options inherited from parent commands
--rootfs string
    The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path.
1 - Create bootstrap tokens on the server
Synopsis
This command will create a bootstrap token for you.
You can specify the usages for this token, the "time to live" and an optional human friendly description.
The [token] is the actual token to write.
This should be a securely generated random token of the form "[a-z0-9]{6}.[a-z0-9]{16}".
If no [token] is given, kubeadm will generate a random token instead.
kubeadm token create [token]
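The token form, the Secret naming rule and the --groups pattern described on this page, as an added shell example that is not part of kubeadm. The function names are illustrative, and /dev/urandom is assumed as the random source.

```bash
#!/bin/sh
# Added example (not kubeadm code): generate and check bootstrap tokens locally.
# All function names are illustrative.
LC_ALL=C; export LC_ALL   # make [a-z0-9] mean ASCII only

# n characters from [a-z0-9], drawn from the kernel CSPRNG; bytes outside the
# set are discarded, so every character is equally likely.
rand_chars() {
  tr -dc 'a-z0-9' < /dev/urandom | head -c "$1"
}

# Token of the form "[a-z0-9]{6}.[a-z0-9]{16}": public ID, dot, private secret.
gen_bootstrap_token() {
  printf '%s.%s\n' "$(rand_chars 6)" "$(rand_chars 16)"
}

# Succeeds only if $1 is exactly "[a-z0-9]{6}.[a-z0-9]{16}".
is_valid_token() {
  _id=${1%%.*} _secret=${1#*.}
  [ "${#1}" -eq 23 ] && [ "${#_id}" -eq 6 ] && [ "${#_secret}" -eq 16 ] || return 1
  case "$_id$_secret" in *[!a-z0-9]*) return 1 ;; esac
}

# Name of the kube-system Secret that backs a token; only the public ID appears.
secret_name() {
  is_valid_token "$1" || return 1
  printf 'bootstrap-token-%s\n' "${1%%.*}"
}

# Mirrors the --groups rule: \Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\z
is_valid_group() {
  case "$1" in system:bootstrappers:*) ;; *) return 1 ;; esac
  _rest=${1#system:bootstrappers:}
  case "$_rest" in
    *[!a-z0-9:-]*) return 1 ;;
    *[a-z0-9]) [ "${#_rest}" -le 256 ] ;;
    *) return 1 ;;
  esac
}

# Usage with flags from this page (a short TTL rather than the non-expiring '0'):
#   kubeadm token create "$(gen_bootstrap_token)" --ttl 2h --usages signing,authentication
```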
Options
--certificate-key string
    When used together with '--print-join-command', print the full 'kubeadm join' flag needed to join the cluster as a control-plane. To create a new certificate key you must use 'kubeadm init phase upload-certs --upload-certs'.
--config string
    Path to a kubeadm configuration file.
--description string
    A human friendly description of how this token is used.
--groups strings     Default: "system:bootstrappers:kubeadm:default-node-token"
    Extra groups that this token will authenticate as when used for authentication. Must match "\Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\z"
-h, --help
    help for create
--print-join-command
    Instead of printing only the token, print the full 'kubeadm join' flag needed to join the cluster using the token.
--ttl duration     Default: 24h0m0s
    The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire
--usages strings     Default: "signing,authentication"
    Describes the ways in which this token can be used. You can pass --usages multiple times or provide a comma separated list of options. Valid options: [signing,authentication]
Options inherited from parent commands
--dry-run
    Whether to enable dry-run mode or not
--kubeconfig string     Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
--rootfs string
    The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path.
2 - Delete bootstrap tokens on the server
Synopsis
This command will delete a list of bootstrap tokens for you.
The [token-value] is the full Token of the form "[a-z0-9]{6}.[a-z0-9]{16}" or the
Token ID of the form "[a-z0-9]{6}" to delete.
kubeadm token delete [token-value] ...
Options
-h, --help
    help for delete
Options inherited from parent commands
--dry-run
    Whether to enable dry-run mode or not
--kubeconfig string     Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
--rootfs string
    The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path.
3 - Generate and print a bootstrap token, but do not create it on the server
Synopsis
This command will print out a randomly-generated bootstrap token that can be used with
the "init" and "join" commands.
You don't have to use this command in order to generate a token. You can do so
yourself as long as it is in the format "[a-z0-9]{6}.[a-z0-9]{16}". This
command is provided for convenience to generate tokens in the given format.
You can also use "kubeadm init" without specifying a token and it will
generate and print one for you.
kubeadm token generate [flags]
Options
-h, --help
    help for generate
Options inherited from parent commands
--dry-run
    Whether to enable dry-run mode or not
--kubeconfig string     Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
--rootfs string
    The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path.
4 - List bootstrap tokens on the server
Synopsis
This command will list all bootstrap tokens for you.
kubeadm token list [flags]
Options
--allow-missing-template-keys     Default: true
    If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
-h, --help
    help for list
-o, --output string     Default: "text"
    Output format. One of: text|json|yaml|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.
--show-managed-fields
    If true, keep the managedFields when printing objects in JSON or YAML format.
Options inherited from parent commands
--dry-run
    Whether to enable dry-run mode or not
--kubeconfig string     Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
--rootfs string
    The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path.