How to create Kubeadm token for joining nodes with 24H expiration?
Kubernetes is one of the most widely used container orchestration tools for deploying and managing containerized applications. kubeadm is a popular tool in the Kubernetes ecosystem that simplifies setting up a cluster. One of the key steps in creating a cluster with kubeadm is generating bootstrap tokens that allow worker nodes to join the cluster securely. In this article, we explore how to create a kubeadm token configured to expire after 24 hours.
What is a kubeadm Token?
A kubeadm token is a secure string used by kubeadm to establish trust between the control plane and worker nodes when they join the Kubernetes cluster. These tokens are temporary and can be customized in terms of their lifespan and usage.
Tokens are crucial for:
- Authenticating Worker Nodes: kubeadm tokens ensure that only trusted worker nodes can join the cluster.
- Configuring Security: Tokens are bound to certain restrictions, such as time-to-live (TTL), making them more secure for temporary use.
Why Use a Token with a 24-Hour Expiration?
When managing a Kubernetes cluster, short-lived tokens provide better security. A 24-hour expiration ensures that the token is not valid indefinitely, reducing the risk of unauthorized access. For example, if a token is exposed or compromised, its validity period limits potential misuse.
Prerequisites
Before creating a kubeadm token, ensure you have the following:
- A Kubernetes cluster set up with kubeadm.
- Administrative access to the control plane node.
- kubeadm installed and configured on your system.
- Basic familiarity with command-line tools.
Steps: How to Create a Kubeadm Token for Joining Nodes with 24H Expiration
Follow these steps to generate a kubeadm token that expires after 24 hours:
Step 1: Access the Control Plane Node
Log in to the control plane node of your Kubernetes cluster. This is the node where kubeadm was initially used to set up the cluster.
ssh user@control-plane-node
Replace user with your username and control-plane-node with the hostname or IP address of the control plane node.
Step 2: Generate a New Token
Use the following kubeadm command to generate a new token with a custom expiration time:
kubeadm token create --ttl=24h
Here’s a breakdown of the command:
- kubeadm token create: Generates a new token.
- --ttl=24h: Sets the token’s time-to-live to 24 hours.
Example output:
abcdef.0123456789abcdef
The output is your token. It consists of two parts separated by a dot: a token ID and a token secret.
Step 3: Retrieve the Cluster’s Join Configuration
When a worker node joins the cluster, it needs the address of the control plane API server and the discovery details used to verify it securely. Retrieve the cluster’s join configuration with:
kubeadm config view | grep certificate-key
Alternatively, ensure you have access to the join command details, including the API server’s address and port.
Step 4: Verify the Token
To confirm that the token has been created and verify its expiration time, use the following command:
kubeadm token list
Example output:
TOKEN                     TTL      EXPIRES                 USAGES                   DESCRIPTION
abcdef.0123456789abcdef   23h59m   Dec 25, 2024, 10:00AM   authentication,signing   <none>
The output includes:
- TOKEN: The token value.
- TTL: The time-to-live of the token.
- EXPIRES: The exact expiration date and time.
- USAGES: Indicates how the token can be used.
Step 5: Join Worker Nodes
On the worker node(s) you want to join to the cluster, use the kubeadm join command. Include the token, the control plane’s API address, and the discovery hash.
Example command:
kubeadm join <control-plane-ip>:6443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:<hash>
Replace:
- <control-plane-ip>: IP address or hostname of the control plane.
- <hash>: The SHA-256 hash of the CA certificate.
Managing Tokens
Deleting a Token
If you want to remove an existing token before it expires, use the following command:
kubeadm token delete <token-id>
Replace <token-id> with the ID of the token you want to delete.
Regenerating Discovery Token CA Cert Hash
If you lose the --discovery-token-ca-cert-hash value, regenerate it on the control plane node with:
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | awk '{print $2}'
This command outputs the required hash to be included in the kubeadm join command.
Troubleshooting
Error: “Unauthorized”
This error occurs if the token is invalid or has expired. To resolve this:
- Verify the token’s validity using kubeadm token list.
- Generate a new token with kubeadm token create --ttl=24h.
Error: “Discovery Failed”
This issue typically arises from an incorrect --discovery-token-ca-cert-hash value. Ensure the hash is correct and regenerate it if necessary.
Security Best Practices
- Use Short-Lived Tokens: Set appropriate TTL values for tokens to limit exposure.
- Rotate Tokens Regularly: Delete and regenerate tokens periodically to enhance security.
- Limit Token Scope: Use tokens only for specific purposes and restrict unnecessary permissions.
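As an added example (not part of the original article), a small shell audit that reads `kubeadm token list` output and flags any bootstrap token whose TTL exceeds the 24-hour policy from Step 4 and the best practices above, or that never expires. The sample output is constructed; its column layout follows `kubeadm token list`.

```bash
# Audit `kubeadm token list` output for tokens that outlive a TTL policy (default
# 24h = 1440 min). A constructed sample is embedded so this runs offline; on a
# live control plane, pipe `kubeadm token list` into audit_tokens instead.

# Convert a TTL column value ("23h", "2d", "23h59m", "90s") to whole minutes.
# "<forever>" (token never expires) and anything unparseable return -1.
ttl_to_minutes() {
  local ttl="$1" rest="$1" total=0 num unit
  case "$ttl" in
    '<forever>'|'<invalid>'|'') echo -1; return ;;
  esac
  while [ -n "$rest" ]; do
    num="${rest%%[!0-9]*}"          # leading digits
    rest="${rest#"$num"}"
    unit="${rest%%[0-9]*}"          # unit letters up to the next digit
    rest="${rest#"$unit"}"
    [ -n "$num" ] || { echo -1; return; }
    case "$unit" in
      s) total=$(( total + (num + 59) / 60 )) ;;   # round partial minutes up
      m) total=$(( total + num )) ;;
      h) total=$(( total + num * 60 )) ;;
      d) total=$(( total + num * 1440 )) ;;
      *) echo -1; return ;;
    esac
  done
  echo "$total"
}

# Read `kubeadm token list` output on stdin; report each token whose TTL exceeds
# MAX_MINUTES or never expires. Prints only the token ID, never the secret half.
audit_tokens() {
  local max_minutes="${1:-1440}" flagged=0 token ttl rest minutes
  while read -r token ttl rest; do
    [ -n "$token" ] && [ "$token" != "TOKEN" ] || continue   # skip header/blank
    minutes=$(ttl_to_minutes "$ttl")
    if [ "$minutes" -lt 0 ] || [ "$minutes" -gt "$max_minutes" ]; then
      printf 'VIOLATION %s ttl=%s\n' "${token%%.*}" "$ttl"
      flagged=$((flagged + 1))
    fi
  done
  [ "$flagged" -eq 0 ]   # non-zero exit when any token was flagged
}

# Constructed sample (not real cluster output): one compliant 24h token, two violations.
SAMPLE_TOKEN_LIST='TOKEN                     TTL         EXPIRES                USAGES                   DESCRIPTION
abcdef.0123456789abcdef   23h         2024-12-25T10:00:00Z   authentication,signing   <none>
111111.aaaaaaaaaaaaaaaa   6d          2024-12-31T10:00:00Z   authentication,signing   <none>
222222.bbbbbbbbbbbbbbbb   <forever>   <never>                authentication,signing   <none>'
printf '%s\n' "$SAMPLE_TOKEN_LIST" | audit_tokens 1440 || echo "long-lived tokens found"
```

Run it periodically (for example from cron on the control plane) so a token created without --ttl, which kubeadm otherwise keeps for its default lifetime, is caught rather than forgotten.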
Conclusion
Creating a kubeadm token for joining nodes with a 24-hour expiration is a straightforward process that enhances the security of your Kubernetes cluster. By following the steps outlined above, you can generate, manage, and use tokens effectively to join worker nodes to your cluster. Remember to monitor and rotate tokens regularly to maintain a secure environment. With these best practices, your Kubernetes cluster can remain robust and secure.