Kubernetes generate new tokens
by Alex Arica

A new node can only join a Kubernetes cluster by providing a “token” and a “discovery-token-ca-cert-hash”. This page shows how to generate those values. Those hashes are temporary and a token expires in 24h.

The commands below were executed with "kubeadm" on the cluster's control plane.

Generate a new "token"

List existing tokens:

kubeadm token list
                    

If the above does not display anything, you have to create a new token. First, generate a token value:

kubeadm token generate
                    

Output example:

7nx60l.fy8n4s8p6ruz8uiu
                    

Copy that value and use it as follows:

kubeadm token create 7nx60l.fy8n4s8p6ruz8uiu
                    

The token is now created and valid for 24h. It should appear in the list of tokens:

kubeadm token list
                    

Generate a new "discovery-token-ca-cert-hash"

Run this command:

openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
                    

Output example:

3afa7b092bdb7b8c154f8ab9bc0ebd67586c4d3f59b4028ef0036d39674ade2f
                    

You can use the generated "discovery-token-ca-cert-hash" and "token" to join a new node to an existing Kubernetes cluster.
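
What the openssl pipeline above computes, shown as an added example (not code from the original article): the SHA-256 of the CA certificate's DER-encoded SubjectPublicKeyInfo. This Python version extracts those bytes directly, so it goes slightly beyond the command on the page and also handles non-RSA CA keys. The "sha256:" prefix is the form "kubeadm join" expects; the function names and the sample certificate skeleton are constructed for illustration.

```python
import hashlib
import hmac
import ssl
import sys


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def spki_from_cert(der):
    """Return the raw SubjectPublicKeyInfo element of a DER X.509 cert."""
    _, pos, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _field in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    tag, _, end = read_tlv(der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return der[pos:end]


def ca_cert_hash(cert):
    """sha256:<hex> pin of a CA cert given as PEM text or DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return "sha256:" + hashlib.sha256(spki_from_cert(der)).hexdigest()


def pin_matches(cert, expected):
    """Constant-time comparison against a pin received out of band."""
    return hmac.compare_digest(ca_cert_hash(cert), expected.strip().lower())


def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths only


# Constructed sample: a certificate-shaped DER skeleton, not a real CA cert.
SAMPLE_SPKI = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00constructed-key"))
SAMPLE_TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
                 + tlv(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_DER = tlv(0x30, SAMPLE_TBS + tlv(0x30, b"") + tlv(0x03, b"\x00"))

if __name__ == "__main__":  # optional argument: path to a PEM CA certificate
    print(ca_cert_hash(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DER))
```

Run on the joining node against a CA certificate obtained over a trusted channel, pin_matches() confirms that the hash handed over with the token refers to the expected cluster CA.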