Kubernetes generate new tokens
by Alex Arica

A new node can only join a Kubernetes cluster by providing a "token" and a "discovery-token-ca-cert-hash". We are going to show how to generate those values. Those hashes are temporary and a token expires in 24h.

The commands below were executed with "kubeadm" on the cluster's control plane.

Generate a new "token"

List existing tokens:

kubeadm token list

If the above does not display anything, you have to create a new token:

kubeadm token generate

Output example:

7nx60l.fy8n4s8p6ruz8uiu

Copy that value and use it as follows:

kubeadm token create 7nx60l.fy8n4s8p6ruz8uiu

A token is generated, valid for 24h. We should see it in the list of tokens:

kubeadm token list

Generate a new "discovery-token-ca-cert-hash"

Run this command:

openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'

Output example:


You can use the generated "discovery-token-ca-cert-hash" and "token" to join a new node to an existing Kubernetes cluster.
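
The one-line openssl pipeline above hides errors with 2>/dev/null, so a missing or unparsable ca.crt still prints a hash: the SHA-256 of empty input. The following is an added example, not part of the original post, that computes the hash with that failure caught and validates both values before assembling a "kubeadm join" command. The function names and the endpoint argument are assumptions, and "openssl pkey" is used in place of "openssl rsa" so that non-RSA CA keys are also handled.

```sh
#!/bin/sh
# Added example: helper names and the endpoint argument are assumptions.

# SHA-256 of zero bytes: what the one-line pipeline prints when ca.crt is
# missing or unparsable, because 2>/dev/null hides the openssl error.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# kubeadm bootstrap tokens have the form [a-z0-9]{6}.[a-z0-9]{16}.
valid_token() {
    case $1 in *[!a-z0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# A usable pin is "sha256:" + 64 lowercase hex digits, not the empty digest.
valid_pin() {
    case $1 in sha256:*) ;; *) return 1 ;; esac
    pin_hex=${1#sha256:}
    case $pin_hex in *[!0-9a-f]*) return 1 ;; esac
    [ "${#pin_hex}" -eq 64 ] && [ "$pin_hex" != "$EMPTY_SHA256" ]
}

# Print the pin for a CA certificate, or fail with a message.
# "openssl pkey" replaces the page's "openssl rsa" so ECDSA CA keys also work.
ca_cert_pin() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    pub=$(openssl x509 -pubkey -noout -in "$1" 2>/dev/null) || {
        echo "$1 is not a valid certificate" >&2; return 1; }
    pin="sha256:$(printf '%s\n' "$pub" | openssl pkey -pubin -outform der 2>/dev/null |
        openssl dgst -sha256 -hex | sed 's/^.* //')"
    valid_pin "$pin" || { echo "hash computation failed" >&2; return 1; }
    printf '%s\n' "$pin"
}

# Assemble the join command only from values that pass validation.
# $1 = control plane endpoint (host:port), $2 = token, $3 = pin
join_command() {
    valid_token "$2" || { echo "bad token format" >&2; return 1; }
    valid_pin "$3" || { echo "bad CA pin" >&2; return 1; }
    printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash %s\n' "$1" "$2" "$3"
}
```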