Bootstrap tokens are a bearer token meant to be used when creating new Kubernetes clusters or joining new nodes to an existing cluster. These are tokens that are stored as secrets in the Kubernetes cluster, and then issued to the individual kubelet.
Stuff you wanna know:
- You can use a single token for an entire cluster, or issue one per worker node.
- Bootstrap tokens were built to support kubeadm, but can be used in other contexts.
- These tokens work via RBAC policy with the Kubelet TLS Bootstrapping system.
- Bootstrap Tokens are defined with a specific type (
bootstrap.kubernetes.io/token) of secrets that lives in thekube-systemnamespace. These Secrets are then read by the Bootstrap Authenticator in the API Server. - Bootstrap Tokens take the form of
abcdef.0123456789abcdef. - The first part of the token is the “Token ID” and is considered public information. It is used when referring to a token without leaking the secret part used for authentication.
- The second part is the “Token Secret” and should only be shared with trusted parties.
- When enabled, bootstrapping tokens can be used as bearer token credentials to authenticate requests against the API server.
- Each valid token is backed by a secret in the
kube-systemnamespace. - You can use the
kubeadmtool to manage tokens on a running cluster. - In addition to authentication, the tokens can be used to sign a ConfigMap.
More stuff:
- Authenticating with Bootstrap tokens — https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/
- TLS bootstrapping — https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#bootstrap-tokens
