## kubeadm token create

```bash
# Bootstrap tokens take the form abcdef.0123456789abcdef. They must match the
# regular expression [a-z0-9]{6}\.[a-z0-9]{16}.
kubeadm token create --description kubelet-bootstrap-token --groups system:bootstrappers:${node_name} --kubeconfig ~/.kube/config
kubeadm token list --kubeconfig ~/.kube/config
```

## kubectl apply -f

```yaml
apiVersion: v1
kind: Secret
metadata:
  # Name MUST be of form "bootstrap-token-<token id>"
  name: bootstrap-token-07401b
  namespace: kube-system

# Type MUST be 'bootstrap.kubernetes.io/token'
type: bootstrap.kubernetes.io/token
stringData:
  # Human readable description. Optional.
  description: "The default bootstrap token generated by 'kubeadm init'."

  # Token ID and secret. Required.
  token-id: 07401b
  token-secret: f395accd246ae52d

  # Expiration. Optional.
  expiration: 2017-03-10T03:22:11Z

  # Allowed usages.
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"

  # Extra groups to authenticate the token as. Must start with "system:bootstrappers:"
  auth-extra-groups: system:bootstrappers:worker,system:bootstrappers:ingress
```

## kubectl create secret

```bash
# const Token = "abcdef.0123456789abcdef"
# 3 random bytes give the 6-character token ID, 8 random bytes the 16-character secret.
TOKEN_ID=$(head -c 3 /dev/urandom | od -An -t x1 | tr -d ' \n')
TOKEN_SECRET=$(head -c 8 /dev/urandom | od -An -t x1 | tr -d ' \n')
echo "${TOKEN_ID}.${TOKEN_SECRET}"
```

```bash
TOKEN_ID=$(openssl rand -hex 3)
TOKEN_SECRET=$(openssl rand -hex 8)
BOOTSTRAP_TOKEN="${TOKEN_ID}.${TOKEN_SECRET}"
kubectl -n kube-system create secret generic bootstrap-token-${TOKEN_ID} \
  --type 'bootstrap.kubernetes.io/token' \
  --from-literal description="kubelet-bootstrap-token" \
  --from-literal token-id=${TOKEN_ID} \
  --from-literal token-secret=${TOKEN_SECRET} \
  --from-literal usage-bootstrap-authentication=true \
  --from-literal usage-bootstrap-signing=true \
  --from-literal auth-extra-groups="system:bootstrappers:worker,system:bootstrappers:ingress,system:bootstrappers:${NODE_NAME}"

# Inspect
kubectl get secrets/bootstrap-token-${TOKEN_ID} -n kube-system -o yaml

# Generate bootstrap.conf
kubectl --kubeconfig=bootstrap.conf config set-cluster kubernetes --certificate-authority=kubernetes-ca.pem \
  --embed-certs=true --server=https://192.168.33.100:8443
kubectl --kubeconfig=bootstrap.conf config set-credentials kubelet-bootstrap --token=$BOOTSTRAP_TOKEN
kubectl --kubeconfig=bootstrap.conf config set-context default --cluster=kubernetes --user=kubelet-bootstrap
kubectl --kubeconfig=bootstrap.conf config use-context default
```

```bash
###############################
kubectl create clusterrolebinding kubeadm:kubelet-bootstrap --clusterrole system:node-bootstrapper --group system:bootstrappers
###############################
kubectl -n kube-system get sa kube-proxy || kubectl -n kube-system create serviceaccount kube-proxy
kubectl get clusterrolebinding kubeadm:kube-proxy || kubectl create clusterrolebinding kubeadm:kube-proxy --clusterrole system:node-proxier --serviceaccount kube-system:kube-proxy
###############################
```

## References

* [A few things about Kubernetes TLS bootstrapping](https://mritd.me/2018/01/07/kubernetes-tls-bootstrapping-note/)
* [TLS bootstrapping](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
* [TLS BOOTSTRAPPING WITH BOOTSTRAP-TOKEN](https://ansilh.com/17-tls_bootstrapping/01-bootstapping-with-file/)
* [Creating a Kubernetes cluster: configuring bootstrap](https://kuops.com/2018/07/19/deploy-kubernets-ha-07/)
* [Kubernetes - the kubelet bootstrap process](https://lingxiankong.github.io/2018-09-18-kubelet-bootstrap-process.html)
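The token format, the Secret field names and the `system:bootstrappers:` group prefix above are the three things that most often go wrong when a bootstrap token is built by hand rather than by `kubeadm`. The following POSIX shell functions are an added example, not code from the original note or from Kubernetes: they generate a token in the required form from `/dev/urandom`, check a token and its extra groups before anything is written to the cluster, and render the same Secret manifest shown in the `kubectl apply -f` section. The function names are this example's own; the expiration value is taken as an argument rather than computed so the script does not depend on a particular `date` implementation.

```shell
# Added example (not from the original note): generate, validate and render a
# kubelet bootstrap token Secret without kubeadm. Assumes a POSIX shell with
# od, head and grep; apply the output with `kubectl apply -f -`.
set -eu

# Format the API server requires: <6 chars>.<16 chars>, lowercase [a-z0-9] only.
BOOTSTRAP_TOKEN_RE='^[a-z0-9]{6}\.[a-z0-9]{16}$'

# 3 random bytes -> 6 hex chars (token ID), 8 random bytes -> 16 hex chars (secret).
generate_bootstrap_token() {
  id=$(head -c 3 /dev/urandom | od -An -t x1 | tr -d ' \n')
  secret=$(head -c 8 /dev/urandom | od -An -t x1 | tr -d ' \n')
  printf '%s.%s\n' "$id" "$secret"
}

# Returns 0 when the token matches the required pattern, 1 otherwise.
validate_bootstrap_token() {
  printf '%s' "$1" | grep -Eq "$BOOTSTRAP_TOKEN_RE"
}

# Every group in auth-extra-groups must start with "system:bootstrappers:";
# a token whose groups fail this check does not authenticate, so catch it here.
validate_auth_extra_groups() {
  old_ifs=$IFS
  IFS=','
  set -- $1
  IFS=$old_ifs
  for g in "$@"; do
    case "$g" in
      system:bootstrappers:?*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Render the Secret manifest. $1 = token, $2 = RFC 3339 expiration, $3 = extra groups.
render_bootstrap_token_secret() {
  token=$1
  expiration=$2
  groups=$3
  validate_bootstrap_token "$token" || { echo "invalid token format" >&2; return 1; }
  validate_auth_extra_groups "$groups" || { echo "invalid auth-extra-groups" >&2; return 1; }
  token_id=${token%%.*}
  token_secret=${token#*.}
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-${token_id}
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  description: "kubelet bootstrap token"
  token-id: ${token_id}
  token-secret: ${token_secret}
  expiration: ${expiration}
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
  auth-extra-groups: ${groups}
EOF
}
```

Typical use is `render_bootstrap_token_secret "$(generate_bootstrap_token)" 2017-03-10T03:22:11Z system:bootstrappers:worker | kubectl apply -f -`; keeping the `expiration` field set, as in the note's own manifest, means a token that was never consumed stops working on its own instead of lingering in `kube-system`.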