Cluster registration tokens are used to authenticate and register clusters with Rancher. Each token provides the necessary credentials for a cluster agent to establish a secure connection.
Overview
When you import a cluster, Rancher automatically creates a ClusterRegistrationToken resource. This token:
- Contains unique authentication credentials
- Provides access to the agent deployment manifest
- Is scoped to a specific cluster
- Generates platform-specific installation commands
Token Structure
The ClusterRegistrationToken type is defined in /home/daytona/workspace/source/pkg/apis/management.cattle.io/v3/cluster_types.go:283:
type ClusterRegistrationToken struct {
metav1.TypeMeta
metav1.ObjectMeta
Spec ClusterRegistrationTokenSpec
Status ClusterRegistrationTokenStatus
}
type ClusterRegistrationTokenSpec struct {
ClusterName string // Reference to the cluster
}
type ClusterRegistrationTokenStatus struct {
InsecureCommand string // Command for insecure/self-signed certs
Command string // Standard secure command
WindowsNodeCommand string // Command for Windows nodes
InsecureWindowsNodeCommand string // Insecure Windows command
NodeCommand string // Generic node command
InsecureNodeCommand string // Insecure node command
ManifestURL string // URL to download agent manifest
Token string // Authentication token value
}
Token Generation
Tokens are automatically created when:
- You create an imported cluster through the Rancher UI
- You create a cluster via the Rancher API
- You explicitly create a
ClusterRegistrationToken resource
Rancher generates:
- A unique token value for authentication
- Platform-specific installation commands
- A manifest URL for downloading the agent configuration
Installation Commands
Linux/Unix Clusters
Secure command (recommended):
curl --insecure -sfL https://{RANCHER_URL}/v3/import/{TOKEN}.yaml | kubectl apply -f -
Insecure command (for development/self-signed certificates):
curl -sfL https://{RANCHER_URL}/v3/import/{TOKEN}.yaml | kubectl apply -f -
The commands are available in:
Status.Command - Secure command
Status.InsecureCommand - Insecure command
Windows Nodes
For clusters with Windows nodes, use the Windows-specific commands:
Status.WindowsNodeCommand - Secure Windows installation
Status.InsecureWindowsNodeCommand - Insecure Windows installation
These commands use PowerShell to download and apply the Windows agent manifest.
Generic Node Commands
Node-level commands for adding individual nodes:
Status.NodeCommand - Standard node registration
Status.InsecureNodeCommand - Insecure node registration
Manifest URL
The ManifestURL provides direct access to the agent deployment YAML:
https://{RANCHER_URL}/v3/import/{TOKEN}.yaml
The manifest includes:
- ServiceAccount and RBAC resources
- Deployment for
cattle-cluster-agent
- ConfigMaps with cluster configuration
- Secrets with authentication credentials
The manifest is served by the cluster registration token handler at /home/daytona/workspace/source/pkg/api/norman/customization/clusterregistrationtokens/import.go:23.
Token Security
Cluster registration tokens provide cluster-admin level access. Treat them as sensitive credentials.
Best Practices
- Rotate tokens regularly: Delete old tokens after cluster import
- Limit token exposure: Don’t commit tokens to version control
- Use secure commands: Prefer secure commands with valid certificates
- Monitor token usage: Track which tokens are actively used
- Revoke unused tokens: Delete tokens for clusters that no longer exist
Token Scope
Each token:
- Is scoped to a single cluster (via
Spec.ClusterName)
- Cannot be used to register a different cluster
- Remains valid indefinitely unless explicitly deleted
- Provides full access to manage the cluster through Rancher
Managing Tokens
Listing Tokens
View tokens for a cluster:
kubectl get clusterregistrationtokens -n {CLUSTER_NAME}
Creating Additional Tokens
Create a new token for an existing cluster:
apiVersion: management.cattle.io/v3
kind: ClusterRegistrationToken
metadata:
name: {TOKEN_NAME}
namespace: {CLUSTER_NAME}
spec:
clusterName: {CLUSTER_NAME}
Apply with:
kubectl apply -f token.yaml
Rancher automatically populates the Status fields with generated commands and the token value.
Deleting Tokens
Remove a token:
kubectl delete clusterregistrationtoken {TOKEN_NAME} -n {CLUSTER_NAME}
Deleting all tokens for a cluster will break the agent connection. Ensure at least one valid token exists.
Viewing Token Details
Inspect a token’s generated values:
kubectl get clusterregistrationtoken {TOKEN_NAME} -n {CLUSTER_NAME} -o yaml
The output includes all generated commands and the manifest URL.
Token Lifecycle
User creates an imported cluster
Rancher creates a default ClusterRegistrationToken
Token status is populated with commands and credentials
User retrieves the token’s installation command
Command is executed against the target cluster
Cluster agent downloads manifest using the token
Agent authenticates to Rancher using token credentials
Create a new ClusterRegistrationToken for the cluster
Update the agent deployment with the new token
Delete the old token after verifying the new connection
Identify unused or compromised tokens
Delete the token resource
Verify the cluster agent continues functioning (if other tokens exist)
Agent Registration Flow
When applying the registration command:
- Manifest Download: kubectl retrieves the YAML from the manifest URL
- Resource Creation: Kubernetes creates the agent resources
- Agent Startup: The cattle-cluster-agent pod starts
- Authentication: Agent uses the token to authenticate with Rancher
- Connection: Agent establishes a websocket connection
- Synchronization: Rancher syncs cluster state and marks it as Active
The import handler is implemented in /home/daytona/workspace/source/pkg/api/norman/customization/clusterregistrationtokens/import.go.
Server URL Configuration
The token commands use the Rancher server URL from:
settings.ServerURL.Get() - User-configured server URL
- HTTP request Host header (fallback)
Ensure the server URL is:
- Accessible from target clusters
- Configured with the correct protocol (http/https)
- Resolvable via DNS from cluster networks
Troubleshooting
Token Commands Not Working
- Verify server URL: Ensure clusters can reach the configured Rancher URL
- Check certificate validity: Use insecure commands for self-signed certificates
- Inspect token status: Ensure the token has been fully populated
Manifest Download Fails
- Network connectivity: Verify cluster can reach Rancher server
- Token expiration: Check if the token still exists
- URL accessibility: Test the manifest URL manually with curl
Agent Fails to Connect
- Token authentication: Verify the token value is correct
- Server URL mismatch: Ensure agent is connecting to the correct Rancher instance
- Network policies: Check for firewall rules blocking websocket connections