How to fix token is invalid in Kubernetes

What this error means

Kubeadm uses short-lived tokens (default 24 hours) to allow new nodes to securely join the cluster. If the token has expired, is malformed, or was already used, kubeadm join will fail. This is a security mechanism to prevent unauthorized nodes from joining.

Typical symptoms

• kubeadm join fails with "token is invalid"
• Cannot add new nodes to cluster
• Error mentions token validation failure
• Token was created more than 24 hours ago
• Token contains invalid characters or format
• Node appears in cluster but not healthy

Common causes

1. Token has expired (default TTL 24 hours)
2. Token was already used and consumed
3. Token format is invalid (not 6.16 format)
4. Token was generated with wrong cluster hash
5. Typo in the join command
6. Token revoked manually

How to fix "token is invalid"

kubectl -n kube-system get secrets | grep bootstrap-token
kubectl -n kube-system describe secret bootstrap-token-XXXXX

kubeadm token list

kubeadm token create

# Or create a long-lived token
kubeadm token create --ttl 24h

openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'

Advanced notes

Related errors

• No subnets found for EKS cluster

  How to fix "eks subnet not found" in Kubernetes

  MEDIUM

• unable to compute replica count

  How to fix "unable to compute replica count" in Kubernetes HPA

  MEDIUM

• error: context not found

  How to fix "error: context not found" in Kubernetes

  MEDIUM

Official resources & further reading

• 📚Kubernetes Official Documentation
• 📖
  Kubernetes: kubeadm token(Official Docs)
• 📖
  Kubernetes: Join nodes to cluster(Official Docs)