1KUBERNETES(1)                      Jan 2015                      KUBERNETES(1)
2
3
4

NAME

6       kubeadm  join  -  Run  this on any machine you wish to join an existing
7       cluster
8
9
10

SYNOPSIS

12       kubeadm join [OPTIONS]
13
14
15

DESCRIPTION

17       When joining a kubeadm initialized cluster, we need to establish  bidi‐
18       rectional  trust.  This  is split into discovery (having the Node trust
19       the Kubernetes Master) and TLS bootstrap (having the Kubernetes  Master
20       trust the Node).
21
22
23       There  are  2  main schemes for discovery. The first is to use a shared
24       token along with the IP address of the API server.  The  second  is  to
25       provide  a  file  - a subset of the standard kubeconfig file. This file
26       can be a local file or downloaded via  an  HTTPS  URL.  The  forms  are
27       kubeadm  join  --discovery-token  abcdef.1234567890abcdef 1.2.3.4:6443,
28       kubeadm join --discovery-file path/to/file.conf, or kubeadm join --dis‐
29       covery-file  ⟨https://url/file.conf⟩. Only one form can be used. If the
30       discovery information is loaded from a URL, HTTPS must be used.   Also,
31       in that case the host installed CA bundle is used to verify the connec‐
32       tion.
33
34
35       If you use a shared token for  discovery,  you  should  also  pass  the
36       --discovery-token-ca-cert-hash  flag  to validate the public key of the
37       root certificate authority (CA) presented by the Kubernetes Master. The
38       value  of  this flag is specified as "<hash-type>:<hex-encoded-value>",
39       where the supported hash type is "sha256". The hash is calculated  over
40       the bytes of the Subject Public Key Info (SPKI) object (as in RFC7469).
41       This value is available in the output of "kubeadm init" or can be  cal‐
42       culated  using  standard tools. The --discovery-token-ca-cert-hash flag
43       may be repeated multiple times to allow more than one public key.
44
45
46       If you cannot know the CA public key hash ahead of time, you  can  pass
47       the  --discovery-token-unsafe-skip-ca-verification flag to disable this
48       verification. This weakens the kubeadm security model since other nodes
49       can potentially impersonate the Kubernetes Master.
50
51
52       The  TLS bootstrap mechanism is also driven via a shared token. This is
53       used to temporarily authenticate with the Kubernetes Master to submit a
54       certificate  signing  request  (CSR) for a locally created key pair. By
55       default, kubeadm will set up the  Kubernetes  Master  to  automatically
56       approve  these  signing  requests.  This  token  is  passed in with the
57       --tls-bootstrap-token abcdef.1234567890abcdef flag.
58
59
60       Often times the same token is used for both parts. In  this  case,  the
61       --token flag can be used instead of specifying each token individually.
62
63
64

OPTIONS

66       --apiserver-advertise-address=""
67           If  the  node  should  host  a  new  control plane instance, the IP
68       address the API Server will advertise it's listening on.
69
70
71       --apiserver-bind-port=6443
72           If the node should host a new control plane instance, the port  for
73       the API Server to bind to.
74
75
76       --config=""
77           Path to kubeadm config file.
78
79
80       --cri-socket="/var/run/dockershim.sock"
81           Specify the CRI socket to connect to.
82
83
84       --discovery-file=""
85           A file or url from which to load cluster information.
86
87
88       --discovery-token=""
89           A  token  used to validate cluster information fetched from the api
90       server.
91
92
93       --discovery-token-ca-cert-hash=[]
94           For token-based discovery, validate that the  root  CA  public  key
95       matches this hash (format: "<type>:<value>").
96
97
98       --discovery-token-unsafe-skip-ca-verification=false
99           For   token-based   discovery,   allow  joining  without  --discov‐
100       ery-token-ca-cert-hash pinning.
101
102
103       --experimental-control-plane=false
104           Create a new control plane instance on this node
105
106
107       --feature-gates=""
108           A set of key=value pairs that describe feature  gates  for  various
109       features.  Options  are:  Auditing=true|false  (ALPHA  - default=false)
110       CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (BETA
111       - default=false)
112
113
114       --ignore-preflight-errors=[]
115           A  list  of checks whose errors will be shown as warnings. Example:
116       'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
117
118
119       --node-name=""
120           Specify the node name.
121
122
123       --tls-bootstrap-token=""
124           A token used for TLS bootstrapping.
125
126
127       --token=""
128           Use this token for both discovery-token and tls-bootstrap-token.
129
130
131

OPTIONS INHERITED FROM PARENT COMMANDS

133       --azure-container-registry-config=""
134           Path to the file containing Azure container registry  configuration
135       information.
136
137
138       --google-json-key=""
139           The  Google  Cloud  Platform  Service  Account  JSON Key to use for
140       authentication.
141
142
143       --log-flush-frequency=5s
144           Maximum number of seconds between log flushes
145
146
147       --rootfs=""
148           [EXPERIMENTAL] The path to the 'real' host root filesystem.
149
150
151       --version=false
152           Print version information and quit
153
154
155

SEE ALSO

157       kubeadm(1),
158
159
160

HISTORY

162       January 2015, Originally compiled by Eric Paris (eparis at  redhat  dot
163       com)  based  on the kubernetes source material, but hopefully they have
164       been automatically generated since!
165
166
167
168Eric Paris                  kubernetes User Manuals              KUBERNETES(1)