1KUBERNETES(1) Jan 2015 KUBERNETES(1)
2
3
4
6 kubeadm join - Run this on any machine you wish to join an existing
7 cluster
8
9
10
12 kubeadm join [OPTIONS]
13
14
15
17 When joining a kubeadm initialized cluster, we need to establish bidi‐
18 rectional trust. This is split into discovery (having the Node trust
19 the Kubernetes Master) and TLS bootstrap (having the Kubernetes Master
20 trust the Node).
21
22
23 There are 2 main schemes for discovery. The first is to use a shared
24 token along with the IP address of the API server. The second is to
25 provide a file - a subset of the standard kubeconfig file. This file
26 can be a local file or downloaded via an HTTPS URL. The forms are
27 kubeadm join --discovery-token abcdef.1234567890abcdef 1.2.3.4:6443,
28 kubeadm join --discovery-file path/to/file.conf, or kubeadm join --dis‐
29 covery-file ⟨https://url/file.conf⟩. Only one form can be used. If the
30 discovery information is loaded from a URL, HTTPS must be used. Also,
31 in that case the host installed CA bundle is used to verify the connec‐
32 tion.
33
34
35 If you use a shared token for discovery, you should also pass the
36 --discovery-token-ca-cert-hash flag to validate the public key of the
37 root certificate authority (CA) presented by the Kubernetes Master. The
38 value of this flag is specified as "<hash-type>:<hex-encoded-value>",
39 where the supported hash type is "sha256". The hash is calculated over
40 the bytes of the Subject Public Key Info (SPKI) object (as in RFC7469).
41 This value is available in the output of "kubeadm init" or can be cal‐
42 culated using standard tools. The --discovery-token-ca-cert-hash flag
43 may be repeated multiple times to allow more than one public key.
44
45
46 If you cannot know the CA public key hash ahead of time, you can pass
47 the --discovery-token-unsafe-skip-ca-verification flag to disable this
48 verification. This weakens the kubeadm security model since other nodes
49 can potentially impersonate the Kubernetes Master.
50
51
52 The TLS bootstrap mechanism is also driven via a shared token. This is
53 used to temporarily authenticate with the Kubernetes Master to submit a
54 certificate signing request (CSR) for a locally created key pair. By
55 default, kubeadm will set up the Kubernetes Master to automatically
56 approve these signing requests. This token is passed in with the
57 --tls-bootstrap-token abcdef.1234567890abcdef flag.
58
59
60 Often times the same token is used for both parts. In this case, the
61 --token flag can be used instead of specifying each token individually.
62
63
64
66 --apiserver-advertise-address=""
67 If the node should host a new control plane instance, the IP
68 address the API Server will advertise it's listening on.
69
70
71 --apiserver-bind-port=6443
72 If the node should host a new control plane instance, the port for
73 the API Server to bind to.
74
75
76 --config=""
77 Path to kubeadm config file.
78
79
80 --cri-socket="/var/run/dockershim.sock"
81 Specify the CRI socket to connect to.
82
83
84 --discovery-file=""
85 A file or url from which to load cluster information.
86
87
88 --discovery-token=""
89 A token used to validate cluster information fetched from the api
90 server.
91
92
93 --discovery-token-ca-cert-hash=[]
94 For token-based discovery, validate that the root CA public key
95 matches this hash (format: "<type>:<value>").
96
97
98 --discovery-token-unsafe-skip-ca-verification=false
99 For token-based discovery, allow joining without --discov‐
100 ery-token-ca-cert-hash pinning.
101
102
103 --experimental-control-plane=false
104 Create a new control plane instance on this node
105
106
107 --feature-gates=""
108 A set of key=value pairs that describe feature gates for various
109 features. Options are: Auditing=true|false (ALPHA - default=false)
110 CoreDNS=true|false (default=true) DynamicKubeletConfig=true|false (BETA
111 - default=false)
112
113
114 --ignore-preflight-errors=[]
115 A list of checks whose errors will be shown as warnings. Example:
116 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
117
118
119 --node-name=""
120 Specify the node name.
121
122
123 --tls-bootstrap-token=""
124 A token used for TLS bootstrapping.
125
126
127 --token=""
128 Use this token for both discovery-token and tls-bootstrap-token.
129
130
131
133 --azure-container-registry-config=""
134 Path to the file containing Azure container registry configuration
135 information.
136
137
138 --google-json-key=""
139 The Google Cloud Platform Service Account JSON Key to use for
140 authentication.
141
142
143 --log-flush-frequency=5s
144 Maximum number of seconds between log flushes
145
146
147 --rootfs=""
148 [EXPERIMENTAL] The path to the 'real' host root filesystem.
149
150
151 --version=false
152 Print version information and quit
153
154
155
157 kubeadm(1),
158
159
160
162 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
163 com) based on the kubernetes source material, but hopefully they have
164 been automatically generated since!
165
166
167
168Eric Paris kubernetes User Manuals KUBERNETES(1)