1KUBERNETES(1)                      Jan 2015                      KUBERNETES(1)
2
3
4

NAME

6       kubeadm  join  -  Run  this on any machine you wish to join an existing
7       cluster
8
9
10

SYNOPSIS

12       kubeadm join [OPTIONS]
13
14
15

DESCRIPTION

17       When joining a kubeadm initialized cluster, we need to establish  bidi‐
18       rectional  trust.  This  is split into discovery (having the Node trust
19       the Kubernetes Master) and TLS bootstrap (having the Kubernetes  Master
20       trust the Node).
21
22
23       There  are  2  main schemes for discovery. The first is to use a shared
24       token along with the IP address of the API server.  The  second  is  to
25       provide  a  file  - a subset of the standard kubeconfig file. This file
26       can be a local file or downloaded via  an  HTTPS  URL.  The  forms  are
27       kubeadm  join  --discovery-token  abcdef.1234567890abcdef 1.2.3.4:6443,
28       kubeadm join --discovery-file path/to/file.conf, or kubeadm join --dis‐
29       covery-file  ⟨https://url/file.conf⟩. Only one form can be used. If the
30       discovery information is loaded from a URL, HTTPS must be used.   Also,
31       in that case the host installed CA bundle is used to verify the connec‐
32       tion.
33
34
35       If you use a shared token for  discovery,  you  should  also  pass  the
36       --discovery-token-ca-cert-hash  flag  to validate the public key of the
37       root certificate authority (CA) presented by the Kubernetes Master. The
38       value  of  this flag is specified as "<hash-type>:<hex-encoded-value>",
39       where the supported hash type is "sha256". The hash is calculated  over
40       the bytes of the Subject Public Key Info (SPKI) object (as in RFC7469).
41       This value is available in the output of "kubeadm init" or can be  cal‐
42       culated  using  standard tools. The --discovery-token-ca-cert-hash flag
43       may be repeated multiple times to allow more than one public key.
44
45
46       If you cannot know the CA public key hash ahead of time, you  can  pass
47       the  --discovery-token-unsafe-skip-ca-verification flag to disable this
48       verification. This weakens the kubeadm security model since other nodes
49       can potentially impersonate the Kubernetes Master.
50
51
52       The  TLS bootstrap mechanism is also driven via a shared token. This is
53       used to temporarily authenticate with the Kubernetes Master to submit a
54       certificate  signing  request  (CSR) for a locally created key pair. By
55       default, kubeadm will set up the  Kubernetes  Master  to  automatically
56       approve  these  signing  requests.  This  token  is  passed in with the
57       --tls-bootstrap-token abcdef.1234567890abcdef flag.
58
59
60       Often times the same token is used for both parts. In  this  case,  the
61       --token flag can be used instead of specifying each token individually.
62
63
64

OPTIONS

66       --apiserver-advertise-address=""
67           If  the  node  should  host  a  new  control plane instance, the IP
68       address the API Server will advertise it's listening on.
69
70
71       --apiserver-bind-port=6443
72           If the node should host a new control plane instance, the port  for
73       the API Server to bind to.
74
75
76       --config=""
77           Path to kubeadm config file.
78
79
80       --cri-socket="/var/run/dockershim.sock"
81           Specify the CRI socket to connect to.
82
83
84       --discovery-file=""
85           A file or URL from which to load cluster information.
86
87
88       --discovery-token=""
89           A  token  used to validate cluster information fetched from the API
90       server.
91
92
93       --discovery-token-ca-cert-hash=[]
94           For token-based discovery, validate that the  root  CA  public  key
95       matches this hash (format: "<type>:<value>").
96
97
98       --discovery-token-unsafe-skip-ca-verification=false
99           For   token-based   discovery,   allow  joining  without  --discov‐
100       ery-token-ca-cert-hash pinning.
101
102
103       --experimental-control-plane=false
104           Create a new control plane instance on this node
105
106
107       --ignore-preflight-errors=[]
108           A list of checks whose errors will be shown as  warnings.  Example:
109       'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
110
111
112       --node-name=""
113           Specify the node name.
114
115
116       --token=""
117           Use  this  token  for  both discovery-token and tls-bootstrap-token
118       when those values are not provided.
119
120
121

OPTIONS INHERITED FROM PARENT COMMANDS

123       --azure-container-registry-config=""
124           Path to the file containing Azure container registry  configuration
125       information.
126
127
128       --log-flush-frequency=5s
129           Maximum number of seconds between log flushes
130
131
132       --rootfs=""
133           [EXPERIMENTAL] The path to the 'real' host root filesystem.
134
135
136       --version=false
137           Print version information and quit
138
139
140

SEE ALSO

142       kubeadm(1),
143
144
145

HISTORY

147       January  2015,  Originally compiled by Eric Paris (eparis at redhat dot
148       com) based on the kubernetes source material, but hopefully  they  have
149       been automatically generated since!
150
151
152
153Eric Paris                  kubernetes User Manuals              KUBERNETES(1)