1KUBERNETES(1) Jan 2015 KUBERNETES(1)
2
6 kubeadm join - Run this on any machine you wish to join an existing
7 cluster
8
12 kubeadm join [OPTIONS]
13
17 When joining a kubeadm initialized cluster, we need to establish bidi‐
18 rectional trust. This is split into discovery (having the Node trust
19 the Kubernetes Control Plane) and TLS bootstrap (having the Kubernetes
20 Control Plane trust the Node).
21 There are 2 main schemes for discovery. The first is to use a shared
24 token along with the IP address of the API server. The second is to
25 provide a file - a subset of the standard kubeconfig file. This file
26 can be a local file or downloaded via an HTTPS URL. The forms are
27 kubeadm join --discovery-token abcdef.1234567890abcdef 1.2.3.4:6443,
28 kubeadm join --discovery-file path/to/file.conf, or kubeadm join --dis‐
29 covery-file ⟨https://url/file.conf⟩. Only one form can be used. If the
30 discovery information is loaded from a URL, HTTPS must be used. Also,
31 in that case the host installed CA bundle is used to verify the connec‐
32 tion.
33 If you use a shared token for discovery, you should also pass the
36 --discovery-token-ca-cert-hash flag to validate the public key of the
37 root certificate authority (CA) presented by the Kubernetes Control
38 Plane. The value of this flag is specified as "<hash-type>:<hex-
39 encoded-value>", where the supported hash type is "sha256". The hash is
40 calculated over the bytes of the Subject Public Key Info (SPKI) object
41 (as in RFC7469). This value is available in the output of "kubeadm
42 init" or can be calculated using standard tools. The --discov‐
43 ery-token-ca-cert-hash flag may be repeated multiple times to allow
44 more than one public key.
45 If you cannot know the CA public key hash ahead of time, you can pass
48 the --discovery-token-unsafe-skip-ca-verification flag to disable this
49 verification. This weakens the kubeadm security model since other nodes
50 can potentially impersonate the Kubernetes Control Plane.
51 The TLS bootstrap mechanism is also driven via a shared token. This is
54 used to temporarily authenticate with the Kubernetes Control Plane to
55 submit a certificate signing request (CSR) for a locally created key
56 pair. By default, kubeadm will set up the Kubernetes Control Plane to
57 automatically approve these signing requests. This token is passed in
58 with the --tls-bootstrap-token abcdef.1234567890abcdef flag.
59 Often times the same token is used for both parts. In this case, the
62 --token flag can be used instead of specifying each token individually.
63 The "join [api-server-endpoint]" command executes the following phases:
66 preflight Run join pre-flight checks
69 control-plane-prepare Prepare the machine for serving a control plane
70 /download-certs [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
71 /certs Generate the certificates for the new control plane components
72 /kubeconfig Generate the kubeconfig for the new control plane components
73 /control-plane Generate the manifests for the new control plane components
74 kubelet-start Write kubelet settings, certificates and (re)start the kubelet
75 control-plane-join Join a machine as a control plane instance
76 /etcd Add a new local etcd member
77 /update-status Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap
78 /mark-control-plane Mark a node as a control-plane
79
84 --apiserver-advertise-address=""
85 If the node should host a new control plane instance, the IP
86 address the API Server will advertise it's listening on. If not set the
87 default network interface will be used.
88 --apiserver-bind-port=6443
91 If the node should host a new control plane instance, the port for
92 the API Server to bind to.
93 --certificate-key=""
96 Use this key to decrypt the certificate secrets uploaded by init.
97 --config=""
100 Path to kubeadm config file.
101 --control-plane=false
104 Create a new control plane instance on this node
105 --cri-socket=""
108 Path to the CRI socket to connect. If empty kubeadm will try to
109 auto-detect this value; use this option only if you have more than one
110 CRI installed or if you have non-standard CRI socket.
111 --discovery-file=""
114 For file-based discovery, a file or URL from which to load cluster
115 information.
116 --discovery-token=""
119 For token-based discovery, the token used to validate cluster
120 information fetched from the API server.
121 --discovery-token-ca-cert-hash=[]
124 For token-based discovery, validate that the root CA public key
125 matches this hash (format: "<type>:<value>").
126 --discovery-token-unsafe-skip-ca-verification=false
129 For token-based discovery, allow joining without --discov‐
130 ery-token-ca-cert-hash pinning.
131 --experimental-control-plane=false
134 Create a new control plane instance on this node
135 --ignore-preflight-errors=[]
138 A list of checks whose errors will be shown as warnings. Example:
139 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
140 --node-name=""
143 Specify the node name.
144 --skip-phases=[]
147 List of phases to be skipped
148 --tls-bootstrap-token=""
151 Specify the token used to temporarily authenticate with the Kuber‐
152 netes Control Plane while joining the node.
153 --token=""
156 Use this token for both discovery-token and tls-bootstrap-token
157 when those values are not provided.
158
162 --azure-container-registry-config=""
163 Path to the file containing Azure container registry configuration
164 information.
165 --log-flush-frequency=5s
168 Maximum number of seconds between log flushes
169 --rootfs=""
172 [EXPERIMENTAL] The path to the 'real' host root filesystem.
173 --version=false
176 Print version information and quit
177
181 kubeadm(1), kubeadm-join-phase(1),
182
186 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
187 com) based on the kubernetes source material, but hopefully they have
188 been automatically generated since!
189Eric Paris kubernetes User Manuals KUBERNETES(1)