KUBERNETES(1)                      Jan 2015                      KUBERNETES(1)

NAME

       kubeadm join - Run this on any machine you wish to join an existing
       cluster

SYNOPSIS

       kubeadm join [OPTIONS]

DESCRIPTION

       When joining a kubeadm initialized cluster, we need to establish
       bidirectional trust. This is split into discovery (having the Node
       trust the Kubernetes Control Plane) and TLS bootstrap (having the
       Kubernetes Control Plane trust the Node).

       There are 2 main schemes for discovery. The first is to use a shared
       token along with the IP address of the API server. The second is to
       provide a file - a subset of the standard kubeconfig file. This file
       can be a local file or downloaded via an HTTPS URL. The forms are
       kubeadm join --discovery-token abcdef.1234567890abcdef 1.2.3.4:6443,
       kubeadm join --discovery-file path/to/file.conf, or
       kubeadm join --discovery-file ⟨https://url/file.conf⟩. Only one form
       can be used. If the discovery information is loaded from a URL, HTTPS
       must be used. Also, in that case the host installed CA bundle is used
       to verify the connection.

       If you use a shared token for discovery, you should also pass the
       --discovery-token-ca-cert-hash flag to validate the public key of the
       root certificate authority (CA) presented by the Kubernetes Control
       Plane. The value of this flag is specified as
       "<hash-type>:<hex-encoded-value>", where the supported hash type is
       "sha256". The hash is calculated over the bytes of the Subject Public
       Key Info (SPKI) object (as in RFC7469). This value is available in the
       output of "kubeadm init" or can be calculated using standard tools.
       The --discovery-token-ca-cert-hash flag may be repeated multiple times
       to allow more than one public key.
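
       How the --discovery-token-ca-cert-hash value described above is
       derived, as an added example (not part of the man page and not kubeadm's
       own code): it cuts the SubjectPublicKeyInfo bytes out of a certificate's
       DER, hashes them with SHA-256, and checks the result against one or more
       pins. All function names and the sample certificate skeleton are
       constructed for illustration.

```python
import hashlib
import re
import ssl

PIN_RE = re.compile(r"sha256:[0-9a-fA-F]{64}")  # "<hash-type>:<hex-encoded-value>"

def der_tlv(buf, pos):
    """Return (tag, value_start, end) for the DER element starting at pos."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        count = length & 0x7F
        length = int.from_bytes(buf[start:start + count], "big")
        start += count
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def spki_from_cert(der):
    """Return the SubjectPublicKeyInfo element (header included) of a DER certificate."""
    _, pos, _ = der_tlv(der, 0)        # Certificate SEQUENCE: step inside
    _, pos, _ = der_tlv(der, pos)      # tbsCertificate SEQUENCE: step inside
    tag, _, end = der_tlv(der, pos)
    if tag == 0xA0:                    # optional [0] version, absent in v1 certificates
        pos = end
    for _field in range(5):            # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_tlv(der, pos)
    _, _, end = der_tlv(der, pos)
    return der[pos:end]

def ca_cert_hash(cert):
    """Compute the pin for a CA certificate given as PEM text or DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return "sha256:" + hashlib.sha256(spki_from_cert(der)).hexdigest()

def pin_matches(cert, pins):
    """True if the certificate's SPKI hash equals any of the supplied pins."""
    for pin in pins:
        if not PIN_RE.fullmatch(pin):
            raise ValueError(f"malformed pin: {pin!r}")
    return ca_cert_hash(cert) in {pin.lower() for pin in pins}

def der_enc(tag, value):  # short-form DER encoder, used only to build the sample
    return bytes([tag, len(value)]) + value
# Constructed sample (not a real CA): unsigned skeleton around an Ed25519-shaped SPKI.
EMPTY = der_enc(0x30, b"")
SAMPLE_SPKI = der_enc(0x30, der_enc(0x30, b"\x06\x03\x2b\x65\x70")
                      + der_enc(0x03, b"\x00" + bytes(range(32))))
SAMPLE_CERT = der_enc(0x30, der_enc(0x30, der_enc(0xA0, b"\x02\x01\x02") + der_enc(0x02, b"\x01")
                                    + EMPTY * 4 + SAMPLE_SPKI) + EMPTY + der_enc(0x03, b"\x00"))
```

       Passing the cluster CA certificate's PEM text to ca_cert_hash() yields
       the string to supply to the flag; pin_matches() accepts several pins,
       mirroring the repeatable flag.
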
       If you cannot know the CA public key hash ahead of time, you can pass
       the --discovery-token-unsafe-skip-ca-verification flag to disable this
       verification. This weakens the kubeadm security model since other
       nodes can potentially impersonate the Kubernetes Control Plane.

       The TLS bootstrap mechanism is also driven via a shared token. This is
       used to temporarily authenticate with the Kubernetes Control Plane to
       submit a certificate signing request (CSR) for a locally created key
       pair. By default, kubeadm will set up the Kubernetes Control Plane to
       automatically approve these signing requests. This token is passed in
       with the --tls-bootstrap-token abcdef.1234567890abcdef flag.

       Oftentimes the same token is used for both parts. In this case, the
       --token flag can be used instead of specifying each token individually.

       The "join [api-server-endpoint]" command executes the following phases:

              preflight              Run join pre-flight checks
              control-plane-prepare  Prepare the machine for serving a control plane
                /download-certs        [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
                /certs                 Generate the certificates for the new control plane components
                /kubeconfig            Generate the kubeconfig for the new control plane components
                /control-plane         Generate the manifests for the new control plane components
              kubelet-start          Write kubelet settings, certificates and (re)start the kubelet
              control-plane-join     Join a machine as a control plane instance
                /etcd                  Add a new local etcd member
                /update-status         Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap
                /mark-control-plane    Mark a node as a control-plane

OPTIONS

       --apiserver-advertise-address=""
           If the node should host a new control plane instance, the IP
           address the API Server will advertise it's listening on. If not
           set, the default network interface will be used.

       --apiserver-bind-port=6443
           If the node should host a new control plane instance, the port for
           the API Server to bind to.

       --certificate-key=""
           Use this key to decrypt the certificate secrets uploaded by init.

       --config=""
           Path to kubeadm config file.

       --control-plane=false
           Create a new control plane instance on this node

       --cri-socket=""
           Path to the CRI socket to connect. If empty, kubeadm will try to
           auto-detect this value; use this option only if you have more than
           one CRI installed or if you have a non-standard CRI socket.

       --discovery-file=""
           For file-based discovery, a file or URL from which to load cluster
           information.

       --discovery-token=""
           For token-based discovery, the token used to validate cluster
           information fetched from the API server.

       --discovery-token-ca-cert-hash=[]
           For token-based discovery, validate that the root CA public key
           matches this hash (format: "<type>:<value>").

       --discovery-token-unsafe-skip-ca-verification=false
           For token-based discovery, allow joining without
           --discovery-token-ca-cert-hash pinning.

       --experimental-control-plane=false
           Create a new control plane instance on this node

       --ignore-preflight-errors=[]
           A list of checks whose errors will be shown as warnings. Example:
           'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.

       --node-name=""
           Specify the node name.

       --skip-phases=[]
           List of phases to be skipped

       --tls-bootstrap-token=""
           Specify the token used to temporarily authenticate with the
           Kubernetes Control Plane while joining the node.

       --token=""
           Use this token for both discovery-token and tls-bootstrap-token
           when those values are not provided.

OPTIONS INHERITED FROM PARENT COMMANDS

       --azure-container-registry-config=""
           Path to the file containing Azure container registry configuration
           information.

       --log-flush-frequency=5s
           Maximum number of seconds between log flushes

       --rootfs=""
           [EXPERIMENTAL] The path to the 'real' host root filesystem.

       --version=false
           Print version information and quit

SEE ALSO

       kubeadm(1), kubeadm-join-phase(1),

HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!

Eric Paris                  kubernetes User Manuals              KUBERNETES(1)