KUBERNETES(1)                      Jan 2015                      KUBERNETES(1)

NAME
kubeadm join - Run this on any machine you wish to join an existing
cluster

SYNOPSIS
kubeadm join [OPTIONS]

DESCRIPTION
When joining a kubeadm initialized cluster, we need to establish
bidirectional trust. This is split into discovery (having the Node
trust the Kubernetes Control Plane) and TLS bootstrap (having the
Kubernetes Control Plane trust the Node).

There are 2 main schemes for discovery. The first is to use a shared
token along with the IP address of the API server. The second is to
provide a file - a subset of the standard kubeconfig file. This file
can be a local file or downloaded via an HTTPS URL. The forms are
kubeadm join --discovery-token abcdef.1234567890abcdef 1.2.3.4:6443,
kubeadm join --discovery-file path/to/file.conf, or kubeadm join
--discovery-file ⟨https://url/file.conf⟩. Only one form can be used. If
the discovery information is loaded from a URL, HTTPS must be used.
Also, in that case the host installed CA bundle is used to verify the
connection.

If you use a shared token for discovery, you should also pass the
--discovery-token-ca-cert-hash flag to validate the public key of the
root certificate authority (CA) presented by the Kubernetes Control
Plane. The value of this flag is specified as
"<hash-type>:<hex-encoded-value>", where the supported hash type is
"sha256". The hash is calculated over the bytes of the Subject Public
Key Info (SPKI) object (as in RFC7469). This value is available in the
output of "kubeadm init" or can be calculated using standard tools. The
--discovery-token-ca-cert-hash flag may be repeated multiple times to
allow more than one public key.

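The pin calculation described above, as an added example (not part of the man page and not kubeadm's own code): it walks the DER structure of a PEM CA certificate to extract the SPKI element, hashes it, and checks the result against a list of pins. The function names and SAMPLE_PEM are assumptions; SAMPLE_PEM is a constructed structural stand-in, not a real certificate.

```python
import base64, hashlib, re

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, end)."""
    tag, length, off = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def spki_from_cert(der):
    """Return the complete SubjectPublicKeyInfo element (tag, length, value)."""
    _, pos, _ = read_tlv(der, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                   # optional [0] version, absent in v1 certs
        pos = end
    for _field in range(5):           # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    _, _, end = read_tlv(der, pos)
    return der[pos:end]

def ca_cert_hash(pem):
    """Format the SPKI hash as "<hash-type>:<hex-encoded-value>"."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode(m.group(1))  # first certificate in the file only
    return "sha256:" + hashlib.sha256(spki_from_cert(der)).hexdigest()

def pin_matches(pem, pins):
    """True if the CA key matches any pin; the flag may be repeated."""
    return ca_cert_hash(pem) in {p.strip().lower() for p in pins}

# Constructed sample input: DER with the right shape, dummy field contents.
def tlv(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + value

ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
SAMPLE_SPKI = tlv(0x30, ALG + tlv(0x03, b"\x00" + bytes(range(256)) + bytes(14)))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4 + SAMPLE_SPKI)
CERT = tlv(0x30, TBS + tlv(0x30, b"") + tlv(0x03, b"\x00"))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT).decode() + "-----END CERTIFICATE-----\n"
```

Pass the PEM text of the cluster's CA certificate to ca_cert_hash to obtain the value for the flag.
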
If you cannot know the CA public key hash ahead of time, you can pass
the --discovery-token-unsafe-skip-ca-verification flag to disable this
verification. This weakens the kubeadm security model since other nodes
can potentially impersonate the Kubernetes Control Plane.

The TLS bootstrap mechanism is also driven via a shared token. This is
used to temporarily authenticate with the Kubernetes Control Plane to
submit a certificate signing request (CSR) for a locally created key
pair. By default, kubeadm will set up the Kubernetes Control Plane to
automatically approve these signing requests. This token is passed in
with the --tls-bootstrap-token abcdef.1234567890abcdef flag.

Oftentimes the same token is used for both parts. In this case, the
--token flag can be used instead of specifying each token individually.

The "join [api-server-endpoint]" command executes the following phases:

preflight              Run join pre-flight checks
control-plane-prepare  Prepare the machine for serving a control plane
  /download-certs        [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
  /certs                 Generate the certificates for the new control plane components
  /kubeconfig            Generate the kubeconfig for the new control plane components
  /control-plane         Generate the manifests for the new control plane components
kubelet-start          Write kubelet settings, certificates and (re)start the kubelet
control-plane-join     Join a machine as a control plane instance
  /etcd                  Add a new local etcd member
  /update-status         Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap
  /mark-control-plane    Mark a node as a control-plane

OPTIONS
--apiserver-advertise-address=""
    If the node should host a new control plane instance, the IP
    address the API Server will advertise it's listening on. If not set
    the default network interface will be used.

--apiserver-bind-port=6443
    If the node should host a new control plane instance, the port for
    the API Server to bind to.

--certificate-key=""
    Use this key to decrypt the certificate secrets uploaded by init.

--config=""
    Path to kubeadm config file.

--control-plane=false
    Create a new control plane instance on this node

--cri-socket=""
    Path to the CRI socket to connect. If empty kubeadm will try to
    auto-detect this value; use this option only if you have more than
    one CRI installed or if you have non-standard CRI socket.

--discovery-file=""
    For file-based discovery, a file or URL from which to load cluster
    information.

--discovery-token=""
    For token-based discovery, the token used to validate cluster
    information fetched from the API server.

--discovery-token-ca-cert-hash=[]
    For token-based discovery, validate that the root CA public key
    matches this hash (format: "<type>:<value>").

--discovery-token-unsafe-skip-ca-verification=false
    For token-based discovery, allow joining without
    --discovery-token-ca-cert-hash pinning.

-k, --experimental-kustomize=""
    The path where kustomize patches for static pod manifests are
    stored.

--ignore-preflight-errors=[]
    A list of checks whose errors will be shown as warnings. Example:
    'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.

--node-name=""
    Specify the node name.

--skip-phases=[]
    List of phases to be skipped

--tls-bootstrap-token=""
    Specify the token used to temporarily authenticate with the
    Kubernetes Control Plane while joining the node.

--token=""
    Use this token for both discovery-token and tls-bootstrap-token
    when those values are not provided.

OPTIONS INHERITED FROM PARENT COMMANDS
--azure-container-registry-config=""
    Path to the file containing Azure container registry configuration
    information.

--log-flush-frequency=5s
    Maximum number of seconds between log flushes

--rootfs=""
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

--version=false
    Print version information and quit

SEE ALSO
kubeadm(1), kubeadm-join-phase(1),

HISTORY
January 2015, Originally compiled by Eric Paris (eparis at redhat dot
com) based on the kubernetes source material, but hopefully they have
been automatically generated since!

Eric Paris                  kubernetes User Manuals              KUBERNETES(1)