KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

kubeadm join - Run this on any machine you wish to join an existing cluster

kubeadm join [OPTIONS]

When joining a kubeadm initialized cluster, we need to establish
bidirectional trust. This is split into discovery (having the Node trust
the Kubernetes Control Plane) and TLS bootstrap (having the Kubernetes
Control Plane trust the Node).

There are 2 main schemes for discovery. The first is to use a shared
token along with the IP address of the API server. The second is to
provide a file - a subset of the standard kubeconfig file. This file
can be a local file or downloaded via an HTTPS URL. The forms are
kubeadm join --discovery-token abcdef.1234567890abcdef 1.2.3.4:6443,
kubeadm join --discovery-file path/to/file.conf, or
kubeadm join --discovery-file https://url/file.conf. Only one form can
be used. If the discovery information is loaded from a URL, HTTPS must
be used. Also, in that case the host installed CA bundle is used to
verify the connection.

If you use a shared token for discovery, you should also pass the
--discovery-token-ca-cert-hash flag to validate the public key of the
root certificate authority (CA) presented by the Kubernetes Control
Plane. The value of this flag is specified as ":", where the supported
hash type is "sha256". The hash is calculated over the bytes of the
Subject Public Key Info (SPKI) object (as in RFC7469). This value is
available in the output of "kubeadm init" or can be calculated using
standard tools. The --discovery-token-ca-cert-hash flag may be repeated
multiple times to allow more than one public key.

If you cannot know the CA public key hash ahead of time, you can pass
the --discovery-token-unsafe-skip-ca-verification flag to disable this
verification. This weakens the kubeadm security model since other nodes
can potentially impersonate the Kubernetes Control Plane.

The TLS bootstrap mechanism is also driven via a shared token. This is
used to temporarily authenticate with the Kubernetes Control Plane to
submit a certificate signing request (CSR) for a locally created key
pair. By default, kubeadm will set up the Kubernetes Control Plane to
automatically approve these signing requests. This token is passed in
with the --tls-bootstrap-token abcdef.1234567890abcdef flag.

Often the same token is used for both parts. In this case, the
--token flag can be used instead of specifying each token individually.
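
An added example, not part of the kubeadm manual: a Python check that reads a kubeadm join command line (for instance from a provisioning script) and reports the discovery weaknesses described above, namely a missing or skipped CA pin, a non-HTTPS discovery URL, and mixed discovery forms. The function names, the finding texts and the sample command are assumptions of this example.

```python
import re
import shlex

PIN_RE = re.compile(r"sha256:[0-9a-fA-F]{64}")  # supported hash type plus hex digest
SKIP = "--discovery-token-unsafe-skip-ca-verification"
BOOLEAN = {SKIP, "--control-plane"}             # flags that may appear without a value

def parse_flags(command):
    """Collect flags as {name: [values]}; accepts '--flag=value' and '--flag value'."""
    flags, args, i = {}, shlex.split(command), 0
    while i < len(args):
        name, sep, value = args[i].partition("=")
        if name.startswith("--"):
            if not sep and name in BOOLEAN:
                value = "true"
            elif not sep and i + 1 < len(args):
                i, value = i + 1, args[i + 1]
            flags.setdefault(name, []).append(value)
        i += 1
    return flags

def audit_join(command):
    """Return a list of findings for one join command line (empty list: none)."""
    flags = parse_flags(command)
    files = flags.get("--discovery-file", [])
    pins = flags.get("--discovery-token-ca-cert-hash", [])
    # Assumption of this example: --token drives discovery only when no file is given.
    by_token = "--discovery-token" in flags or ("--token" in flags and not files)
    findings = []
    if files and "--discovery-token" in flags:
        findings.append("token and file discovery both set; only one form can be used")
    for src in files:
        if "://" in src and not src.startswith("https://"):
            findings.append("discovery file URL is not HTTPS: " + src)
    if by_token and not pins:
        skipped = flags.get(SKIP, ["false"])[-1] == "true"
        findings.append("CA pinning skipped; control plane can be impersonated"
                        if skipped else "token discovery without a CA public key pin")
    for pin in pins:
        if not PIN_RE.fullmatch(pin):
            findings.append("malformed CA pin: " + pin)
    return findings

# Constructed sample: the token is the manual's placeholder value.
SAMPLE = ("kubeadm join --token abcdef.1234567890abcdef "
          "--discovery-token-unsafe-skip-ca-verification 1.2.3.4:6443")

if __name__ == "__main__":
    print(audit_join(SAMPLE))
```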

The "join [api-server-endpoint]" command executes the following phases:

preflight                Run join pre-flight checks
control-plane-prepare    Prepare the machine for serving a control plane
  /download-certs          [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
  /certs                   Generate the certificates for the new control plane components
  /kubeconfig              Generate the kubeconfig for the new control plane components
  /control-plane           Generate the manifests for the new control plane components
kubelet-start            Write kubelet settings, certificates and (re)start the kubelet
control-plane-join       Join a machine as a control plane instance
  /etcd                    Add a new local etcd member
  /update-status           Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap
  /mark-control-plane      Mark a node as a control-plane

--apiserver-advertise-address=""
    If the node should host a new control plane instance, the IP address
    the API Server will advertise it's listening on. If not set the
    default network interface will be used.

--apiserver-bind-port=6443
    If the node should host a new control plane instance, the port for
    the API Server to bind to.

--certificate-key=""
    Use this key to decrypt the certificate secrets uploaded by init.

--config=""
    Path to kubeadm config file.

--control-plane=false
    Create a new control plane instance on this node

--cri-socket=""
    Path to the CRI socket to connect to. If empty, kubeadm will try to
    auto-detect this value; use this option only if you have more than
    one CRI installed or if you have a non-standard CRI socket.

--discovery-file=""
    For file-based discovery, a file or URL from which to load cluster
    information.

--discovery-token=""
    For token-based discovery, the token used to validate cluster
    information fetched from the API server.

--discovery-token-ca-cert-hash=[]
    For token-based discovery, validate that the root CA public key
    matches this hash (format: ":").

--discovery-token-unsafe-skip-ca-verification=false
    For token-based discovery, allow joining without
    --discovery-token-ca-cert-hash pinning.

--experimental-patches=""
    Path to a directory that contains files named
    "target[suffix][+patchtype].extension". For example,
    "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be
    one of "strategic", "merge" or "json" and they match the patch
    formats supported by kubectl. The default "patchtype" is
    "strategic". "extension" must be either "json" or "yaml". "suffix"
    is an optional string that can be used to determine which patches
    are applied first alpha-numerically.

--ignore-preflight-errors=[]
    A list of checks whose errors will be shown as warnings. Example:
    'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.

--node-name=""
    Specify the node name.

--skip-phases=[]
    List of phases to be skipped

--tls-bootstrap-token=""
    Specify the token used to temporarily authenticate with the
    Kubernetes Control Plane while joining the node.

--token=""
    Use this token for both discovery-token and tls-bootstrap-token when
    those values are not provided.

--azure-container-registry-config=""
    Path to the file containing Azure container registry configuration
    information.

--log-flush-frequency=5s
    Maximum number of seconds between log flushes

--rootfs=""
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

--version=false
    Print version information and quit

kubeadm(1), kubeadm-join-phase(1),

January 2015, Originally compiled by Eric Paris (eparis at redhat dot
com) based on the kubernetes source material, but hopefully they have
been automatically generated since!

Manuals User KUBERNETES(1)(kubernetes)