KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME

       kubeadm join - Run this on any machine you wish to join an existing
       cluster

SYNOPSIS

       kubeadm join [OPTIONS]

DESCRIPTION

       When joining a kubeadm initialized cluster, we need to establish
       bidirectional trust. This is split into discovery (having the Node
       trust the Kubernetes Control Plane) and TLS bootstrap (having the
       Kubernetes Control Plane trust the Node).

       There are 2 main schemes for discovery. The first is to use a shared
       token along with the IP address of the API server. The second is to
       provide a file - a subset of the standard kubeconfig file. This file
       can be a local file or downloaded via an HTTPS URL. The forms are
       kubeadm join --discovery-token abcdef.1234567890abcdef 1.2.3.4:6443,
       kubeadm join --discovery-file path/to/file.conf, or
       kubeadm join --discovery-file https://url/file.conf. Only one form
       can be used. If the discovery information is loaded from a URL, HTTPS
       must be used. Also, in that case the host installed CA bundle is used
       to verify the connection.

       If you use a shared token for discovery, you should also pass the
       --discovery-token-ca-cert-hash flag to validate the public key of the
       root certificate authority (CA) presented by the Kubernetes Control
       Plane. The value of this flag is specified as
       "<hash-type>:<hex-encoded-value>", where the supported hash type is
       "sha256". The hash is calculated over the bytes of the Subject Public
       Key Info (SPKI) object (as in RFC7469). This value is available in
       the output of "kubeadm init" or can be calculated using standard
       tools. The --discovery-token-ca-cert-hash flag may be repeated
       multiple times to allow more than one public key.

       If you cannot know the CA public key hash ahead of time, you can pass
       the --discovery-token-unsafe-skip-ca-verification flag to disable this
       verification. This weakens the kubeadm security model since other
       nodes can potentially impersonate the Kubernetes Control Plane.

       The TLS bootstrap mechanism is also driven via a shared token. This is
       used to temporarily authenticate with the Kubernetes Control Plane to
       submit a certificate signing request (CSR) for a locally created key
       pair. By default, kubeadm will set up the Kubernetes Control Plane to
       automatically approve these signing requests. This token is passed in
       with the --tls-bootstrap-token abcdef.1234567890abcdef flag.

       Often times the same token is used for both parts. In this case, the
       --token flag can be used instead of specifying each token individually.

       The "join [api-server-endpoint]" command executes the following phases:

              preflight              Run join pre-flight checks
              control-plane-prepare  Prepare the machine for serving a control plane
                /download-certs        [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
                /certs                 Generate the certificates for the new control plane components
                /kubeconfig            Generate the kubeconfig for the new control plane components
                /control-plane         Generate the manifests for the new control plane components
              kubelet-start          Write kubelet settings, certificates and (re)start the kubelet
              control-plane-join     Join a machine as a control plane instance
                /etcd                  Add a new local etcd member
                /update-status         Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap
                /mark-control-plane    Mark a node as a control-plane

OPTIONS

       --apiserver-advertise-address=""      If the node should host a new
       control plane instance, the IP address the API Server will advertise
       it's listening on. If not set, the default network interface will be
       used.

       --apiserver-bind-port=6443      If the node should host a new control
       plane instance, the port for the API Server to bind to.

       --certificate-key=""      Use this key to decrypt the certificate
       secrets uploaded by init.

       --config=""      Path to kubeadm config file.

       --control-plane=false      Create a new control plane instance on this
       node.

       --cri-socket=""      Path to the CRI socket to connect. If empty,
       kubeadm will try to auto-detect this value; use this option only if
       you have more than one CRI installed or if you have a non-standard CRI
       socket.

       --discovery-file=""      For file-based discovery, a file or URL from
       which to load cluster information.

       --discovery-token=""      For token-based discovery, the token used to
       validate cluster information fetched from the API server.

       --discovery-token-ca-cert-hash=[]      For token-based discovery,
       validate that the root CA public key matches this hash (format:
       "<type>:<value>").

       --discovery-token-unsafe-skip-ca-verification=false      For
       token-based discovery, allow joining without
       --discovery-token-ca-cert-hash pinning.

       --experimental-patches=""      Path to a directory that contains files
       named "target[suffix][+patchtype].extension". For example,
       "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be
       one of "strategic", "merge" or "json" and they match the patch formats
       supported by kubectl. The default "patchtype" is "strategic".
       "extension" must be either "json" or "yaml". "suffix" is an optional
       string that can be used to determine which patches are applied first
       alpha-numerically.

       --ignore-preflight-errors=[]      A list of checks whose errors will be
       shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all'
       ignores errors from all checks.

       --node-name=""      Specify the node name.

       --skip-phases=[]      List of phases to be skipped

       --tls-bootstrap-token=""      Specify the token used to temporarily
       authenticate with the Kubernetes Control Plane while joining the node.

       --token=""      Use this token for both discovery-token and
       tls-bootstrap-token when those values are not provided.

OPTIONS INHERITED FROM PARENT COMMANDS

       --azure-container-registry-config=""      Path to the file containing
       Azure container registry configuration information.

       --log-flush-frequency=5s      Maximum number of seconds between log
       flushes

       --rootfs=""      [EXPERIMENTAL] The path to the 'real' host root
       filesystem.

       --version=false      Print version information and quit

SEE ALSO

       kubeadm(1), kubeadm-join-phase(1)

HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!