KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

kubeadm join - Run this on any machine you wish to join an existing cluster

kubeadm join [OPTIONS]

When joining a kubeadm initialized cluster, we need to establish
bidirectional trust. This is split into discovery (having the Node trust
the Kubernetes Control Plane) and TLS bootstrap (having the Kubernetes
Control Plane trust the Node).

There are 2 main schemes for discovery. The first is to use a shared
token along with the IP address of the API server. The second is to
provide a file - a subset of the standard kubeconfig file. This file
can be a local file or downloaded via an HTTPS URL. The forms are
kubeadm join --discovery-token abcdef.1234567890abcdef 1.2.3.4:6443,
kubeadm join --discovery-file path/to/file.conf, or
kubeadm join --discovery-file https://url/file.conf. Only one form can
be used. If the discovery information is loaded from a URL, HTTPS must
be used. Also, in that case the host installed CA bundle is used to
verify the connection.

If you use a shared token for discovery, you should also pass the
--discovery-token-ca-cert-hash flag to validate the public key of the
root certificate authority (CA) presented by the Kubernetes Control
Plane. The value of this flag is specified as
"<hash-type>:<hex-encoded-value>", where the supported hash type is
"sha256". The hash is calculated over the bytes of the Subject Public
Key Info (SPKI) object (as in RFC7469). This value is available in the
output of "kubeadm init" or can be calculated using standard tools. The
--discovery-token-ca-cert-hash flag may be repeated multiple times to
allow more than one public key.

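The pin format described above, as an added example in Go (not kubeadm's own code): spkiPin hashes the DER-encoded SPKI of a CA certificate and pinAllowed checks a presented CA against one or more pins. The function names and the throwaway self-signed CA are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
)

// spkiPin returns "sha256:<hex>" over the certificate's DER-encoded SPKI.
func spkiPin(cert *x509.Certificate) string {
	return fmt.Sprintf("sha256:%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo))
}

// pinAllowed reports whether cert matches any pin (the flag may be repeated).
func pinAllowed(cert *x509.Certificate, pins []string) (bool, error) {
	got, ok := spkiPin(cert), false
	for _, p := range pins {
		raw, err := hex.DecodeString(strings.TrimPrefix(p, "sha256:"))
		if !strings.HasPrefix(p, "sha256:") || err != nil || len(raw) != sha256.Size {
			return false, fmt.Errorf("bad pin %q: want sha256:<64 hex chars>", p)
		}
		ok = ok || strings.EqualFold(p, got)
	}
	return ok, nil
}

// newTestCA returns a throwaway self-signed CA (constructed sample input).
func newTestCA() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	if ca, err := newTestCA(); err == nil {
		fmt.Println("pin for constructed CA:", spkiPin(ca))
	}
}
```

Because the hash covers only the SPKI, a CA certificate reissued with the same key pair keeps the same pin, while a CA with a different key does not match.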
If you cannot know the CA public key hash ahead of time, you can pass
the --discovery-token-unsafe-skip-ca-verification flag to disable this
verification. This weakens the kubeadm security model since other nodes
can potentially impersonate the Kubernetes Control Plane.

The TLS bootstrap mechanism is also driven via a shared token. This is
used to temporarily authenticate with the Kubernetes Control Plane to
submit a certificate signing request (CSR) for a locally created key
pair. By default, kubeadm will set up the Kubernetes Control Plane to
automatically approve these signing requests. This token is passed in
with the --tls-bootstrap-token abcdef.1234567890abcdef flag.

Often the same token is used for both parts. In this case, the
--token flag can be used instead of specifying each token individually.

The "join [api-server-endpoint]" command executes the following phases:

preflight              Run join pre-flight checks
control-plane-prepare  Prepare the machine for serving a control plane
  /download-certs        [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
  /certs                 Generate the certificates for the new control plane components
  /kubeconfig            Generate the kubeconfig for the new control plane components
  /control-plane         Generate the manifests for the new control plane components
kubelet-start          Write kubelet settings, certificates and (re)start the kubelet
control-plane-join     Join a machine as a control plane instance
  /etcd                  Add a new local etcd member
  /update-status         Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap (DEPRECATED)
  /mark-control-plane    Mark a node as a control-plane

--apiserver-advertise-address=""
    If the node should host a new control plane instance, the IP address
    the API Server will advertise it's listening on. If not set, the
    default network interface will be used.

--apiserver-bind-port=6443
    If the node should host a new control plane instance, the port for
    the API Server to bind to.

--certificate-key=""
    Use this key to decrypt the certificate secrets uploaded by init.

--config=""
    Path to kubeadm config file.

--control-plane=false
    Create a new control plane instance on this node.

--cri-socket=""
    Path to the CRI socket to connect to. If empty, kubeadm will try to
    auto-detect this value; use this option only if you have more than
    one CRI installed or if you have a non-standard CRI socket.

--discovery-file=""
    For file-based discovery, a file or URL from which to load cluster
    information.

--discovery-token=""
    For token-based discovery, the token used to validate cluster
    information fetched from the API server.

--discovery-token-ca-cert-hash=[]
    For token-based discovery, validate that the root CA public key
    matches this hash (format: "<type>:<value>").

--discovery-token-unsafe-skip-ca-verification=false
    For token-based discovery, allow joining without
    --discovery-token-ca-cert-hash pinning.

--dry-run=false
    Don't apply any changes; just output what would be done.

--ignore-preflight-errors=[]
    A list of checks whose errors will be shown as warnings. Example:
    'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.

--node-name=""
    Specify the node name.

--patches=""
    Path to a directory that contains files named
    "target[suffix][+patchtype].extension". For example,
    "kube-apiserver0+merge.yaml" or just "etcd.json". "target" can be
    one of "kube-apiserver", "kube-controller-manager",
    "kube-scheduler", "etcd". "patchtype" can be one of "strategic",
    "merge" or "json" and they match the patch formats supported by
    kubectl. The default "patchtype" is "strategic". "extension" must be
    either "json" or "yaml". "suffix" is an optional string that can be
    used to determine which patches are applied first
    alpha-numerically.

--skip-phases=[]
    List of phases to be skipped.

--tls-bootstrap-token=""
    Specify the token used to temporarily authenticate with the
    Kubernetes Control Plane while joining the node.

--token=""
    Use this token for both discovery-token and tls-bootstrap-token
    when those values are not provided.

--azure-container-registry-config=""
    Path to the file containing Azure container registry configuration
    information.

--rootfs=""
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

--version=false
    Print version information and quit.

kubeadm(1), kubeadm-join-phase(1),

January 2015, Originally compiled by Eric Paris (eparis at redhat dot
com) based on the kubernetes source material, but hopefully they have
been automatically generated since!