KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME

       kubeadm join - Run this on any machine you wish to join an existing
       cluster

SYNOPSIS

       kubeadm join [OPTIONS]

DESCRIPTION

       When joining a kubeadm initialized cluster, we need to establish
       bidirectional trust. This is split into discovery (having the Node
       trust the Kubernetes Control Plane) and TLS bootstrap (having the
       Kubernetes Control Plane trust the Node).

       There are 2 main schemes for discovery. The first is to use a shared
       token along with the IP address of the API server. The second is to
       provide a file - a subset of the standard kubeconfig file. This file
       can be a local file or downloaded via an HTTPS URL. The forms are
       kubeadm join --discovery-token abcdef.1234567890abcdef 1.2.3.4:6443,
       kubeadm join --discovery-file path/to/file.conf, or kubeadm join
       --discovery-file https://url/file.conf. Only one form can be used. If
       the discovery information is loaded from a URL, HTTPS must be used.
       Also, in that case the host installed CA bundle is used to verify the
       connection.

       If you use a shared token for discovery, you should also pass the
       --discovery-token-ca-cert-hash flag to validate the public key of the
       root certificate authority (CA) presented by the Kubernetes Control
       Plane. The value of this flag is specified as "<type>:<value>", where
       the supported hash type is "sha256". The hash is calculated over the
       bytes of the Subject Public Key Info (SPKI) object (as in RFC7469).
       This value is available in the output of "kubeadm init" or can be
       calculated using standard tools. The --discovery-token-ca-cert-hash
       flag may be repeated multiple times to allow more than one public key.

       If you cannot know the CA public key hash ahead of time, you can pass
       the --discovery-token-unsafe-skip-ca-verification flag to disable this
       verification. This weakens the kubeadm security model since other nodes
       can potentially impersonate the Kubernetes Control Plane.

       The TLS bootstrap mechanism is also driven via a shared token. This is
       used to temporarily authenticate with the Kubernetes Control Plane to
       submit a certificate signing request (CSR) for a locally created key
       pair. By default, kubeadm will set up the Kubernetes Control Plane to
       automatically approve these signing requests. This token is passed in
       with the --tls-bootstrap-token abcdef.1234567890abcdef flag.

       Oftentimes the same token is used for both parts. In this case, the
       --token flag can be used instead of specifying each token individually.

       The "join [api-server-endpoint]" command executes the following phases:

              preflight              Run join pre-flight checks
              control-plane-prepare  Prepare the machine for serving a control plane
                /download-certs        [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
                /certs                 Generate the certificates for the new control plane components
                /kubeconfig            Generate the kubeconfig for the new control plane components
                /control-plane         Generate the manifests for the new control plane components
              kubelet-start          Write kubelet settings, certificates and (re)start the kubelet
              control-plane-join     Join a machine as a control plane instance
                /etcd                  Add a new local etcd member
                /update-status         Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap (DEPRECATED)
                /mark-control-plane    Mark a node as a control-plane

OPTIONS

       --apiserver-advertise-address=""      If the node should host a new
       control plane instance, the IP address the API Server will advertise
       it is listening on. If not set, the default network interface will be
       used.

       --apiserver-bind-port=6443      If the node should host a new control
       plane instance, the port for the API Server to bind to.

       --certificate-key=""      Use this key to decrypt the certificate
       secrets uploaded by init.

       --config=""      Path to kubeadm config file.

       --control-plane=false      Create a new control plane instance on this
       node

       --cri-socket=""      Path to the CRI socket to connect to. If empty,
       kubeadm will try to auto-detect this value; use this option only if you
       have more than one CRI installed or if you have a non-standard CRI
       socket.

       --discovery-file=""      For file-based discovery, a file or URL from
       which to load cluster information.

       --discovery-token=""      For token-based discovery, the token used to
       validate cluster information fetched from the API server.

       --discovery-token-ca-cert-hash=[]      For token-based discovery,
       validate that the root CA public key matches this hash (format:
       "<type>:<value>").

       --discovery-token-unsafe-skip-ca-verification=false      For
       token-based discovery, allow joining without
       --discovery-token-ca-cert-hash pinning.

       --dry-run=false      Don't apply any changes; just output what would be
       done.

       --ignore-preflight-errors=[]      A list of checks whose errors will be
       shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all'
       ignores errors from all checks.

       --node-name=""      Specify the node name.

       --patches=""      Path to a directory that contains files named
       "target[suffix][+patchtype].extension". For example,
       "kube-apiserver0+merge.yaml" or just "etcd.json". "target" can be one
       of "kube-apiserver", "kube-controller-manager", "kube-scheduler",
       "etcd". "patchtype" can be one of "strategic", "merge" or "json" and
       they match the patch formats supported by kubectl. The default
       "patchtype" is "strategic". "extension" must be either "json" or
       "yaml". "suffix" is an optional string that can be used to determine
       which patches are applied first alpha-numerically.

       --skip-phases=[]      List of phases to be skipped

       --tls-bootstrap-token=""      Specify the token used to temporarily
       authenticate with the Kubernetes Control Plane while joining the node.

       --token=""      Use this token for both discovery-token and
       tls-bootstrap-token when those values are not provided.

OPTIONS INHERITED FROM PARENT COMMANDS

       --azure-container-registry-config=""      Path to the file containing
       Azure container registry configuration information.

       --rootfs=""      [EXPERIMENTAL] The path to the 'real' host root
       filesystem.

       --version=false      Print version information and quit

SEE ALSO

       kubeadm(1), kubeadm-join-phase(1),

HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!

Manuals                              User            KUBERNETES(1)(kubernetes)