1KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)
2
3
4
5Eric Paris Jan 2015
6
7

NAME

9       kubeadm  join  -  Run  this on any machine you wish to join an existing
10       cluster
11
12
13

SYNOPSIS

15       kubeadm join [OPTIONS]
16
17
18

DESCRIPTION

20       When joining a kubeadm initialized cluster, we need to establish  bidi‐
21       rectional  trust.  This  is split into discovery (having the Node trust
22       the Kubernetes Control Plane) and TLS bootstrap (having the  Kubernetes
23       Control Plane trust the Node).
24
25
26       There  are  2  main schemes for discovery. The first is to use a shared
27       token along with the IP address of the API server.  The  second  is  to
28       provide  a file - a subset of the standard kubeconfig file. The discov‐
29       ery/kubeconfig file supports token,  client-go  authentication  plugins
30       ("exec"),  "tokenFile",  and  "authProvider".  This file can be a local
31       file or downloaded via an HTTPS URL. The forms are kubeadm join  --dis‐
32       covery-token  abcdef.1234567890abcdef 1.2.3.4:6443, kubeadm join --dis‐
33       covery-file  path/to/file.conf,  or   kubeadm   join   --discovery-file
34       https://url/file.conf.  Only one form can be used. If the discovery in‐
35       formation is loaded from a URL, HTTPS must be used.  Also, in that case
36       the host installed CA bundle is used to verify the connection.
37
38
39       If  you  use  a  shared  token  for discovery, you should also pass the
40       --discovery-token-ca-cert-hash flag to validate the public key  of  the
41       root  certificate  authority  (CA)  presented by the Kubernetes Control
42       Plane.  The value of this flag is specified as ":", where the supported
43       hash  type  is  "sha256".  The hash is calculated over the bytes of the
44       Subject Public Key Info (SPKI) object (as in RFC7469).  This  value  is
45       available  in  the  output of "kubeadm init" or can be calculated using
46       standard tools. The --discovery-token-ca-cert-hash flag may be repeated
47       multiple times to allow more than one public key.
48
49
50       If  you  cannot know the CA public key hash ahead of time, you can pass
51       the --discovery-token-unsafe-skip-ca-verification flag to disable  this
52       verification. This weakens the kubeadm security model since other nodes
53       can potentially impersonate the Kubernetes Control Plane.
54
55
56       The TLS bootstrap mechanism is also driven via a shared token. This  is
57       used  to  temporarily authenticate with the Kubernetes Control Plane to
58       submit a certificate signing request (CSR) for a  locally  created  key
59       pair.  By  default, kubeadm will set up the Kubernetes Control Plane to
60       automatically approve these signing requests. This token is  passed  in
61       with the --tls-bootstrap-token abcdef.1234567890abcdef flag.
62
63
64       Often  times  the  same token is used for both parts. In this case, the
65       --token flag can be used instead of specifying each token individually.
66
67
68       The "join [api-server-endpoint]" command executes the following phases:
69
70
71              preflight              Run join pre-flight checks
72              control-plane-prepare  Prepare the machine for serving a control plane
73                /download-certs        [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
74                /certs                 Generate the certificates for the new control plane components
75                /kubeconfig            Generate the kubeconfig for the new control plane components
76                /control-plane         Generate the manifests for the new control plane components
77              kubelet-start          Write kubelet settings, certificates and (re)start the kubelet
78              control-plane-join     Join a machine as a control plane instance
79                /etcd                  Add a new local etcd member
80                /update-status         Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap (DEPRECATED)
81                /mark-control-plane    Mark a node as a control-plane
82
83
84
85

OPTIONS

87       --apiserver-advertise-address=""      If the node  should  host  a  new
88       control  plane  instance,  the IP address the API Server will advertise
89       it's listening on. If not set the default  network  interface  will  be
90       used.
91
92
93       --apiserver-bind-port=6443       If  the node should host a new control
94       plane instance, the port for the API Server to bind to.
95
96
97       --certificate-key=""      Use this key to decrypt the  certificate  se‐
98       crets uploaded by init.
99
100
101       --config=""      Path to kubeadm config file.
102
103
104       --control-plane=false       Create a new control plane instance on this
105       node
106
107
108       --cri-socket=""      Path to  the  CRI  socket  to  connect.  If  empty
109       kubeadm will try to auto-detect this value; use this option only if you
110       have more than one CRI  installed  or  if  you  have  non-standard  CRI
111       socket.
112
113
114       --discovery-file=""       For  file-based discovery, a file or URL from
115       which to load cluster information.
116
117
118       --discovery-token=""      For token-based discovery, the token used  to
119       validate cluster information fetched from the API server.
120
121
122       --discovery-token-ca-cert-hash=[]      For token-based discovery, vali‐
123       date that the root CA public key matches this hash (format: ":").
124
125
126       --discovery-token-unsafe-skip-ca-verification=false        For   token-
127       based  discovery,  allow joining without --discovery-token-ca-cert-hash
128       pinning.
129
130
131       --dry-run=false      Don't apply any changes; just output what would be
132       done.
133
134
135       --ignore-preflight-errors=[]      A list of checks whose errors will be
136       shown as warnings. Example: 'IsPrivilegedUser,Swap'.  Value  'all'  ig‐
137       nores errors from all checks.
138
139
140       --node-name=""      Specify the node name.
141
142
143       --patches=""       Path  to a directory that contains files named "tar‐
144       get[suffix][+patchtype].extension".    For     example,     "kube-apis‐
145       erver0+merge.yaml"  or  just "etcd.json". "target" can be one of "kube-
146       apiserver",   "kube-controller-manager",   "kube-scheduler",    "etcd",
147       "kubeletconfiguration".  "patchtype" can be one of "strategic", "merge"
148       or "json" and they match the patch formats supported  by  kubectl.  The
149       default  "patchtype"  is "strategic". "extension" must be either "json"
150       or "yaml". "suffix" is an optional string that can be used to determine
151       which patches are applied first alpha-numerically.
152
153
154       --skip-phases=[]      List of phases to be skipped
155
156
157       --tls-bootstrap-token=""      Specify the token used to temporarily au‐
158       thenticate with the Kubernetes Control Plane while joining the node.
159
160
161       --token=""      Use this token for both discovery-token  and  tls-boot‐
162       strap-token when those values are not provided.
163
164
165

OPTIONS INHERITED FROM PARENT COMMANDS

167       --azure-container-registry-config=""       Path  to the file containing
168       Azure container registry configuration information.
169
170
171       --rootfs=""      [EXPERIMENTAL]  The  path  to  the  'real'  host  root
172       filesystem.
173
174
175       --version=false      Print version information and quit
176
177
178

SEE ALSO

180       kubeadm(1), kubeadm-join-phase(1),
181
182
183

HISTORY

185       January  2015,  Originally compiled by Eric Paris (eparis at redhat dot
186       com) based on the kubernetes source material, but hopefully  they  have
187       been automatically generated since!
188
189
190
191Manuals                              User            KUBERNETES(1)(kubernetes)
Impressum