1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2
3
4
5Eric Paris Jan 2015
6
7
9 kubeadm join - Run this on any machine you wish to join an existing
10 cluster
11
12
13
15 kubeadm join [OPTIONS]
16
17
18
20 When joining a kubeadm initialized cluster, we need to establish bidi‐
21 rectional trust. This is split into discovery (having the Node trust
22 the Kubernetes Control Plane) and TLS bootstrap (having the Kubernetes
23 Control Plane trust the Node).
24
25
26 There are 2 main schemes for discovery. The first is to use a shared
27 token along with the IP address of the API server. The second is to
28 provide a file - a subset of the standard kubeconfig file. The discov‐
29 ery/kubeconfig file supports token, client-go authentication plugins
30 ("exec"), "tokenFile", and "authProvider". This file can be a local
31 file or downloaded via an HTTPS URL. The forms are kubeadm join --dis‐
32 covery-token abcdef.1234567890abcdef 1.2.3.4:6443, kubeadm join --dis‐
33 covery-file path/to/file.conf, or kubeadm join --discovery-file
34 https://url/file.conf. Only one form can be used. If the discovery in‐
35 formation is loaded from a URL, HTTPS must be used. Also, in that case
36 the host installed CA bundle is used to verify the connection.
37
38
39 If you use a shared token for discovery, you should also pass the
40 --discovery-token-ca-cert-hash flag to validate the public key of the
41 root certificate authority (CA) presented by the Kubernetes Control
42 Plane. The value of this flag is specified as ":", where the supported
43 hash type is "sha256". The hash is calculated over the bytes of the
44 Subject Public Key Info (SPKI) object (as in RFC7469). This value is
45 available in the output of "kubeadm init" or can be calculated using
46 standard tools. The --discovery-token-ca-cert-hash flag may be repeated
47 multiple times to allow more than one public key.
48
49
50 If you cannot know the CA public key hash ahead of time, you can pass
51 the --discovery-token-unsafe-skip-ca-verification flag to disable this
52 verification. This weakens the kubeadm security model since other nodes
53 can potentially impersonate the Kubernetes Control Plane.
54
55
56 The TLS bootstrap mechanism is also driven via a shared token. This is
57 used to temporarily authenticate with the Kubernetes Control Plane to
58 submit a certificate signing request (CSR) for a locally created key
59 pair. By default, kubeadm will set up the Kubernetes Control Plane to
60 automatically approve these signing requests. This token is passed in
61 with the --tls-bootstrap-token abcdef.1234567890abcdef flag.
62
63
64 Often times the same token is used for both parts. In this case, the
65 --token flag can be used instead of specifying each token individually.
66
67
68 The "join [api-server-endpoint]" command executes the following phases:
69
70
71 preflight Run join pre-flight checks
72 control-plane-prepare Prepare the machine for serving a control plane
73 /download-certs [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
74 /certs Generate the certificates for the new control plane components
75 /kubeconfig Generate the kubeconfig for the new control plane components
76 /control-plane Generate the manifests for the new control plane components
77 kubelet-start Write kubelet settings, certificates and (re)start the kubelet
78 control-plane-join Join a machine as a control plane instance
79 /etcd Add a new local etcd member
80 /update-status Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap (DEPRECATED)
81 /mark-control-plane Mark a node as a control-plane
82
83
84
85
87 --apiserver-advertise-address="" If the node should host a new
88 control plane instance, the IP address the API Server will advertise
89 it's listening on. If not set the default network interface will be
90 used.
91
92
93 --apiserver-bind-port=6443 If the node should host a new control
94 plane instance, the port for the API Server to bind to.
95
96
97 --certificate-key="" Use this key to decrypt the certificate se‐
98 crets uploaded by init.
99
100
101 --config="" Path to kubeadm config file.
102
103
104 --control-plane=false Create a new control plane instance on this
105 node
106
107
108 --cri-socket="" Path to the CRI socket to connect. If empty
109 kubeadm will try to auto-detect this value; use this option only if you
110 have more than one CRI installed or if you have non-standard CRI
111 socket.
112
113
114 --discovery-file="" For file-based discovery, a file or URL from
115 which to load cluster information.
116
117
118 --discovery-token="" For token-based discovery, the token used to
119 validate cluster information fetched from the API server.
120
121
122 --discovery-token-ca-cert-hash=[] For token-based discovery, vali‐
123 date that the root CA public key matches this hash (format: ":").
124
125
126 --discovery-token-unsafe-skip-ca-verification=false For token-
127 based discovery, allow joining without --discovery-token-ca-cert-hash
128 pinning.
129
130
131 --dry-run=false Don't apply any changes; just output what would be
132 done.
133
134
135 --ignore-preflight-errors=[] A list of checks whose errors will be
136 shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ig‐
137 nores errors from all checks.
138
139
140 --node-name="" Specify the node name.
141
142
143 --patches="" Path to a directory that contains files named "tar‐
144 get[suffix][+patchtype].extension". For example, "kube-apis‐
145 erver0+merge.yaml" or just "etcd.json". "target" can be one of "kube-
146 apiserver", "kube-controller-manager", "kube-scheduler", "etcd",
147 "kubeletconfiguration". "patchtype" can be one of "strategic", "merge"
148 or "json" and they match the patch formats supported by kubectl. The
149 default "patchtype" is "strategic". "extension" must be either "json"
150 or "yaml". "suffix" is an optional string that can be used to determine
151 which patches are applied first alpha-numerically.
152
153
154 --skip-phases=[] List of phases to be skipped
155
156
157 --tls-bootstrap-token="" Specify the token used to temporarily au‐
158 thenticate with the Kubernetes Control Plane while joining the node.
159
160
161 --token="" Use this token for both discovery-token and tls-boot‐
162 strap-token when those values are not provided.
163
164
165
167 --azure-container-registry-config="" Path to the file containing
168 Azure container registry configuration information.
169
170
171 --rootfs="" [EXPERIMENTAL] The path to the 'real' host root
172 filesystem.
173
174
175 --version=false Print version information and quit
176
177
178
180 kubeadm(1), kubeadm-join-phase(1),
181
182
183
185 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
186 com) based on the kubernetes source material, but hopefully they have
187 been automatically generated since!
188
189
190
191Manuals User KUBERNETES(1)(kubernetes)