• kubeadm join
    • Synopsis
    • Options
    • Options inherited from parent commands
    • The join workflow
    • Using join phases with kubeadm
    • Discovering what cluster CA to trust
      • Token-based discovery with CA pinning
      • Token-based discovery without CA pinning
      • File or HTTPS-based discovery
    • Securing your installation even more
      • Turning off auto-approval of node client certificates
      • Turning off public access to the cluster-info ConfigMap
    • Using kubeadm join with a configuration file
  • What's next
  • Feedback

    kubeadm join

    This command initializes a Kubernetes worker node and joins it to the cluster.

    Synopsis

    When joining a kubeadm initialized cluster, we need to establishbidirectional trust. This is split into discovery (having the Nodetrust the Kubernetes Control Plane) and TLS bootstrap (having theKubernetes Control Plane trust the Node).

    There are 2 main schemes for discovery. The first is to use a sharedtoken along with the IP address of the API server. The second is toprovide a file - a subset of the standard kubeconfig file. This filecan be a local file or downloaded via an HTTPS URL. The forms arekubeadm join –discovery-token abcdef.1234567890abcdef 1.2.3.4:6443,kubeadm join –discovery-file path/to/file.conf, or kubeadm join–discovery-file https://url/file.conf. Only one form can be used. Ifthe discovery information is loaded from a URL, HTTPS must be used.Also, in that case the host installed CA bundle is used to verifythe connection.

    If you use a shared token for discovery, you should also pass the–discovery-token-ca-cert-hash flag to validate the public key of theroot certificate authority (CA) presented by the Kubernetes Control Plane.The value of this flag is specified as “<hash-type>:<hex-encoded-value>”,where the supported hash type is “sha256”. The hash is calculated overthe bytes of the Subject Public Key Info (SPKI) object (as in RFC7469).This value is available in the output of “kubeadm init” or can becalculated using standard tools. The –discovery-token-ca-cert-hash flagmay be repeated multiple times to allow more than one public key.

    If you cannot know the CA public key hash ahead of time, you can passthe –discovery-token-unsafe-skip-ca-verification flag to disable thisverification. This weakens the kubeadm security model since other nodescan potentially impersonate the Kubernetes Control Plane.

    The TLS bootstrap mechanism is also driven via a shared token. This isused to temporarily authenticate with the Kubernetes Control Plane to submit acertificate signing request (CSR) for a locally created key pair. Bydefault, kubeadm will set up the Kubernetes Control Plane to automaticallyapprove these signing requests. This token is passed in with the–tls-bootstrap-token abcdef.1234567890abcdef flag.

    Often times the same token is used for both parts. In this case, the–token flag can be used instead of specifying each token individually.

    The “join [api-server-endpoint]” command executes the following phases:

    1. preflight Run join pre-flight checks
    2. control-plane-prepare Prepare the machine for serving a control plane
    3. /download-certs [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
    4. /certs Generate the certificates for the new control plane components
    5. /kubeconfig Generate the kubeconfig for the new control plane components
    6. /control-plane Generate the manifests for the new control plane components
    7. kubelet-start Write kubelet settings, certificates and (re)start the kubelet
    8. control-plane-join Join a machine as a control plane instance
    9. /etcd Add a new local etcd member
    10. /update-status Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap
    11. /mark-control-plane Mark a node as a control-plane
    1. kubeadm join [api-server-endpoint] [flags]

    Options

    —apiserver-advertise-address string
    If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
    —apiserver-bind-port int32 Default: 6443
    If the node should host a new control plane instance, the port for the API Server to bind to.
    —certificate-key string
    Use this key to decrypt the certificate secrets uploaded by init.
    —config string
    Path to kubeadm config file.
    —control-plane
    Create a new control plane instance on this node
    —cri-socket string
    Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
    —discovery-file string
    For file-based discovery, a file or URL from which to load cluster information.
    —discovery-token string
    For token-based discovery, the token used to validate cluster information fetched from the API server.
    —discovery-token-ca-cert-hash stringSlice
    For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
    —discovery-token-unsafe-skip-ca-verification
    For token-based discovery, allow joining without —discovery-token-ca-cert-hash pinning.
    -k, —experimental-kustomize string
    The path where kustomize patches for static pod manifests are stored.
    -h, —help
    help for join
    —ignore-preflight-errors stringSlice
    A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
    —node-name string
    Specify the node name.
    —skip-phases stringSlice
    List of phases to be skipped
    —tls-bootstrap-token string
    Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
    —token string
    Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    The join workflow

    kubeadm join bootstraps a Kubernetes worker node or a control-plane node and adds it to the cluster.This action consists of the following steps for worker nodes:

    • kubeadm downloads necessary cluster information from the API server.By default, it uses the bootstrap token and the CA key hash to verify theauthenticity of that data. The root CA can also be discovered directly via afile or URL.

    • Once the cluster information is known, kubelet can start the TLS bootstrappingprocess.

    The TLS bootstrap uses the shared token to temporarily authenticatewith the Kubernetes API server to submit a certificate signing request (CSR); bydefault the control plane signs this CSR request automatically.

    • Finally, kubeadm configures the local kubelet to connect to the APIserver with the definitive identity assigned to the node.For control-plane nodes additional steps are performed:

    • Downloading certificates shared among control-plane nodes from the cluster(if explicitly requested by the user).

    • Generating control-plane component manifests, certificates and kubeconfig.

    • Adding new local etcd member.

    • Adding this node to the ClusterStatus of the kubeadm cluster.

    Using join phases with kubeadm

    Kubeadm allows you join a node to the cluster in phases using kubeadm join phase.

    To view the ordered list of phases and sub-phases you can call kubeadm join —help. The list will be locatedat the top of the help screen and each phase will have a description next to it.Note that by calling kubeadm join all of the phases and sub-phases will be executed in this exact order.

    Some phases have unique flags, so if you want to have a look at the list of available options add —help, for example:

    1. kubeadm join phase kubelet-start --help

    Similar to the kubeadm init phasecommand, kubadm join phase allows you to skip a list of phases using the —skip-phases flag.

    For example:

    1. sudo kubeadm join --skip-phases=preflight --config=config.yaml

    Discovering what cluster CA to trust

    The kubeadm discovery has several options, each with security tradeoffs.The right method for your environment depends on how you provision nodes and thesecurity expectations you have about your network and node lifecycles.

    Token-based discovery with CA pinning

    This is the default mode in kubeadm. In this mode, kubeadm downloadsthe cluster configuration (including root CA) and validates it using the tokenas well as validating that the root CA public key matches the provided hash andthat the API server certificate is valid under the root CA.

    The CA key hash has the format sha256:<hex_encoded_hash>. By default, the hash value is returned in the kubeadm join command printed at the end of kubeadm init or in the output of kubeadm token create —print-join-command. It is in a standard format (see RFC7469) and can also be calculated by 3rd party tools or provisioning systems. For example, using the OpenSSL CLI:

    1. openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'

    Example kubeadm join commands:

    For worker nodes:

    1. kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef 1.2.3.4:6443

    For control-plane nodes:

    1. kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef --control-plane 1.2.3.4:6443

    You can also call join for a control-plane node with —certificate-key to copy certificates to this node,if the kubeadm init command was called with —upload-certs.

    Advantages:

    • Allows bootstrapping nodes to securely discover a root of trust for thecontrol-plane node even if other worker nodes or the network are compromised.

    • Convenient to execute manually since all of the information required fitsinto a single kubeadm join command that is easy to copy and paste.

    Disadvantages:

    • The CA hash is not normally known until the control-plane node has been provisioned,which can make it more difficult to build automated provisioning tools thatuse kubeadm. By generating your CA in beforehand, you may workaround thislimitation.

    Token-based discovery without CA pinning

    This mode relies only on the symmetric token to sign(HMAC-SHA256) the discovery information that establishes the root of trust forthe control-plane. To use the mode the joining nodes must skip the hash validation of theCA public key, using —discovery-token-unsafe-skip-ca-verification. You should considerusing one of the other modes if possible.

    Example kubeadm join command:

    1. kubeadm join --token abcdef.1234567890abcdef --discovery-token-unsafe-skip-ca-verification 1.2.3.4:6443

    Advantages:

    • Still protects against many network-level attacks.

    • The token can be generated ahead of time and shared with the control-plane node andworker nodes, which can then bootstrap in parallel without coordination. Thisallows it to be used in many provisioning scenarios.

    Disadvantages:

    • If an attacker is able to steal a bootstrap token via some vulnerability,they can use that token (along with network-level access) to impersonate thecontrol-plane node to other bootstrapping nodes. This may or may not be an appropriatetradeoff in your environment.

    File or HTTPS-based discovery

    This provides an out-of-band way to establish a root of trust between the control-plane nodeand bootstrapping nodes. Consider using this mode if you are building automated provisioningusing kubeadm. The format of the discovery file is a regular Kuberneteskubeconfig file.

    In case the discovery file does not contain credentials, the TLS discovery token will be used.

    Example kubeadm join commands:

    • kubeadm join —discovery-file path/to/file.conf (local file)

    • kubeadm join —discovery-file https://url/file.conf (remote HTTPS URL)

    Advantages:

    • Allows bootstrapping nodes to securely discover a root of trust for thecontrol-plane node even if the network or other worker nodes are compromised.

    Disadvantages:

    • Requires that you have some way to carry the discovery information fromthe control-plane node to the bootstrapping nodes. If the discovery file contains credentialsyou must keep it secret and transfer it over a secure channel. This might be possible with yourcloud provider or provisioning tool.

    Securing your installation even more

    The defaults for kubeadm may not work for everyone. This section documents how to tighten up a kubeadm installationat the cost of some usability.

    Turning off auto-approval of node client certificates

    By default, there is a CSR auto-approver enabled that basically approves any client certificate requestfor a kubelet when a Bootstrap Token was used when authenticating. If you don’t want the cluster toautomatically approve kubelet client certs, you can turn it off by executing this command:

    1. kubectl delete clusterrolebinding kubeadm:node-autoapprove-bootstrap

    After that, kubeadm join will block until the admin has manually approved the CSR in flight:

    1. kubectl get csr

    The output is similar to this:

    1. NAME AGE REQUESTOR CONDITION
    2. node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ 18s system:bootstrap:878f07 Pending
    1. kubectl certificate approve node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ

    The output is similar to this:

    1. certificatesigningrequest "node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ" approved
    1. kubectl get csr

    The output is similar to this:

    1. NAME AGE REQUESTOR CONDITION
    2. node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ 1m system:bootstrap:878f07 Approved,Issued

    This forces the workflow that kubeadm join will only succeed if kubectl certificate approve has been run.

    Turning off public access to the cluster-info ConfigMap

    In order to achieve the joining flow using the token as the only piece of validation information, aConfigMap with some data needed for validation of the control-plane node’s identity is exposed publicly bydefault. While there is no private data in this ConfigMap, some users might wish to turnit off regardless. Doing so will disable the ability to use the —discovery-token flag of thekubeadm join flow. Here are the steps to do so:

    • Fetch the cluster-info file from the API Server:
    1. kubectl -n kube-public get cm cluster-info -o yaml | grep "kubeconfig:" -A11 | grep "apiVersion" -A10 | sed "s/ //" | tee cluster-info.yaml

    The output is similar to this:

    1. apiVersion: v1
    2. kind: Config
    3. clusters:
    4. - cluster:
    5. certificate-authority-data: <ca-cert>
    6. server: https://<ip>:<port>
    7. name: ""
    8. contexts: []
    9. current-context: ""
    10. preferences: {}
    11. users: []
    • Use the cluster-info.yaml file as an argument to kubeadm join —discovery-file.

    • Turn off public access to the cluster-info ConfigMap:

    1. kubectl -n kube-public delete rolebinding kubeadm:bootstrap-signer-clusterinfo

    These commands should be run after kubeadm init but before kubeadm join.

    Using kubeadm join with a configuration file

    Caution: The config file is still considered alpha and may change in future versions.

    It’s possible to configure kubeadm join with a configuration file instead of commandline flags, and some more advanced features may only be available asconfiguration file options. This file is passed using the —config flag and it mustcontain a JoinConfiguration structure.

    To print the default values of JoinConfiguration run the following command:

    1. kubeadm config print join-defaults

    For details on individual fields in JoinConfiguration see the godoc.

    What's next

    • kubeadm init to bootstrap a Kubernetes control-plane node
    • kubeadm token to manage tokens for kubeadm join
    • kubeadm reset to revert any changes made to this host by kubeadm init or kubeadm join

    Feedback

    Was this page helpful?

    Thanks for the feedback. If you have a specific, answerable question about how to use Kubernetes, ask it onStack Overflow.Open an issue in the GitHub repo if you want toreport a problemorsuggest an improvement.