How to get started, and achieve tasks, using Kubernetes

Edit This Page

kubeadm reference

This document provides information on how to use kubeadm’s advanced options.

Running kubeadm init bootstraps a Kubernetes cluster. This consists of the following steps:

  1. kubeadm generates a token that additional nodes can use to register themselves with the master in future.

  2. kubeadm generates a self-signed CA using openssl to provision identities for each node in the cluster, and for the API server to secure communication with clients.

  3. Outputting a kubeconfig file for the kubelet to use to connect to the API server, as well as an additional kubeconfig file for administration.

  4. kubeadm generates Kubernetes resource manifests for the API server, controller manager and scheduler, and placing them in /etc/kubernetes/manifests. The kubelet watches this directory for static resources to create on startup. These are the core components of Kubernetes, and once they are up and running we can use kubectl to set up/manage any additional components.

  5. kubeadm installs any add-on components, such as DNS or discovery, via the API server.


Fields that support multiple values do so either with comma separation, or by specifying the flag multiple times.

kubeadm init

It is usually sufficient to run kubeadm init without any flags, but in some cases you might like to override the default behaviour. Here we specify all the flags that can be used to customise the Kubernetes installation.

By default, kubeadm init automatically detects IP addresses and uses these to generate certificates for the API server. This uses the IP address of the default network interface. If you would like to access the API server through a different IP address, or through a hostname, you can override these defaults with --api-advertise-addresses and --api-external-dns-names. For example, to generate certificates that verify the API server at addresses and, you could use --api-advertise-addresses=, To allow it to be accessed with a hostname,, Specifying --api-advertise-addresses disables auto detection of IP addresses.

Currently, kubeadm init does not provide autodetection of cloud provider. This means that load balancing and persistent volumes are not supported out of the box. You can specify a cloud provider using --cloud-provider. Valid values are the ones supported by controller-manager, namely "aws", "azure", "cloudstack", "gce", "mesos", "openstack", "ovirt", "rackspace", "vsphere". In order to provide additional configuration for the cloud provider, you should create a /etc/kubernetes/cloud-config.json file manually, before running kubeadm init. kubeadm automatically picks those settings up and ensures other nodes are configured correctly. You must also set the --cloud-provider and --cloud-config parameters yourself by editing the /etc/systemd/system/kubelet.service.d/10-kubeadm.conf file appropriately.

By default, kubeadm deploys a single node etcd cluster on the master to store Kubernetes state. This means that any failure on the master node requires you to rebuild your cluster from scratch. Currently kubeadm init does not support automatic deployment of a highly available etcd cluster. If you would like to use your own etcd cluster, you can override this behaviour with --external-etcd-endpoints. kubeadm supports etcd client authentication using the --external-etcd-cafile, --external-etcd-certfile and --external-etcd-keyfile flags.

By default, kubeadm init does not set node CIDR’s for pods and allows you to bring your own networking configuration through a CNI compatible network controller addon such as Weave Net, Calico or Canal. If you are using a compatible cloud provider or flannel, you can specify a subnet to use for each pod on the cluster with the --pod-network-cidr flag. This should be a minimum of a /16 so that kubeadm is able to assign /24 subnets to each node in the cluster.

You can use the --service-cidr flag to override the subnet Kubernetes uses to assign pods IP addresses. If you do, you will also need to update the /etc/systemd/system/kubelet.service.d/10-kubeadm.conf file to reflect this change else DNS will not function correctly.

By default, kubeadm init deploys a cluster that assigns services with DNS names <service_name>.<namespace>.svc.cluster.local. You can use the --service-dns-domain to change the DNS name suffix. Again, you will need to update the /etc/systemd/system/kubelet.service.d/10-kubeadm.conf file accordingly else DNS will not function correctly.

By default, kubeadm init automatically generates the token used to initialise each new node. If you would like to manually specify this token, you can use the --token flag. The token must be of the format ‘<6 character string>.<16 character string>’.

kubeadm was originally built for Kubernetes version v1.4.0, older versions are not supported. With this flag you can try any future version, e.g. v1.5.0-beta.1 whenever it comes out (check releases page for a full list of available versions).

kubeadm join

kubeadm join has one mandatory flag, the token used to secure cluster bootstrap, and one mandatory argument, the master IP address.

Here’s an example on how to use it:

kubeadm join --token=the_secret_token

By default, when kubeadm init runs, a token is generated and revealed in the output. That’s the token you should use here.


# cat /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1


Create Issue Edit This Page