When joining a kubeadm initialized cluster, we need to establish bidirectional trust. This is split into discovery (having the Node trust the Kubernetes Control Plane) and TLS bootstrap (having the Kubernetes Control Plane trust the Node).
There are 2 main schemes for discovery. The first is to use a shared token along with the IP address of the API server. The second is to provide a file - a subset of the standard kubeconfig file. This file can be a local file or downloaded via an HTTPS URL. The forms are kubeadm join --discovery-token abcdef.1234567890abcdef 220.127.116.11:6443, kubeadm join --discovery-file path/to/file.conf, or kubeadm join --discovery-file https://url/file.conf. Only one form can be used. If the discovery information is loaded from a URL, HTTPS must be used. Also, in that case the host installed CA bundle is used to verify the connection.
If you use a shared token for discovery, you should also pass the --discovery-token-ca-cert-hash flag to validate the public key of the root certificate authority (CA) presented by the Kubernetes Control Plane. The value of this flag is specified as "<hash-type>:<hex-encoded-value>", where the supported hash type is "sha256". The hash is calculated over the bytes of the Subject Public Key Info (SPKI) object (as in RFC7469). This value is available in the output of "kubeadm init" or can be calculated using standard tools. The --discovery-token-ca-cert-hash flag may be repeated multiple times to allow more than one public key.
If you cannot know the CA public key hash ahead of time, you can pass the --discovery-token-unsafe-skip-ca-verification flag to disable this verification. This weakens the kubeadm security model since other nodes can potentially impersonate the Kubernetes Control Plane.
The TLS bootstrap mechanism is also driven via a shared token. This is used to temporarily authenticate with the Kubernetes Control Plane to submit a certificate signing request (CSR) for a locally created key pair. By default, kubeadm will set up the Kubernetes Control Plane to automatically approve these signing requests. This token is passed in with the --tls-bootstrap-token abcdef.1234567890abcdef flag.
Often times the same token is used for both parts. In this case, the --token flag can be used instead of specifying each token individually.
The "join [api-server-endpoint]" command executes the following phases:
preflight Run join pre-flight checks control-plane-prepare Prepare the machine for serving a control plane /download-certs [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret /certs Generate the certificates for the new control plane components /kubeconfig Generate the kubeconfig for the new control plane components /control-plane Generate the manifests for the new control plane components kubelet-start Write kubelet settings, certificates and (re)start the kubelet control-plane-join Join a machine as a control plane instance /etcd Add a new local etcd member /update-status Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap /mark-control-plane Mark a node as a control-plane
kubeadm join [api-server-endpoint] [flags]
|If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.|
|--apiserver-bind-port int32 Default: 6443|
|If the node should host a new control plane instance, the port for the API Server to bind to.|
|Use this key to decrypt the certificate secrets uploaded by init.|
|Path to kubeadm config file.|
|Create a new control plane instance on this node|
|Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.|
|For file-based discovery, a file or URL from which to load cluster information.|
|For token-based discovery, the token used to validate cluster information fetched from the API server.|
|For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").|
|For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.|
|Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.|
|help for join|
|A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.|
|Specify the node name.|
|List of phases to be skipped|
|Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.|
|Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.|
Options inherited from parent commands
|[EXPERIMENTAL] The path to the 'real' host root filesystem.|