kubeadm alpha
Caution:kubeadm alphaprovides a preview of a set of features made available for gathering feedback from the community. Please try it out and give us feedback!
kubeadm alpha certs renew
You can renew all Kubernetes certificates using the all subcommand or renew them selectively.
- renew
- all
- apiserver-etcd-client
- apiserver-kubelet-client
- apiserver
- etcd-healthcheck-client
- etcd-peer
- etcd-server
- front-proxy-client
Renews certificates for a Kubernetes cluster
Synopsis
This command is not meant to be run on its own. See list of available subcommands.
kubeadm alpha certs renew [flags]
Options
| -h, --help | |
| help for renew | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
renew all available certificates
Synopsis
Renews all known certificates necessary to run the control plan. Renewals are run unconditionally, regardless of expiration date. Renewals can also be run individually for more control.
kubeadm alpha certs renew all [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" | |
| The path where to save the certificates | |
| --config string | |
| Path to a kubeadm configuration file. | |
| --csr-dir string | |
| The path to output the CSRs and private keys to | |
| --csr-only | |
| Create CSRs instead of generating certificates | |
| -h, --help | |
| help for all | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. | |
| --use-api | |
| Use the Kubernetes certificate API to renew certificates | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
Generates the client apiserver uses to access etcd
Synopsis
Renews the client apiserver uses to access etcd, and saves them into apiserver-etcd-client.cert and apiserver-etcd-client.key files.
Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
kubeadm alpha certs renew apiserver-etcd-client [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" | |
| The path where to save the certificates | |
| --config string | |
| Path to a kubeadm configuration file. | |
| --csr-dir string | |
| The path to output the CSRs and private keys to | |
| --csr-only | |
| Create CSRs instead of generating certificates | |
| -h, --help | |
| help for apiserver-etcd-client | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. | |
| --use-api | |
| Use the Kubernetes certificate API to renew certificates | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
Generates the Client certificate for the API server to connect to kubelet
Synopsis
Renews the Client certificate for the API server to connect to kubelet, and saves them into apiserver-kubelet-client.cert and apiserver-kubelet-client.key files.
Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
kubeadm alpha certs renew apiserver-kubelet-client [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" | |
| The path where to save the certificates | |
| --config string | |
| Path to a kubeadm configuration file. | |
| --csr-dir string | |
| The path to output the CSRs and private keys to | |
| --csr-only | |
| Create CSRs instead of generating certificates | |
| -h, --help | |
| help for apiserver-kubelet-client | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. | |
| --use-api | |
| Use the Kubernetes certificate API to renew certificates | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
Generates the certificate for serving the Kubernetes API
Synopsis
Renews the certificate for serving the Kubernetes API, and saves them into apiserver.cert and apiserver.key files.
Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
kubeadm alpha certs renew apiserver [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" | |
| The path where to save the certificates | |
| --config string | |
| Path to a kubeadm configuration file. | |
| --csr-dir string | |
| The path to output the CSRs and private keys to | |
| --csr-only | |
| Create CSRs instead of generating certificates | |
| -h, --help | |
| help for apiserver | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. | |
| --use-api | |
| Use the Kubernetes certificate API to renew certificates | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
Generates the client certificate for liveness probes to healtcheck etcd
Synopsis
Renews the client certificate for liveness probes to healtcheck etcd, and saves them into etcd/healthcheck-client.cert and etcd/healthcheck-client.key files.
Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
kubeadm alpha certs renew etcd-healthcheck-client [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" | |
| The path where to save the certificates | |
| --config string | |
| Path to a kubeadm configuration file. | |
| --csr-dir string | |
| The path to output the CSRs and private keys to | |
| --csr-only | |
| Create CSRs instead of generating certificates | |
| -h, --help | |
| help for etcd-healthcheck-client | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. | |
| --use-api | |
| Use the Kubernetes certificate API to renew certificates | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
Generates the credentials for etcd nodes to communicate with each other
Synopsis
Renews the credentials for etcd nodes to communicate with each other, and saves them into etcd/peer.cert and etcd/peer.key files.
Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
kubeadm alpha certs renew etcd-peer [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" | |
| The path where to save the certificates | |
| --config string | |
| Path to a kubeadm configuration file. | |
| --csr-dir string | |
| The path to output the CSRs and private keys to | |
| --csr-only | |
| Create CSRs instead of generating certificates | |
| -h, --help | |
| help for etcd-peer | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. | |
| --use-api | |
| Use the Kubernetes certificate API to renew certificates | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
Generates the certificate for serving etcd
Synopsis
Renews the certificate for serving etcd, and saves them into etcd/server.cert and etcd/server.key files.
Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
kubeadm alpha certs renew etcd-server [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" | |
| The path where to save the certificates | |
| --config string | |
| Path to a kubeadm configuration file. | |
| --csr-dir string | |
| The path to output the CSRs and private keys to | |
| --csr-only | |
| Create CSRs instead of generating certificates | |
| -h, --help | |
| help for etcd-server | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. | |
| --use-api | |
| Use the Kubernetes certificate API to renew certificates | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
Generates the client for the front proxy
Synopsis
Renews the client for the front proxy, and saves them into front-proxy-client.cert and front-proxy-client.key files.
Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
kubeadm alpha certs renew front-proxy-client [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" | |
| The path where to save the certificates | |
| --config string | |
| Path to a kubeadm configuration file. | |
| --csr-dir string | |
| The path to output the CSRs and private keys to | |
| --csr-only | |
| Create CSRs instead of generating certificates | |
| -h, --help | |
| help for front-proxy-client | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. | |
| --use-api | |
| Use the Kubernetes certificate API to renew certificates | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
kubeadm alpha kubeconfig user
The user subcommand can be used for the creation of kubeconfig files for additional users.
Kubeconfig file utilities
Synopsis
Kubeconfig file utilities.
Alpha Disclaimer: this command is currently alpha.
Options
| -h, --help | |
| help for kubeconfig | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
Outputs a kubeconfig file for an additional user
Synopsis
Outputs a kubeconfig file for an additional user.
Alpha Disclaimer: this command is currently alpha.
kubeadm alpha kubeconfig user [flags]
Examples
# Outputs a kubeconfig file for an additional user named foo
kubeadm alpha kubeconfig user --client-name=foo
Options
| --apiserver-advertise-address string | |
| The IP address the API server is accessible on | |
| --apiserver-bind-port int32 Default: 6443 | |
| The port the API server is accessible on | |
| --cert-dir string Default: "/etc/kubernetes/pki" | |
| The path where certificates are stored | |
| --client-name string | |
| The name of user. It will be used as the CN if client certificates are created | |
| -h, --help | |
| help for user | |
| --org stringSlice | |
| The orgnizations of the client certificate. It will be used as the O if client certificates are created | |
| --token string | |
| The token that should be used as the authentication mechanism for this kubeconfig, instead of client certificates | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
kubeadm alpha kubelet config
Use the following commands to either download the kubelet configuration from the cluster or to enable the DynamicKubeletConfiguration feature.
Commands related to handling the kubelet
Synopsis
This command is not meant to be run on its own. See list of available subcommands.
Options
| -h, --help | |
| help for kubelet | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
Downloads the kubelet configuration from the cluster ConfigMap kubelet-config-1.X, where X is the minor version of the kubelet.
Synopsis
Downloads the kubelet configuration from a ConfigMap of the form “kubelet-config-1.X” in the cluster, where X is the minor version of the kubelet. Either kubeadm autodetects the kubelet version by exec-ing “kubelet –version” or respects the –kubelet-version parameter.
Alpha Disclaimer: this command is currently alpha.
kubeadm alpha kubelet config download [flags]
Examples
# Downloads the kubelet configuration from the ConfigMap in the cluster. Autodetects the kubelet version.
kubeadm alpha phase kubelet config download
# Downloads the kubelet configuration from the ConfigMap in the cluster. Uses a specific desired kubelet version.
kubeadm alpha phase kubelet config download --kubelet-version v1.12.0
Options
| -h, --help | |
| help for download | |
| --kubeconfig string Default: "/etc/kubernetes/kubelet.conf" | |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. | |
| --kubelet-version string | |
| The desired version for the kubelet. Defaults to being autodetected from 'kubelet --version'. | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
Downloads the kubelet configuration from the cluster ConfigMap kubelet-config-1.X, where X is the minor version of the kubelet.
Synopsis
Downloads the kubelet configuration from a ConfigMap of the form “kubelet-config-1.X” in the cluster, where X is the minor version of the kubelet. Either kubeadm autodetects the kubelet version by exec-ing “kubelet –version” or respects the –kubelet-version parameter.
Alpha Disclaimer: this command is currently alpha.
kubeadm alpha kubelet config download [flags]
Examples
# Downloads the kubelet configuration from the ConfigMap in the cluster. Autodetects the kubelet version.
kubeadm alpha phase kubelet config download
# Downloads the kubelet configuration from the ConfigMap in the cluster. Uses a specific desired kubelet version.
kubeadm alpha phase kubelet config download --kubelet-version v1.12.0
Options
| -h, --help | |
| help for download | |
| --kubeconfig string Default: "/etc/kubernetes/kubelet.conf" | |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. | |
| --kubelet-version string | |
| The desired version for the kubelet. Defaults to being autodetected from 'kubelet --version'. | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
kubeadm alpha selfhosting pivot
The subcommand pivot can be used to conver a static Pod-hosted control plane into a self-hosted one.
Makes a kubeadm cluster self-hosted
Synopsis
This command is not meant to be run on its own. See list of available subcommands.
Options
| -h, --help | |
| help for selfhosting | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
Converts a static Pod-hosted control plane into a self-hosted one
Synopsis
Converts static Pod files for control plane components into self-hosted DaemonSets configured via the Kubernetes API.
See the documentation for self-hosting limitations.
Alpha Disclaimer: this command is currently alpha.
kubeadm alpha selfhosting pivot [flags]
Examples
# Converts a static Pod-hosted control plane into a self-hosted one.
kubeadm alpha phase self-hosting convert-from-staticpods
Options
| --cert-dir string Default: "/etc/kubernetes/pki" | |
| The path where certificates are stored | |
| --config string | |
| Path to a kubeadm config file. WARNING: Usage of a configuration file is experimental | |
| -f, --force | |
| Pivot the cluster without prompting for confirmation | |
| -h, --help | |
| help for pivot | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations are searched for an existing KubeConfig file. | |
| -s, --store-certs-in-secrets | |
| Enable storing certs in secrets | |
Options inherited from parent commands
| --rootfs string | |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. | |
What’s next
- kubeadm init to bootstrap a Kubernetes control-plane node
- kubeadm join to connect a node to the cluster
- kubeadm reset to revert any changes made to this host by
kubeadm initorkubeadm join
Feedback
Was this page helpful?
Thanks for the feedback. If you have a specific, answerable question about how to use Kubernetes, ask it on Stack Overflow. Open an issue in the GitHub repo if you want to report a problem or suggest an improvement.