In v1.14.0, kubeadm introduces the kubeadm join phase
command with the aim of making kubeadm more modular. This modularity enables you to invoke atomic sub-steps of the join process.
Hence, you can let kubeadm do some parts and fill in yourself where you need customizations.
kubeadm join phase
is consistent with the kubeadm join workflow,
and behind the scene both use the same code.
use this command to invoke single phase of the join workflow
use this command to invoke single phase of the join workflow
-h, --help help for phase
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
Using this phase you can execute preflight checks on a joining node.
Run join pre-flight checks
Run pre-flight checks for kubeadm join.
kubeadm join phase preflight [api-server-endpoint] [flags]
# Run join pre-flight checks using a config file.
kubeadm join phase preflight --config kubeadm-config.yml
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--apiserver-bind-port int32 If the node should host a new control plane instance, the port for the API Server to bind to. (default 6443)
--certificate-key string Use this key to decrypt the certificate secrets uploaded by init.
--config string Path to kubeadm config file.
--cri-socket string Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
--discovery-file string For file-based discovery, a file or URL from which to load cluster information.
--discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server.
--discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
--discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
--experimental-control-plane Create a new control plane instance on this node
-h, --help help for preflight
--ignore-preflight-errors strings A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
--node-name string Specify the node name.
--tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
Using this phase you can prepare a node for serving a control-plane.
Prepares the machine for serving a control plane.
Prepares the machine for serving a control plane.
kubeadm join phase control-plane-prepare [flags]
# Prepares the machine for serving a control plane
kubeadm join phase control-plane-prepare all
-h, --help help for control-plane-prepare
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
Prepares the machine for serving a control plane.
Prepares the machine for serving a control plane.
kubeadm join phase control-plane-prepare all [api-server-endpoint] [flags]
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--apiserver-bind-port int32 If the node should host a new control plane instance, the port for the API Server to bind to. (default 6443)
--certificate-key string Use this key to decrypt the certificate secrets uploaded by init.
--config string Path to kubeadm config file.
--discovery-file string For file-based discovery, a file or URL from which to load cluster information.
--discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server.
--discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
--discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
--experimental-control-plane Create a new control plane instance on this node
-h, --help help for all
--node-name string Specify the node name.
--tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
[EXPERIMENTAL] Downloads certificates shared among control-plane nodes from the kubeadm-certs Secret
[EXPERIMENTAL] Downloads certificates shared among control-plane nodes from the kubeadm-certs Secret
kubeadm join phase control-plane-prepare download-certs [api-server-endpoint] [flags]
--certificate-key string Use this key to decrypt the certificate secrets uploaded by init.
--config string Path to kubeadm config file.
--discovery-file string For file-based discovery, a file or URL from which to load cluster information.
--discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server.
--discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
--discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
--experimental-control-plane Create a new control plane instance on this node
-h, --help help for download-certs
--tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
Generates the certificates for the new control plane components
Generates the certificates for the new control plane components
kubeadm join phase control-plane-prepare certs [api-server-endpoint] [flags]
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--config string Path to kubeadm config file.
--discovery-file string For file-based discovery, a file or URL from which to load cluster information.
--discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server.
--discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
--discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
--experimental-control-plane Create a new control plane instance on this node
-h, --help help for certs
--node-name string Specify the node name.
--tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
Generates the kubeconfig for the new control plane components
Generates the kubeconfig for the new control plane components
kubeadm join phase control-plane-prepare kubeconfig [api-server-endpoint] [flags]
--certificate-key string Use this key to decrypt the certificate secrets uploaded by init.
--config string Path to kubeadm config file.
--discovery-file string For file-based discovery, a file or URL from which to load cluster information.
--discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server.
--discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
--discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
--experimental-control-plane Create a new control plane instance on this node
-h, --help help for kubeconfig
--tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
Generates the manifests for the new control plane components
Generates the manifests for the new control plane components
kubeadm join phase control-plane-prepare control-plane [flags]
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--apiserver-bind-port int32 If the node should host a new control plane instance, the port for the API Server to bind to. (default 6443)
--config string Path to kubeadm config file.
--experimental-control-plane Create a new control plane instance on this node
-h, --help help for control-plane
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
Using this phase you can write the kubelet settings, certificates and (re)start the kubelet.
Writes kubelet settings, certificates and (re)starts the kubelet
Writes a file with KubeletConfiguration and an environment file with node specific kubelet settings, and then (re)starts kubelet.
kubeadm join phase kubelet-start [api-server-endpoint] [flags]
--config string Path to kubeadm config file.
--cri-socket string Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
--discovery-file string For file-based discovery, a file or URL from which to load cluster information.
--discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server.
--discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
--discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
-h, --help help for kubelet-start
--node-name string Specify the node name.
--tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
Using this phase you can join a node as a control-plane instance.
Joins a machine as a control plane instance
Joins a machine as a control plane instance
kubeadm join phase control-plane-join [flags]
# Joins a machine as a control plane instance
kubeadm join phase control-plane-join all
-h, --help help for control-plane-join
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
Joins a machine as a control plane instance
Joins a machine as a control plane instance
kubeadm join phase control-plane-join all [flags]
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--config string Path to kubeadm config file.
--experimental-control-plane Create a new control plane instance on this node
-h, --help help for all
--node-name string Specify the node name.
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
Add a new local etcd member
Add a new local etcd member
kubeadm join phase control-plane-join etcd [flags]
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--config string Path to kubeadm config file.
--experimental-control-plane Create a new control plane instance on this node
-h, --help help for etcd
--node-name string Specify the node name.
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap
Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap
kubeadm join phase control-plane-join update-status [flags]
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--config string Path to kubeadm config file.
--experimental-control-plane Create a new control plane instance on this node
-h, --help help for update-status
--node-name string Specify the node name.
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
Mark a node as a control-plane
Mark a node as a control-plane
kubeadm join phase control-plane-join mark-control-plane [flags]
--config string Path to kubeadm config file.
--experimental-control-plane Create a new control plane instance on this node
-h, --help help for mark-control-plane
--node-name string Specify the node name.
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
kubeadm init
or kubeadm join
Was this page helpful?
Thanks for the feedback. If you have a specific, answerable question about how to use Kubernetes, ask it on Stack Overflow. Open an issue in the GitHub repo if you want to report a problem or suggest an improvement.