Run this on any machine you wish to join an existing cluster
When joining a kubeadm initialized cluster, we need to establish bidirectional trust. This is split into discovery (having the Node trust the Kubernetes Master) and TLS bootstrap (having the Kubernetes Master trust the Node).
There are 2 main schemes for discovery. The first is to use a shared token along with the IP address of the API server. The second is to provide a file - a subset of the standard kubeconfig file. This file can be a local file or downloaded via an HTTPS URL. The forms are kubeadm join –discovery-token abcdef.1234567890abcdef 1.2.3.4:6443, kubeadm join –discovery-file path/to/file.conf, or kubeadm join –discovery-file https://url/file.conf. Only one form can be used. If the discovery information is loaded from a URL, HTTPS must be used. Also, in that case the host installed CA bundle is used to verify the connection.
If you use a shared token for discovery, you should also pass the
–discovery-token-ca-cert-hash flag to validate the public key of the
root certificate authority (CA) presented by the Kubernetes Master. The
value of this flag is specified as “
If you cannot know the CA public key hash ahead of time, you can pass the –discovery-token-unsafe-skip-ca-verification flag to disable this verification. This weakens the kubeadm security model since other nodes can potentially impersonate the Kubernetes Master.
The TLS bootstrap mechanism is also driven via a shared token. This is used to temporarily authenticate with the Kubernetes Master to submit a certificate signing request (CSR) for a locally created key pair. By default, kubeadm will set up the Kubernetes Master to automatically approve these signing requests. This token is passed in with the –tls-bootstrap-token abcdef.1234567890abcdef flag.
Often times the same token is used for both parts. In this case, the –token flag can be used instead of specifying each token individually.
kubeadm join [flags]
--config string Path to kubeadm config file.
--cri-socket string Specify the CRI socket to connect to. (default "/var/run/dockershim.sock")
--discovery-file string A file or url from which to load cluster information.
--discovery-token string A token used to validate cluster information fetched from the master.
--discovery-token-ca-cert-hash stringSlice For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
--discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
--feature-gates string A set of key=value pairs that describe feature gates for various features. Options are:
CoreDNS=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (ALPHA - default=false)
HighAvailability=true|false (ALPHA - default=false)
SelfHosting=true|false (BETA - default=false)
StoreCertsInSecrets=true|false (ALPHA - default=false)
SupportIPVSProxyMode=true|false (ALPHA - default=false)
--ignore-checks-errors stringSlice A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
--node-name string Specify the node name.
--tls-bootstrap-token string A token used for TLS bootstrapping.
--token string Use this token for both discovery-token and tls-bootstrap-token.
kubeadm join
bootstraps a Kubernetes worker node and joins it to the cluster.
This action consists of the following steps:
kubeadm downloads necessary cluster information from the API server. By default, it uses the bootstrap token and the CA key hash to verify the authenticity of that data. The root CA can also be discovered directly via a file or URL.
If kubeadm is invoked with --feature-gates=DynamicKubeletConfig
enabled,
it first retrieves the kubelet init configuration from the master and writes it to
the disk. When kubelet starts up, kubeadm updates the node Node.spec.configSource
property of the node.
See Set Kubelet parameters via a config file
and Reconfigure a Node’s Kubelet in a Live Cluster
for more information about Dynamic Kubelet Configuration.
Once the cluster information is known, kubelet can start the TLS bootstrapping process.
The TLS bootstrap uses the shared token to temporarily authenticate with the Kubernetes API server to submit a certificate signing request (CSR); by default the control plane signs this CSR request automatically.
Finally, kubeadm configures the local kubelet to connect to the API server with the definitive identity assigned to the node.
The kubeadm discovery has several options, each with security tradeoffs. The right method for your environment depends on how you provision nodes and the security expectations you have about your network and node lifecycles.
This is the default mode in Kubernetes 1.8 and above. In this mode, kubeadm downloads the cluster configuration (including root CA) and validates it using the token as well as validating that the root CA public key matches the provided hash and that the API server certificate is valid under the root CA.
The CA key hash has the format sha256:<hex_encoded_hash>
. By default, the hash value is returned in the kubeadm join
command printed at the end of kubeadm init
or in the output of kubeadm token create --print-join-command
. It is in a standard format (see RFC7469) and can also be calculated by 3rd party tools or provisioning systems. For example, using the OpenSSL CLI:
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
Example kubeadm join
command:
kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef 1.2.3.4:6443
Advantages:
Allows bootstrapping nodes to securely discover a root of trust for the master even if other worker nodes or the network are compromised.
Convenient to execute manually since all of the information required fits
into a single kubeadm join
command that is easy to copy and paste.
Disadvantages:
This was the default in Kubernetes 1.7 and earlier, but comes with some
important caveats. This mode relies only on the symmetric token to sign
(HMAC-SHA256) the discovery information that establishes the root of trust for
the master. It’s still possible in Kubernetes 1.8 and above using the
--discovery-token-unsafe-skip-ca-verification
flag, but you should consider
using one of the other modes if possible.
Example kubeadm join
command:
kubeadm join --token abcdef.1234567890abcdef --discovery-token-unsafe-skip-ca-verification 1.2.3.4:6443`
Advantages:
Still protects against many network-level attacks.
The token can be generated ahead of time and shared with the master and worker nodes, which can then bootstrap in parallel without coordination. This allows it to be used in many provisioning scenarios.
Disadvantages:
This provides an out-of-band way to establish a root of trust between the master and bootstrapping nodes. Consider using this mode if you are building automated provisioning using kubeadm.
Example kubeadm join
commands:
kubeadm join --discovery-file path/to/file.conf
(local file)
kubeadm join --discovery-file https://url/file.conf
(remote HTTPS URL)
Advantages:
Disadvantages:
The defaults for kubeadm may not work for everyone. This section documents how to tighten up a kubeadm installation at the cost of some usability.
By default, there is a CSR auto-approver enabled that basically approves any client certificate request for a kubelet when a Bootstrap Token was used when authenticating. If you don’t want the cluster to automatically approve kubelet client certs, you can turn it off by executing this command:
$ kubectl delete clusterrole kubeadm:node-autoapprove-bootstrap
After that, kubeadm join
will block until the admin has manually approved the CSR in flight:
$ kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ 18s system:bootstrap:878f07 Pending
$ kubectl certificate approve node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ
certificatesigningrequest "node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ" approved
$ kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ 1m system:bootstrap:878f07 Approved,Issued
Only after kubectl certificate approve
has been run, kubeadm join
can proceed.
In order to achieve the joining flow using the token as the only piece of validation information, a
ConfigMap with some data needed for validation of the master’s identity is exposed publicly by
default. While there is no private data in this ConfigMap, some users might wish to turn
it off regardless. Doing so will disable the ability to use the --discovery-token
flag of the
kubeadm join
flow. Here are the steps to do so:
cluster-info
file from the API Server:$ kubectl -n kube-public get cm cluster-info -o yaml | grep "kubeconfig:" -A11 | grep "apiVersion" -A10 | sed "s/ //" | tee cluster-info.yaml
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: <ca-cert>
server: https://<ip>:<port>
name: ""
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
Use the cluster-info.yaml
file as an argument to kubeadm join --discovery-file
.
Turn off public access to the cluster-info
ConfigMap:
$ kubectl -n kube-public delete rolebinding kubeadm:bootstrap-signer-clusterinfo
These commands should be run after kubeadm init
but before kubeadm join
.
Caution: The config file is still considered alpha and may change in future versions.
It’s possible to configure kubeadm join
with a configuration file instead of command
line flags, and some more advanced features may only be available as
configuration file options. This file is passed in the --config
option.
apiVersion: kubeadm.k8s.io/v1alpha1
kind: NodeConfiguration
caCertPath: <path|string>
discoveryFile: <path|string>
discoveryToken: <string>
discoveryTokenAPIServers:
- <address|string>
- <address|string>
nodeName: <string>
tlsBootstrapToken: <string>
token: <string>
discoveryTokenCACertHashes:
- <SHA-256 hash|string>
- <SHA-256 hash|string>
discoveryTokenUnsafeSkipCAVerification: <bool>
kubeadm join
kubeadm init
or kubeadm join