- kubeadm init
- Synopsis
- Options
- Options inherited from parent commands
- Init workflow
- Using init phases with kubeadm
- Using kubeadm init with a configuration file
- Adding kube-proxy parameters
- Passing custom flags to control plane components
- Using custom images
- Uploading control-plane certificates to the cluster
- Certificate management with kubeadm
- Managing the kubeadm drop-in file for the kubelet
- Use kubeadm with CRI runtimes
- Setting the node name
- Running kubeadm without an internet connection
- Automating kubeadm
- What’s next
kubeadm init
This command initializes a Kubernetes control-plane node.
Synopsis
Run this command in order to set up the Kubernetes control plane
The “init” command executes the following phases:
preflight Run pre-flight checks
certs Certificate generation
/ca Generate the self-signed Kubernetes CA to provision identities for other Kubernetes components
/apiserver Generate the certificate for serving the Kubernetes API
/apiserver-kubelet-client Generate the certificate for the API server to connect to kubelet
/front-proxy-ca Generate the self-signed CA to provision identities for front proxy
/front-proxy-client Generate the certificate for the front proxy client
/etcd-ca Generate the self-signed CA to provision identities for etcd
/etcd-server Generate the certificate for serving etcd
/etcd-peer Generate the certificate for etcd nodes to communicate with each other
/etcd-healthcheck-client Generate the certificate for liveness probes to healthcheck etcd
/apiserver-etcd-client Generate the certificate the apiserver uses to access etcd
/sa Generate a private key for signing service account tokens along with its public key
kubeconfig Generate all kubeconfig files necessary to establish the control plane and the admin kubeconfig file
/admin Generate a kubeconfig file for the admin to use and for kubeadm itself
/kubelet Generate a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposes
/controller-manager Generate a kubeconfig file for the controller manager to use
/scheduler Generate a kubeconfig file for the scheduler to use
kubelet-start Write kubelet settings and (re)start the kubelet
control-plane Generate all static Pod manifest files necessary to establish the control plane
/apiserver Generates the kube-apiserver static Pod manifest
/controller-manager Generates the kube-controller-manager static Pod manifest
/scheduler Generates the kube-scheduler static Pod manifest
etcd Generate static Pod manifest file for local etcd
/local Generate the static Pod manifest file for a local, single-node local etcd instance
upload-config Upload the kubeadm and kubelet configuration to a ConfigMap
/kubeadm Upload the kubeadm ClusterConfiguration to a ConfigMap
/kubelet Upload the kubelet component config to a ConfigMap
upload-certs Upload certificates to kubeadm-certs
mark-control-plane Mark a node as a control-plane
bootstrap-token Generates bootstrap tokens used to join a node to a cluster
kubelet-finalize Updates settings relevant to the kubelet after TLS bootstrap
/experimental-cert-rotation Enable kubelet client certificate rotation
addon Install required addons for passing Conformance tests
/coredns Install the CoreDNS addon to a Kubernetes cluster
/kube-proxy Install the kube-proxy addon to a Kubernetes cluster
kubeadm init [flags]
Options
—apiserver-advertise-address string | |
The IP address the API Server will advertise it’s listening on. If not set the default network interface will be used. | |
—apiserver-bind-port int32 Default: 6443 | |
Port for the API Server to bind to. | |
—apiserver-cert-extra-sans stringSlice | |
Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate. Can be both IP addresses and DNS names. | |
—cert-dir string Default: “/etc/kubernetes/pki” | |
The path where to save and store the certificates. | |
—certificate-key string | |
Key used to encrypt the control-plane certificates in the kubeadm-certs Secret. | |
—config string | |
Path to a kubeadm configuration file. | |
—control-plane-endpoint string | |
Specify a stable IP address or DNS name for the control plane. | |
—cri-socket string | |
Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket. | |
—dry-run | |
Don’t apply any changes; just output what would be done. | |
—experimental-patches string | |
Path to a directory that contains files named “target[suffix][+patchtype].extension”. For example, “kube-apiserver0+merge.yaml” or just “etcd.json”. “patchtype” can be one of “strategic”, “merge” or “json” and they match the patch formats supported by kubectl. The default “patchtype” is “strategic”. “extension” must be either “json” or “yaml”. “suffix” is an optional string that can be used to determine which patches are applied first alpha-numerically. | |
—feature-gates string | |
A set of key=value pairs that describe feature gates for various features. Options are: IPv6DualStack=true|false (ALPHA - default=false) PublicKeysECDSA=true|false (ALPHA - default=false) | |
-h, —help | |
help for init | |
—ignore-preflight-errors stringSlice | |
A list of checks whose errors will be shown as warnings. Example: ‘IsPrivilegedUser,Swap’. Value ‘all’ ignores errors from all checks. | |
—image-repository string Default: “k8s.gcr.io” | |
Choose a container registry to pull control plane images from | |
—kubernetes-version string Default: “stable-1” | |
Choose a specific Kubernetes version for the control plane. | |
—node-name string | |
Specify the node name. | |
—pod-network-cidr string | |
Specify range of IP addresses for the pod network. If set, the control plane will automatically allocate CIDRs for every node. | |
—service-cidr string Default: “10.96.0.0/12” | |
Use alternative range of IP address for service VIPs. | |
—service-dns-domain string Default: “cluster.local” | |
Use alternative domain for services, e.g. “myorg.internal”. | |
—skip-certificate-key-print | |
Don’t print the key used to encrypt the control-plane certificates. | |
—skip-phases stringSlice | |
List of phases to be skipped | |
—skip-token-print | |
Skip printing of the default bootstrap token generated by ‘kubeadm init’. | |
—token string | |
The token to use for establishing bidirectional trust between nodes and control-plane nodes. The format is [a-z0-9]{6}.[a-z0-9]{16} - e.g. abcdef.0123456789abcdef | |
—token-ttl duration Default: 24h0m0s | |
The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to ‘0’, the token will never expire | |
—upload-certs | |
Upload control-plane certificates to the kubeadm-certs Secret. |
Options inherited from parent commands
—rootfs string | |
[EXPERIMENTAL] The path to the ‘real’ host root filesystem. |
Init workflow
kubeadm init
bootstraps a Kubernetes control-plane node by executing the following steps:
Runs a series of pre-flight checks to validate the system state before making changes. Some checks only trigger warnings, others are considered errors and will exit kubeadm until the problem is corrected or the user specifies
--ignore-preflight-errors=<list-of-errors>
.Generates a self-signed CA to set up identities for each component in the cluster. The user can provide their own CA cert and/or key by dropping it in the cert directory configured via
--cert-dir
(/etc/kubernetes/pki
by default). The APIServer certs will have additional SAN entries for any--apiserver-cert-extra-sans
arguments, lowercased if necessary.Writes kubeconfig files in
/etc/kubernetes/
for the kubelet, the controller-manager and the scheduler to use to connect to the API server, each with its own identity, as well as an additional kubeconfig file for administration namedadmin.conf
.Generates static Pod manifests for the API server, controller-manager and scheduler. In case an external etcd is not provided, an additional static Pod manifest is generated for etcd.
Static Pod manifests are written to
/etc/kubernetes/manifests
; the kubelet watches this directory for Pods to create on startup.Once control plane Pods are up and running, the
kubeadm init
sequence can continue.Apply labels and taints to the control-plane node so that no additional workloads will run there.
Generates the token that additional nodes can use to register themselves with a control-plane in the future. Optionally, the user can provide a token via
--token
, as described in the kubeadm token docs.Makes all the necessary configurations for allowing node joining with the Bootstrap Tokens and TLS Bootstrap mechanism:
Write a ConfigMap for making available all the information required for joining, and set up related RBAC access rules.
Let Bootstrap Tokens access the CSR signing API.
Configure auto-approval for new CSR requests.
See kubeadm join for additional info.
Installs a DNS server (CoreDNS) and the kube-proxy addon components via the API server. In Kubernetes version 1.11 and later CoreDNS is the default DNS server. To install kube-dns instead of CoreDNS, the DNS addon has to be configured in the kubeadm
ClusterConfiguration
. For more information about the configuration see the sectionUsing kubeadm init with a configuration file
below. Please note that although the DNS server is deployed, it will not be scheduled until CNI is installed.Warning: kube-dns usage with kubeadm is deprecated as of v1.18 and will be removed in a future release.
Using init phases with kubeadm
Kubeadm allows you to create a control-plane node in phases using the kubeadm init phase
command.
To view the ordered list of phases and sub-phases you can call kubeadm init --help
. The list will be located at the top of the help screen and each phase will have a description next to it. Note that by calling kubeadm init
all of the phases and sub-phases will be executed in this exact order.
Some phases have unique flags, so if you want to have a look at the list of available options add --help
, for example:
sudo kubeadm init phase control-plane controller-manager --help
You can also use --help
to see the list of sub-phases for a certain parent phase:
sudo kubeadm init phase control-plane --help
kubeadm init
also exposes a flag called --skip-phases
that can be used to skip certain phases. The flag accepts a list of phase names and the names can be taken from the above ordered list.
An example:
sudo kubeadm init phase control-plane all --config=configfile.yaml
sudo kubeadm init phase etcd local --config=configfile.yaml
# you can now modify the control plane and etcd manifest files
sudo kubeadm init --skip-phases=control-plane,etcd --config=configfile.yaml
What this example would do is write the manifest files for the control plane and etcd in /etc/kubernetes/manifests
based on the configuration in configfile.yaml
. This allows you to modify the files and then skip these phases using --skip-phases
. By calling the last command you will create a control plane node with the custom manifest files.
Using kubeadm init with a configuration file
Caution: The config file is still considered beta and may change in future versions.
It’s possible to configure kubeadm init
with a configuration file instead of command line flags, and some more advanced features may only be available as configuration file options. This file is passed using the --config
flag and it must contain a ClusterConfiguration
structure and optionally more structures separated by ---\n
Mixing --config
with others flags may not be allowed in some cases.
The default configuration can be printed out using the kubeadm config print command.
If your configuration is not using the latest version it is recommended that you migrate using the kubeadm config migrate command.
For more information on the fields and usage of the configuration you can navigate to our API reference page and pick a version from the list.
Adding kube-proxy parameters
For information about kube-proxy parameters in the kubeadm configuration see:
For information about enabling IPVS mode with kubeadm see:
Passing custom flags to control plane components
For information about passing flags to control plane components see:
Using custom images
By default, kubeadm pulls images from k8s.gcr.io
. If the requested Kubernetes version is a CI label (such as ci/latest
) gcr.io/kubernetes-ci-images
is used.
You can override this behavior by using kubeadm with a configuration file. Allowed customization are:
- To provide an alternative
imageRepository
to be used instead ofk8s.gcr.io
. - To set
useHyperKubeImage
totrue
to use the HyperKube image. - To provide a specific
imageRepository
andimageTag
for etcd or DNS add-on.
Please note that the configuration field kubernetesVersion
or the command line flag --kubernetes-version
affect the version of the images.
Uploading control-plane certificates to the cluster
By adding the flag --upload-certs
to kubeadm init
you can temporary upload the control-plane certificates to a Secret in the cluster. Please note that this Secret will expire automatically after 2 hours. The certificates are encrypted using a 32byte key that can be specified using --certificate-key
. The same key can be used to download the certificates when additional control-plane nodes are joining, by passing --control-plane
and --certificate-key
to kubeadm join
.
The following phase command can be used to re-upload the certificates after expiration:
kubeadm init phase upload-certs --upload-certs --certificate-key=SOME_VALUE --config=SOME_YAML_FILE
If the flag --certificate-key
is not passed to kubeadm init
and kubeadm init phase upload-certs
a new key will be generated automatically.
The following command can be used to generate a new key on demand:
kubeadm certs certificate-key
Certificate management with kubeadm
For detailed information on certificate management with kubeadm see Certificate Management with kubeadm. The document includes information about using external CA, custom certificates and certificate renewal.
Managing the kubeadm drop-in file for the kubelet
The kubeadm
package ships with a configuration file for running the kubelet
by systemd
. Note that the kubeadm CLI never touches this drop-in file. This drop-in file is part of the kubeadm DEB/RPM package.
For further information, see Managing the kubeadm drop-in file for systemd.
Use kubeadm with CRI runtimes
By default kubeadm attempts to detect your container runtime. For more details on this detection, see the kubeadm CRI installation guide.
Setting the node name
By default, kubeadm
assigns a node name based on a machine’s host address. You can override this setting with the --node-name
flag. The flag passes the appropriate --hostname-override
value to the kubelet.
Be aware that overriding the hostname can interfere with cloud providers.
Running kubeadm without an internet connection
For running kubeadm without an internet connection you have to pre-pull the required control-plane images.
You can list and pull the images using the kubeadm config images
sub-command:
kubeadm config images list
kubeadm config images pull
All images that kubeadm requires such as k8s.gcr.io/kube-*
, k8s.gcr.io/etcd
and k8s.gcr.io/pause
support multiple architectures.
Automating kubeadm
Rather than copying the token you obtained from kubeadm init
to each node, as in the basic kubeadm tutorial, you can parallelize the token distribution for easier automation. To implement this automation, you must know the IP address that the control-plane node will have after it is started, or use a DNS name or an address of a load balancer.
Generate a token. This token must have the form
<6 character string>.<16 character string>
. More formally, it must match the regex:[a-z0-9]{6}\.[a-z0-9]{16}
.kubeadm can generate a token for you:
kubeadm token generate
Start both the control-plane node and the worker nodes concurrently with this token. As they come up they should find each other and form the cluster. The same
--token
argument can be used on bothkubeadm init
andkubeadm join
.Similar can be done for
--certificate-key
when joining additional control-plane nodes. The key can be generated using:kubeadm certs certificate-key
Once the cluster is up, you can grab the admin credentials from the control-plane node at /etc/kubernetes/admin.conf
and use that to talk to the cluster.
Note that this style of bootstrap has some relaxed security guarantees because it does not allow the root CA hash to be validated with --discovery-token-ca-cert-hash
(since it’s not generated when the nodes are provisioned). For details, see the kubeadm join.
What’s next
- kubeadm init phase to understand more about
kubeadm init
phases - kubeadm join to bootstrap a Kubernetes worker node and join it to the cluster
- kubeadm upgrade to upgrade a Kubernetes cluster to a newer version
- kubeadm reset to revert any changes made to this host by
kubeadm init
orkubeadm join