I've lost the original 'kubeadm join' command when I previously ran kubeadm init.
How can I retrieve this value again?
kubeadm token create --print-join-command
To print a join command for a new worker node use:
kubeadm token create --print-join-command
But if you need to join a new control plane node, you need to recreate a new key for the control plane join command. This can be done with three simple steps:
1. Re-upload certificates in the already working master node with kubeadm init phase upload-certs --upload-certs. That will generate a new certificate key.
2. Print the join command in the already working master node with kubeadm token create --print-join-command.
3. Join a new control plane node with $JOIN_COMMAND_FROM_STEP2 --control-plane --certificate-key $KEY_FROM_STEP1.
This might not work for the old Kubernetes versions but I tried with the new version and it worked for me.
To create the kubeadm join command, please run the following commands:
Step 1 - Retrieve Token CA Hash:
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt \
| openssl rsa -pubin -outform der 2>/dev/null \
| openssl dgst -sha256 -hex \
| sed 's/^.* //'
This command will provide you the public key.
Step 2 - Retrieve bootstrap Tokens:
kubeadm token list
This will print all tokens, so copy the token value under TOKEN with the description "The default bootstrap token generated by kubeadm init."
Step 3 - Create kubeadm init command:
Now use the following syntax to create the join command without creating a new token:
kubeadm join <ip-address>:6443 \
--token=<token-from-step-2> \
--discovery-token-ca-cert-hash sha256:<ca-hash-from-step-1>
The kubeadm token create command creates a new token, in this case without any description, so in order not to create any additional tokens, just pick the token which has a DESCRIPTION as mentioned in Step 2.
Run the below command on your master node machine.
kubeadm token create --print-join-command
This command will generate the new token as well as the join command which you can use at your worker node to join the cluster.
Building off @Abhishek Jain's answer, here's a script to print the kubeadm join command with a little help from jq:
# get the join command from the kube master
CERT_HASH=$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt \
| openssl rsa -pubin -outform der 2>/dev/null \
| openssl dgst -sha256 -hex \
| sed 's/^.* //')
TOKEN=$(kubeadm token list -o json | jq -r '.token' | head -1)
IP=$(kubectl get nodes -lnode-role.kubernetes.io/master -o json \
| jq -r '.items[0].status.addresses[] | select(.type=="InternalIP") | .address')
PORT=6443
echo "sudo kubeadm join $IP:$PORT \
--token=$TOKEN --discovery-token-ca-cert-hash sha256:$CERT_HASH"
If you are joining control plane nodes, you will need a certificate key in the command too:
kubeadm token create \
--print-join-command \
--certificate-key \
$(kubeadm alpha certs certificate-key)
The kubeadm alpha certs certificate-key command will generate a new certificate key on demand as per the documentation.
To join a worker node, the command kubeadm token create --print-join-command given in the accepted answer is sufficient.
Here is a bash script that automates this task:
# prompt for the control plane address
read -rp 'master ip address : ' ipaddr
# SHA-256 of the CA public key (shell assignments take no spaces around '=')
sha_token="$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //')"
# first token in the listing (line 1 is the header row)
token="$(kubeadm token list | awk '{print $1}' | sed -n '2 p')"
echo "kubeadm join $ipaddr:6443 --token=$token --discovery-token-ca-cert-hash sha256:$sha_token"
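
Added example, not part of any answer above: the hand-assembled variants print a join command even when a piece is missing, and if a stage of the openssl pipeline fails, the digest step hashes empty input and still returns a well-formed SHA-256. The sketch below validates each part before printing; the function names and sample values are constructed for illustration, and the token pattern is kubeadm's `[a-z0-9]{6}.[a-z0-9]{16}` bootstrap token format.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample values are constructed.
LC_ALL=C; export LC_ALL   # make [a-z] ranges byte-exact

# SHA-256 of empty input: what "openssl dgst" prints when an earlier pipeline
# stage failed and its error was hidden by 2>/dev/null.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Bootstrap token: 6-char id, a dot, 16-char secret, all in [a-z0-9].
valid_token() {
  [ "${#1}" -eq 23 ] || return 1
  _id=${1%%.*}
  _secret=${1#*.}
  [ "${#_id}" -eq 6 ] || return 1
  [ "${#_secret}" -eq 16 ] || return 1
  case "$_id$_secret" in *[!a-z0-9]*) return 1 ;; esac
  return 0
}

# CA pin: exactly 64 lowercase hex characters, and not the hash of nothing.
valid_ca_hash() {
  [ "${#1}" -eq 64 ] || return 1
  case "$1" in *[!0-9a-f]*) return 1 ;; esac
  [ "$1" != "$EMPTY_SHA256" ]
}

# Usage: build_join_command <host:port> <token> <hex-ca-hash>
# Prints the join command only if every part passes validation.
build_join_command() {
  case "$1" in
    ''|*[[:space:]]*) echo "error: empty or malformed endpoint" >&2; return 1 ;;
  esac
  valid_token "$2" || { echo "error: no usable bootstrap token" >&2; return 1; }
  valid_ca_hash "$3" || { echo "error: CA hash missing or empty-input digest" >&2; return 1; }
  printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash sha256:%s\n' \
    "$1" "$2" "$3"
}

# Demo with constructed values: the first call prints, the second is refused.
build_join_command 192.0.2.10:6443 abcdef.0123456789abcdef "$(printf '%064d' 7)"
build_join_command 192.0.2.10:6443 abcdef.0123456789abcdef "$EMPTY_SHA256" \
  || echo "refused: CA hash is the digest of empty input" >&2
```

On a real control plane node the three arguments would come from the commands shown in the answers; a refusal means the token list or the CA hash pipeline needs to be checked by hand.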