Kubernetes - How To Generate Kubeadm Token For Secondary Control Plane Node(s) - Stack Overflow

The document discusses how to generate tokens for adding secondary control plane nodes to an existing Kubernetes cluster. It provides the following steps: 1. Run "kubeadm init phase upload-certs --upload-certs" on the primary master node to upload certificates. 2. Run "kubeadm token create --print-join-command" on the primary master to generate a join token. 3. Use the output from step 2 along with the "--control-plane --certificate-key" flags to join additional control plane nodes.


How to generate kubeadm token for secondary control plane node(s)
Asked 1 year, 9 months ago Modified 2 months ago Viewed 5k times

When we launch a master prime node, the node creates tokens for worker and master nodes with a TTL.

According to the documentation for kubeadm token (I have also tested it and it works), we can issue a command and get a new token (with a default TTL of 24h):

kubeadm token create --print-join-command

I am trying to figure out how I can create the relevant token if I want to add a new control plane node (secondary master).

I tried passing some flags e.g.:

kubeadm token create --print-join-command --control-plane

but it fails (of course) since this flag is not recognized.

I also found in the documentation that we can do it with a direct link to a config file, e.g. ref kubeadm-join/file, or with HTTPS-based discovery:

kubeadm join --discovery-file path/to/file.conf # (local file)
kubeadm join --discovery-file https://url/file.conf # (remote HTTPS URL)

In my case I do not have a local conf file, nor am I planning to use a URL link.

Is there any other way to create a new token with a command for control plane nodes rather than worker nodes?

kubernetes token kubectl

edited Sep 17, 2020 at 14:43 by Arghya Sadhu; asked Sep 17, 2020 at 10:38 by Thanos

6 Answers
You need to run on the master:

kubeadm init phase upload-certs --upload-certs

Remember the output.

Then you need to run on the master:

kubeadm token create --print-join-command

Then compose the joining command for the joining master node from this output and add to it:
--control-plane --certificate-key xxxx

See this video for an explanation with an example: https://www.youtube.com/watch?v=27v36t-3afQ

The most interesting part starts at 20:40. There are some 'experimental' words in the video due to an older version.

answered Feb 2, 2021 at 14:23 by Sasha Golikov

Very interesting. I might use this approach when I am updating the CAs in my cluster. Thanks for
sharing. –  Thanos Feb 2, 2021 at 16:18
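The three steps of the answer above, carried into a script as an added example (my code, not the answerer's and not part of kubeadm): it pulls the certificate key out of the upload-certs output, checks that the worker join command carries a bootstrap token and a sha256 CA pin and does not disable CA verification, and only then appends --control-plane --certificate-key. The two command outputs in the script are constructed samples with placeholder values; on a real primary control plane node you would capture them from kubeadm as shown in the comment at the end.

```sh
#!/bin/sh
# Added example, not code from the Stack Overflow answer or from kubeadm.
# Composes the control-plane join command from the outputs of
#   kubeadm init phase upload-certs --upload-certs
#   kubeadm token create --print-join-command
# with format checks, so that a garbled output cannot produce a join command
# that silently skips CA pinning.

# The certificate key is a 32-byte key printed as 64 lowercase hex characters
# on a line of its own; every other line of the upload-certs output is log text.
extract_certificate_key() {
    printf '%s\n' "$1" | grep -E '^[0-9a-f]{64}$' | head -n 1
}

# A usable worker join command must start with "kubeadm join", carry a
# bootstrap token (6.16 chars) and a sha256: pin of the CA public key, and
# must not carry the flag that turns that pin off.
validate_join_command() {
    cmd="$1"
    case "$cmd" in
        "kubeadm join "*) ;;
        *) return 1 ;;
    esac
    case "$cmd" in
        *--discovery-token-unsafe-skip-ca-verification*) return 1 ;;
    esac
    printf '%s\n' "$cmd" | grep -Eq -e '--token [a-z0-9]{6}\.[a-z0-9]{16}( |$)' || return 1
    printf '%s\n' "$cmd" | grep -Eq -e '--discovery-token-ca-cert-hash sha256:[0-9a-f]{64}( |$)' || return 1
    return 0
}

# $1: worker join command, $2: certificate key. Prints the control-plane
# join command on success; prints nothing and returns 1 otherwise.
compose_control_plane_join() {
    join_cmd="$1"
    cert_key="$2"
    validate_join_command "$join_cmd" || { echo "refusing: bad join command" >&2; return 1; }
    printf '%s\n' "$cert_key" | grep -Eq '^[0-9a-f]{64}$' \
        || { echo "refusing: certificate key is not 64 hex chars" >&2; return 1; }
    printf '%s --control-plane --certificate-key %s\n' "$join_cmd" "$cert_key"
}

# Constructed sample outputs (placeholder key and hash, not from a real cluster).
SAMPLE_UPLOAD_OUTPUT='[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
SAMPLE_JOIN_OUTPUT='kubeadm join loadBalancerIP:6443 --token 05odrq.712o9lv89kd4jg8x --discovery-token-ca-cert-hash sha256:8f16b6d5304f070de0d32a6663ffaa30ac58163f9cfd38be4af405ac78c93b73'

# Demo on the constructed samples.
compose_control_plane_join "$SAMPLE_JOIN_OUTPUT" "$(extract_certificate_key "$SAMPLE_UPLOAD_OUTPUT")"

# On the primary control plane node the real inputs would be captured like this:
#   UPLOAD_OUTPUT=$(kubeadm init phase upload-certs --upload-certs)
#   JOIN_OUTPUT=$(kubeadm token create --print-join-command)
#   compose_control_plane_join "$JOIN_OUTPUT" "$(extract_certificate_key "$UPLOAD_OUTPUT")"
```

The kubeadm-certs Secret written by --upload-certs holds the cluster's CA private keys encrypted with this certificate key, and both the Secret and the key expire after two hours, so run the upload right before the join and handle the key with the same care as the CA key it unlocks. Current kubeadm can also skip the composition step: kubeadm token create --print-join-command --certificate-key <key> prints the full control-plane join command directly.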
Based on the comments of the users it seems that when someone runs this command:

kubeadm token create --print-join-command

it should output two strings, for example:

kubeadm join loadBalancerIP:6443 --token xxxx --discovery-token-ca-cert-hash sha256:xxxx
kubeadm join loadBalancerIP:6443 --token xxxx --discovery-token-ca-cert-hash sha256:xxxx --control-plane --certificate-key xxxx

In my case, unfortunately, it did not. Maybe because I am using self-signed certs from kubeadm, or maybe because the deployment is on bare metal nodes.

Nevertheless, I managed to resolve my problem in a different way.

According to the official documentation Steps for the first control plane node:

"You can also specify a custom --certificate-key during init that can later be used by join. To
generate such a key you can use the following command:"

kubeadm alpha certs certificate-key

Once the user runs the command on the intended master prime node (not a started node yet), they should see something like this:

# kubeadm alpha certs certificate-key
xxxx

Then as the documentation says:

"Note: The kubeadm init flags --config and --certificate-key cannot be mixed, therefore if you
want to use the kubeadm configuration you must add the certificateKey field in the
appropriate config locations (under InitConfiguration and JoinConfiguration: controlPlane)."

In my case I use a conf file, so I add the content into my file:

apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
certificateKey: xxxx
localAPIEndpoint:
  advertiseAddress:
  bindPort: 6443
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
---
etc etc

Once the user has this key and launches the prime master with it (as shown above), the next step is to use exactly the same cert key for the secondary master nodes, e.g.:

kubeadm join loadBalancerIP:6443 --token xxxx --discovery-token-ca-cert-hash sha256:xxxx --control-plane --certificate-key xxxx

Note: It is recommended to use a script to produce this data in order to use a new cert key
when you destroy / create the master node(s).

Hope this helps someone else in the future so they do not spend as much time as I did.

answered Sep 17, 2020 at 19:27 by Thanos

Hey, is the output from kubeadm alpha certs certificate-key the same as the expected value after the SHA256 in --discovery-token-ca-cert-hash sha256:xxxx? If not, do you know how to get the value that goes into the xxxx? – nazar Mar 29, 2021 at 20:45

You can get the full join command with $ kubeadm token create --print-join-command. It will result in something like: kubeadm join loadbalancer_host_name:port_that_is_listening --token <token string> --discovery-token-ca-cert-hash sha256:xxxx. If you want only the sha256:xxxx, a small command using bash: $ openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -pubkey | openssl rsa -pubin -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1 will result in xxxx. Remember those commands need to be executed on one of the master nodes. – Thanos Mar 30, 2021 at 13:48

Yep, thank you, went with the second option and works well. – nazar Mar 30, 2021 at 16:24
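The question in the comments above (how to get the value after sha256:) answered as an added example of mine, not the commenter's code: the pin is the SHA-256 of the DER-encoded SubjectPublicKeyInfo of the cluster CA, which the comment computes with openssl rsa. This version uses openssl pkey instead, so it also covers a cluster whose CA key is ECDSA (a generalization beyond what the thread shows), and adds a check that a join command received out of band pins the CA you expect before you run it. It assumes openssl on PATH and defaults to the kubeadm CA path /etc/kubernetes/pki/ca.crt; any PEM certificate path can be passed instead.

```sh
#!/bin/sh
# Added example, not code from the comment or from kubeadm.
# --discovery-token-ca-cert-hash sha256:<hex> pins the cluster CA by the
# SHA-256 of its DER-encoded SubjectPublicKeyInfo. The joining node uses it
# to reject a spoofed API server during token-based discovery.

# Print the pin for the CA certificate in $1 (default: the kubeadm location).
# "openssl pkey" handles RSA and EC keys alike; "openssl rsa" only the former.
ca_cert_hash() {
    ca="${1:-/etc/kubernetes/pki/ca.crt}"
    [ -r "$ca" ] || { echo "cannot read CA certificate $ca" >&2; return 1; }
    openssl x509 -in "$ca" -noout -pubkey \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# Pull the sha256 pin out of a kubeadm join command (prints nothing if absent).
join_cmd_hash() {
    printf '%s\n' "$1" | sed -n 's/.*--discovery-token-ca-cert-hash sha256:\([0-9a-f]\{64\}\).*/\1/p'
}

# Return 0 only if the join command in $1 pins exactly the CA certificate in $2.
# A join command without a pin, or with a pin for some other CA, fails.
verify_join_pin() {
    expected=$(ca_cert_hash "$2") || return 1
    actual=$(join_cmd_hash "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Standalone use on a control plane node: print the pin for the cluster CA,
# or for the certificate given as the first argument.
if [ -n "${1:-}" ] || [ -r /etc/kubernetes/pki/ca.crt ]; then
    ca_cert_hash "${1:-}"
fi
```

The pin is what makes a token-based join resistant to a man-in-the-middle on the API server address; a join command that lacks it, or that carries --discovery-token-unsafe-skip-ca-verification, trusts whatever answers at that address.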
The command kubeadm token create does not have any flag --control-plane.

From the docs:

When you run the command kubeadm token create --print-join-command you get two commands in the output, and you use the command with the --control-plane flag to join the control plane node.

answered Sep 17, 2020 at 10:51 by Arghya Sadhu

I do not get two outputs I only get one. :( Is it possible to have configured something wrong?
–  Thanos Sep 17, 2020 at 12:41

error execution phase preflight: couldn't validate the identity of the API Server: could not find a JWS
signature in the cluster-info ConfigMap for token ID "khs2bu" – Sasha Golikov Feb 2, 2021 at 12:22

I believe there is no separate token for adding more control planes; you just have to add --control-plane while adding.

To get the join command: kubeadm token create --print-join-command

Assuming certificates are already uploaded and set in place. More details can be found here: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/

Edit: sorry for the delayed update. kubeadm alpha certs certificate-key can be used to create the key,

then upload them using kubeadm init phase upload-certs --upload-certs --certificate-key=<above key>

and use this to create the join command: kubeadm token create --print-join-command --certificate-key <key created above>

You can pass --control-plane to the above join command for additional control planes and ignore this flag for worker nodes.

edited Jun 30, 2021 at 5:14; answered Sep 17, 2020 at 10:52 by user2039152
The stdout after launching the first node is: kubeadm join nodeMaster:6443 --token xxxx --discovery-token-ca-cert-hash sha256:xxxx --control-plane --certificate-key xxxx. My question is how do I generate these tokens (ca-cert-hash / certificate-key)? I can find the directory on my master node (/etc/kubernetes/pki) but the keys are huge in comparison to the ones the prime generated. – Thanos Sep 17, 2020 at 11:04

you can get it using kubeadm token create --print-join-command – user2039152 Sep 17,
2020 at 16:07

Unfortunately not :(. It only returns this for me: kubeadm join loadBalancerIP:6443 --token 05odrq.712o9lv89kd4jg8x --discovery-token-ca-cert-hash sha256:xxxx. Is there something that I am missing? – Thanos Sep 17, 2020 at 16:21

I am using self signed certificates, I have not yet pushed my certs (but it should not matter).
–  Thanos Sep 17, 2020 at 16:22

yes for above output, you can just add --control-plane to join more masters – user2039152 Sep
18, 2020 at 11:18

I think you want the commands below.

Display the command:

echo "$(kubeadm token create --print-join-command) --control-plane"

kubeadm join 192.168.5.50:8443 --token b99yno.3ju18t22w80ishlz --discovery-token-ca-cert-hash sha256:8f16b6d5304f070de0d32a6663ffaa30ac58163f9cfd38be4af405ac78c93b73 --control-plane

Run the command:

echo "$(kubeadm token create --print-join-command) --control-plane" | sh

edited Dec 17, 2021 at 21:04 by Antoine; answered Dec 16, 2021 at 10:08 by JasonLong

Your answer could be improved with additional supporting information. Please edit to add further
details, such as citations or documentation, so that others can confirm that your answer is correct.
You can find more information on how to write good answers in the help center. – Community Bot
Dec 16, 2021 at 10:33

"Display the command" makes no sense. Did you mean "run the command?" Display means show.
– mr.zog Jan 13 at 13:28
The following will create the join command for your additional controllers.

echo $(kubeadm token create --print-join-command) --control-plane --certificate-key $(kubeadm init phase upload-certs --upload-certs | grep -vw -e certificate -e Namespace)

answered Apr 11 at 16:24 by Ft00msh
