I've lost the original 'kubeadm join' command when I previously ran
kubeadm init.
How can I retrieve this value again?
kubeadm token create --print-join-command
To print a join command for a new worker node use:
kubeadm token create --print-join-command
But if you need to join a new control plane node, you need to recreate a new key for the control plane join command. This can be done with three simple steps:
1. Re-upload certificates in the already working master node with kubeadm init phase upload-certs --upload-certs. That will generate a new certificate key.
2. Print the join command in the already working master node with kubeadm token create --print-join-command.
3. Join a new control plane node with $JOIN_COMMAND_FROM_STEP2 --control-plane --certificate-key $KEY_FROM_STEP1.
This might not work for the old Kubernetes versions but I tried with the new version and it worked for me.
To create the kubeadm join command, please run the following commands:
Step 1 - Retrieve Token CA Hash:
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt \
| openssl rsa -pubin -outform der 2>/dev/null \
| openssl dgst -sha256 -hex \
| sed 's/^.* //'
This command will provide you with the public key.
Step 2 - Retrieve bootstrap Tokens:
kubeadm token list
This will print all tokens, so copy the token value under TOKEN with the description "The default bootstrap token generated by kubeadm init."
Step 3 - Creates kubeadm init command:
Now use the following syntax to create the join command without creating a new token:
kubeadm join <ip-address>:6443 \
--token=<token-from-step-2> \
--discovery-token-ca-cert-hash sha256:<ca-hash-from-step-1>
The kubeadm token create command creates a new token, in this case without any description, so for you not to create any additional tokens, just pick the token which has a DESCRIPTION as mentioned in Step 2.
Run the below command on your master node machine.
kubeadm token create --print-join-command
This command will generate the new token as well as the join command which you can use at your worker node to join the cluster.
Building off @Abhishek Jain's answer, here's a script to print the kubeadm join command with a little help from jq:
# get the join command from the kube master
CERT_HASH=$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt \
| openssl rsa -pubin -outform der 2>/dev/null \
| openssl dgst -sha256 -hex \
| sed 's/^.* //')
TOKEN=$(kubeadm token list -o json | jq -r '.token' | head -1)
IP=$(kubectl get nodes -lnode-role.kubernetes.io/master -o json \
| jq -r '.items[0].status.addresses[] | select(.type=="InternalIP") | .address')
PORT=6443
echo "sudo kubeadm join $IP:$PORT \
--token=$TOKEN --discovery-token-ca-cert-hash sha256:$CERT_HASH"
If you are joining control plane nodes, you will need a certificate key in the command too:
kubeadm token create \
--print-join-command \
--certificate-key \
$(kubeadm alpha certs certificate-key)
The kubeadm alpha certs certificate-key command will generate a new certificate key on demand as per the documentation.
To join a worker node, the command kubeadm token create --print-join-command given in the accepted answer is sufficient.
For the latest version of kubeadm.
To generate the kubeadm join commands for both worker and control-plane nodes, use the following command:
kubeadm token create --print-join-command --certificate-key $(sudo kubeadm init phase upload-certs --upload-certs | sed -n '3p')
kubeadm join k8smaster:6443 --token agxebq.kljgq3kr7zd2fck6 \
--discovery-token-ca-cert-hash sha256:0037e6ca1515d85bb7eab227804083fd17fe800eab227804083fd17fe800 \
--control-plane --certificate-key 994eab227804083fd17fe80051dcfec02e01bbff7916967
For joining a new worker node:
Use the same command as above, but omit the --control-plane and --certificate-key flags:
kubeadm join k8smaster:6443 --token agxebq.kljgq3kr7zd2fck6 \
--discovery-token-ca-cert-hash sha256:0037e6ca1515eab227804083fd17fe8000eab227804083fd17fe800
Here is a bash script that automates this task:
read -p 'master ip address : ' ipaddr
# SHA-256 of the cluster CA public key, used for --discovery-token-ca-cert-hash
sha_token="$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //')"
# first token listed by kubeadm (line 2 of the output, after the header row)
token="$(kubeadm token list | awk '{print $1}' | sed -n '2 p')"
echo "kubeadm join $ipaddr:6443 --token=$token --discovery-token-ca-cert-hash sha256:$sha_token"
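An added example, not taken from any of the answers above: the openssl pipeline they share goes through openssl rsa, which only parses RSA keys, and its final openssl dgst stage still prints a digest (of empty input) when an earlier stage fails. The sketch below hashes the CA key with openssl pkey, fails closed, and checks the token and hash format before printing a worker join command; all function names are hypothetical and the sample CA is a throwaway one constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of kubeadm.
# Usage on a control-plane node (path as used in the answers above):
#   print_join <endpoint>:6443 "$TOKEN" /etc/kubernetes/pki/ca.crt

# Prints the SHA-256 of the CA's DER-encoded public key (the value after
# "sha256:" in --discovery-token-ca-cert-hash). `openssl pkey` reads RSA and
# EC keys; staging through a file means a failed parse returns an error
# instead of the digest of empty input.
ca_cert_hash() {
    der=$(mktemp) || return 1
    openssl x509 -pubkey -noout -in "$1" 2>/dev/null \
        | openssl pkey -pubin -outform DER -out "$der" 2>/dev/null
    rc=1
    if [ -s "$der" ]; then
        openssl dgst -sha256 -hex <"$der" | sed 's/^.* //'
        rc=0
    fi
    rm -f "$der"
    return "$rc"
}

# Bootstrap token format: 6 chars, a dot, 16 chars, all lowercase alphanumeric.
valid_token() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# A pin is "sha256:" followed by exactly 64 lowercase hex digits.
valid_pin() {
    printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# True only if the pin is well formed and matches the CA certificate file.
pin_matches_ca() {
    valid_pin "$2" && [ "$2" = "sha256:$(ca_cert_hash "$1")" ]
}

# Prints a worker join command. Arguments: endpoint, token, CA cert path.
print_join() {
    valid_token "$2" || { echo "malformed token" >&2; return 1; }
    hash=$(ca_cert_hash "$3") || { echo "cannot hash $3" >&2; return 1; }
    echo "kubeadm join $1 --token $2 --discovery-token-ca-cert-hash sha256:$hash"
}

# Constructed sample input: a throwaway self-signed ECDSA CA, not a cluster CA.
make_sample_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key" &&
        openssl req -x509 -new -key "$1/ca.key" -subj "/CN=kubernetes" \
            -days 1 -out "$1/ca.crt" 2>/dev/null
}
```

pin_matches_ca can also be run against a join command someone pasted from notes, to confirm its hash still belongs to the current cluster CA before using it.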