Kubeadm: generate token doesn't print the control-plane join command

Created on 4 Jun 2019 · 7 comments · Source: kubernetes/kubeadm

Is this a BUG REPORT or FEATURE REQUEST?

FEATURE REQUEST

Versions

kubeadm version (use kubeadm version):

kubeadm version: &version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.2", GitCommit:"66049e3b21efe110454d67df4fa62b08ea79a19b", GitTreeState:"clean", BuildDate:"2019-05-16T16:20:34Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.2", GitCommit:"66049e3b21efe110454d67df4fa62b08ea79a19b", GitTreeState:"clean", BuildDate:"2019-05-16T16:23:09Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.2", GitCommit:"66049e3b21efe110454d67df4fa62b08ea79a19b", GitTreeState:"clean", BuildDate:"2019-05-16T16:14:56Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release):
NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
  • Kernel (e.g. uname -a):
Linux ip-172-31-18-64 4.15.0-1032-aws #34-Ubuntu SMP Thu Jan 17 15:18:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
  • Others:

What happened?

kubeadm token create --print-join-command only prints the result of GetJoinWorkerCommand; it does not print the result of GetJoinControlPlaneCommand.

What you expected to happen?

I would like to be able to print the control-plane command on demand too, machine readable and separate. An example from sudo kubeadm init --config /home/ubuntu/kubeadm-config.yaml --experimental-upload-certs:

kubeadm join 172.31.16.155:6443 --token jke2ys.lf9okzcpfx4aoi55 \
    --discovery-token-ca-cert-hash sha256:32d3b0b88bdb6e8d567b60303a9093201cd4bca0ee57d3d8cbe108c8cb4203fd \
    --experimental-control-plane --certificate-key b2f9f17044d8ef49397816213e994993cfd74419c9d5bb5d72d6f0e98aa600c6

Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --experimental-upload-certs" to reload certs afterward.

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 172.31.16.155:6443 --token jke2ys.lf9okzcpfx4aoi55 \
    --discovery-token-ca-cert-hash sha256:32d3b0b88bdb6e8d567b60303a9093201cd4bca0ee57d3d8cbe108c8cb4203fd

How to reproduce it (as minimally and precisely as possible)?

kubeadm token create --print-join-command
kubeadm join 172.31.16.155:6443 --token b94ckq.i5t7u459397c7rgb     --discovery-token-ca-cert-hash sha256:32d3b0b88bdb6e8d567b60303a9093201cd4bca0ee57d3d8cbe108c8cb4203fd

Anything else we need to know?

Was there a reason why this wasn't implemented with this merge, https://github.com/kubernetes/kubernetes/pull/75487? As in, someone complained about the nodes but not about the control plane?

area/UX kind/design priority/important-longterm

All 7 comments

@janitha09 I tried it and got the below output:

[root@localhost ~]# kubeadm token create --print-join-command
kubeadm join 192.168.122.237:6443 --token hsfved.1yv2jl5es5mdxi03 --discovery-token-ca-cert-hash sha256:7f93a1bd427be8dc12021a31f5b73ad4bc2ac2e40b95d740921e32a1f39e0a2e

Because we don't store the certificate key, we can't print the join command with the --certificate-key.

@janitha09
As @yagonobre is suggesting, it is not possible to print the control-plane join any time after init because the certificate key is intentionally not stored in the cluster for security reasons.

The effort for implementing machine readable output instead is tracked in https://github.com/kubernetes/kubeadm/issues/494

@neolit123 considering ^^ I'm for closing this issue. wdyt?

SGTM

How could one go about adding a control plane node after the initial token goes away (2h I think)? When a new token is generated, GetJoinControlPlaneCommand does print the key. Maybe it comes down to the first point: should you be able to add a control plane node?

  1. kubeadm token create to create a new token that you pass to join; also see the --print-join-command flag. These tokens expire in 24h.
  2. kubeadm init phase upload-certs --experimental-upload-certs to re-upload the control-plane certificates in a new secret and give a decryption key for the secret. This secret expires in 2h.

you need to pass the token and certificate-key to the join command on the new node.
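The two-step procedure above, composed into a single control-plane join command. This is an added example and not kubeadm's own code; it assumes the 1.14 flag spelling used in this thread and reads the two commands' stdout as text, so it can be exercised offline on constructed sample output.

```shell
# Added example, not kubeadm's own code: rebuild the control-plane join command
# after init, from the outputs of the two steps above. The helpers take the
# command output as text so they can be exercised offline on constructed input.
set -eu

# The last non-empty line printed by
# `kubeadm init phase upload-certs --experimental-upload-certs` is the
# 64-hex-char decryption key for the "kubeadm-certs" secret (valid for 2h).
extract_cert_key() {
  printf '%s\n' "$1" | awk 'NF { last = $NF } END { print last }'
}

# `kubeadm token create --print-join-command` prints one `kubeadm join ...`
# worker line (token valid for 24h); keep only that line.
extract_worker_join() {
  printf '%s\n' "$1" | grep '^kubeadm join ' | head -n 1
}

# Compose the control-plane variant: the worker line plus the two control-plane
# flags (kubeadm 1.14 spelling; later releases drop the "experimental-" prefix).
build_control_plane_join() {
  key=$(extract_cert_key "$2")
  # Refuse to emit a command around a malformed key rather than a misleading one.
  case "$key" in
    ""|*[!0-9a-f]*) echo "no valid certificate key in upload-certs output" >&2; return 1 ;;
  esac
  [ ${#key} -eq 64 ] || { echo "certificate key must be 64 hex chars" >&2; return 1; }
  printf '%s --experimental-control-plane --certificate-key %s\n' \
    "$(extract_worker_join "$1")" "$key"
}

# The key decrypts the cluster's private keys; use this form for logs or tickets.
redact_cert_key() {
  printf '%s\n' "$1" | sed 's/--certificate-key [0-9a-f]*/--certificate-key <redacted>/'
}

# Constructed sample outputs (shape as kubeadm prints it; values copied from the
# thread's expired example). In real use:
#   TOKEN_OUT=$(kubeadm token create --print-join-command)
#   UPLOAD_OUT=$(kubeadm init phase upload-certs --experimental-upload-certs)
TOKEN_OUT='kubeadm join 172.31.16.155:6443 --token b94ckq.i5t7u459397c7rgb     --discovery-token-ca-cert-hash sha256:32d3b0b88bdb6e8d567b60303a9093201cd4bca0ee57d3d8cbe108c8cb4203fd'
UPLOAD_OUT='[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
b2f9f17044d8ef49397816213e994993cfd74419c9d5bb5d72d6f0e98aa600c6'

build_control_plane_join "$TOKEN_OUT" "$UPLOAD_OUT" | redact_cert_key
```

Run the unredacted output only on the node being joined; the redacted form is what should land in shell history, CI logs or tickets.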

Just in case it helps someone else:

I have an external etcd cluster, so I need to pass the kubeadm-config.yaml so kubeadm has the information about the etcd cluster certificates to put them into the new secret, which is where the new control plane node gets them from.

kubeadm init phase upload-certs --upload-certs --config kubeadm-config.yaml
