Certificate key when adding node to Kubernetes control plane

4/25/2019

So I know how to add a worker node to an existing Kubernetes 1.14 cluster (that was set up with kubeadm): kubeadm token create --print-join-command will print a valid kubeadm join command with correct values for arguments --token and --discovery-token-ca-cert-hash.

I currently understand that for adding another node to the control plane (master node) kubeadm join requires the additional arguments --experimental-control-plane (w/o value) and --certificate-key. This is for stacked control plane and etcd nodes.

How (in which file) can I obtain the correct value for --certificate-key for an existing cluster?

UPDATE My first (and currently only) master node was created without the argument --experimental-upload-certs to kubeadm init (but by kubeadm init --pod-network-cidr=10.244.0.0/16 instead). Therefore manual certificate distribution should apply and a possible sequence of steps could thus be:

  1. copy certificates and keys in /etc/kubernetes/pki/{ca.*,sa.*,front-proxy-sa.*,etcd/ca.*} from the first to the new master node
  2. run kubeadm token create --print-join-command on the first master node
  3. run printed kubeadm join command with the additional argument --experimental-control-plane on the new master node

Is this the correct procedure?

-- rookie099
kubeadm
kubernetes
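The manual distribution in step 1 above is where mistakes hide: a mistyped file name or a glob that matches nothing fails silently, and the private keys end up on a second host. The helper below is an added example (not kubeadm's own tooling and not from the question) that lists exactly the files a joining control-plane node needs, checks they exist and are not world-readable on the first master, and only then copies them with modes preserved. It assumes root ssh/scp access to the new node and the default pki directory; kubeadm names the front-proxy CA pair front-proxy-ca.{crt,key}, so that is the name used here. Steps 2 and 3 of the question (token creation and the join itself) are still run by hand afterwards.

```shell
#!/usr/bin/env bash
# Hypothetical helper for manually distributing control-plane certificates
# to a new stacked control-plane/etcd node. Not part of kubeadm.
set -eu

# Source pki directory on the first master (kubeadm default).
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"

# Files a joining control-plane node must receive, relative to PKI_DIR.
# Everything else under pki/ (apiserver*, etcd/server*, ...) is generated
# per node by `kubeadm join` and must NOT be copied.
required_pki_files() {
  cat <<'EOF'
ca.crt
ca.key
sa.key
sa.pub
front-proxy-ca.crt
front-proxy-ca.key
etcd/ca.crt
etcd/ca.key
EOF
}

# Return 0 when every required file exists as a regular file in $1,
# otherwise report each missing path on stderr and return 1.
check_pki_files() {
  local dir="$1" missing=0 f
  for f in $(required_pki_files); do
    if [ ! -f "$dir/$f" ]; then
      echo "missing: $dir/$f" >&2
      missing=1
    fi
  done
  return $missing
}

# Return 1 if any private key in $1 is readable by "others" (mode o+r):
# such a key should be fixed (chmod 600) before it is copied anywhere.
check_key_perms() {
  local dir="$1" bad=0 f
  for f in $(required_pki_files); do
    case "$f" in
      *.key)
        if [ -n "$(find "$dir/$f" -perm -004 2>/dev/null)" ]; then
          echo "world-readable key: $dir/$f" >&2
          bad=1
        fi ;;
    esac
  done
  return $bad
}

# Copy the required files from $2 on this host to PKI_DIR on host $1.
# scp -p preserves the (root-only) modes; the etcd/ subdirectory is created first.
copy_pki_files() {
  local target="$1" dir="$2" f
  ssh "root@$target" "mkdir -p '$PKI_DIR/etcd'"
  for f in $(required_pki_files); do
    scp -p "$dir/$f" "root@$target:$PKI_DIR/$f"
  done
}

main() {
  local target="${1:?usage: $0 <new-master-host>}"
  check_pki_files "$PKI_DIR"
  check_key_perms "$PKI_DIR"
  copy_pki_files "$target" "$PKI_DIR"
  echo "certificates copied to $target; now run 'kubeadm token create --print-join-command' here"
  echo "and the printed join command with --experimental-control-plane on $target"
}

# Only perform the live copy when explicitly requested; the functions above
# can be exercised offline against any directory.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then main "$@"; fi
```

Run it on the first master as `RUN_EXAMPLE=1 ./copy-cp-certs.sh <new-master-host>`; the two checks abort the run before anything leaves the host if a file is missing or a key is too permissive.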

3 Answers

4/25/2019

According to the documentation, this command provides a new decryption key:

kubeadm init phase upload-certs --experimental-upload-certs
-- rookie099
Source: StackOverflow

1/7/2020

I was struggling with this in 1.17 and finally found this command would pre-generate a certificate key that I could use in both kubeadm init and kubeadm join. For it to work you need to pass --upload-certs as well when you run kubeadm init, similar to what you noted for 1.14.

# generate a certificate-key to be used
kubeadm alpha certs certificate-key

# initialize first master using above key, --upload-certs (and other parameters)
kubeadm init --control-plane-endpoint $API_SERVER:6443 --upload-certs --apiserver-cert-extra-sans $API_SERVER --certificate-key $CERT_KEY

# join other masters using the same certificate-key
kubeadm join $API_SERVER:6443 --token $TOKEN --discovery-token-ca-cert-hash $CAHASH --control-plane --certificate-key $CERT_KEY

-- tweeks200
Source: StackOverflow

4/30/2020

An alternative to the answers given is to use kubeadm to manage certificates by uploading them as a secret to kube-system (it will expire in 2 hours). There is no need to pass a certificate key in the init phase.

So you can do

kubeadm init --control-plane-endpoint "LOAD_BALANCER_DNS:LOAD_BALANCER_PORT"

And then at a later time

kubeadm init phase upload-certs --upload-certs

That command will output the certificate key you can use for the secret created:

kubeadm join LOAD_BALANCER_DNS:LOAD_BALANCER_PORT --token <token> \
--discovery-token-ca-cert-hash <hash> \
--control-plane \
--certificate-key <key from previous command>
-- cortopy
Source: StackOverflow
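Both the first and the last answer obtain the key from the output of `kubeadm init phase upload-certs`, and the only value worth extracting from it is the hex key on its final line. The script below is an added example (not part of kubeadm or of any answer above) that parses that output, validates the key (kubeadm's certificate key is a hex-encoded 32-byte key, so 64 hex characters), and appends `--control-plane --certificate-key` to the worker join command printed by `kubeadm token create --print-join-command`. The sample upload-certs output and join command embedded in it are constructed, with a placeholder CA hash; set RUN_LIVE=1 on the first control-plane node to use the real commands instead.

```shell
#!/usr/bin/env bash
# Hypothetical glue around `kubeadm init phase upload-certs --upload-certs`
# and `kubeadm token create --print-join-command`. Not part of kubeadm.
set -eu

# The certificate key is a hex-encoded 32-byte key: exactly 64 hex characters.
# Anything else means the wrong line of output was picked up.
is_certificate_key() {
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# Read the full upload-certs output on stdin and print only the key
# (the last line that validates as a certificate key).
extract_certificate_key() {
  local line key=""
  while IFS= read -r line; do
    if is_certificate_key "$line"; then key="$line"; fi
  done
  [ -n "$key" ] || { echo "no certificate key found in upload-certs output" >&2; return 1; }
  printf '%s\n' "$key"
}

# Turn the worker join command ($1) into a control-plane join by appending
# --control-plane and the certificate key ($2). Refuses anything that does not
# look like a `kubeadm join ... --token ... --discovery-token-ca-cert-hash ...` line.
# The join must run before the kubeadm-certs Secret expires (2 hours).
control_plane_join_cmd() {
  local join_cmd="$1" key="$2"
  case "$join_cmd" in
    "kubeadm join "*--token*--discovery-token-ca-cert-hash*) ;;
    *) echo "unexpected join command: $join_cmd" >&2; return 1 ;;
  esac
  is_certificate_key "$key" || { echo "invalid certificate key" >&2; return 1; }
  printf '%s --control-plane --certificate-key %s\n' "$join_cmd" "$key"
}

# Constructed sample of upload-certs output (not captured from a real cluster).
SAMPLE_UPLOAD_OUTPUT='[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

# Constructed sample of a --print-join-command line; the CA hash is a placeholder.
SAMPLE_JOIN_CMD='kubeadm join LOAD_BALANCER_DNS:LOAD_BALANCER_PORT --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:0000000000000000000000000000000000000000000000000000000000000000'

# With RUN_LIVE=1 the real kubeadm commands are run on the first control-plane
# node; otherwise the constructed samples are used so the script works offline.
main() {
  local key join
  if [ "${RUN_LIVE:-0}" = "1" ]; then
    key=$(kubeadm init phase upload-certs --upload-certs | extract_certificate_key)
    join=$(kubeadm token create --print-join-command)
  else
    key=$(printf '%s\n' "$SAMPLE_UPLOAD_OUTPUT" | extract_certificate_key)
    join="$SAMPLE_JOIN_CMD"
  fi
  control_plane_join_cmd "$join" "$key"
}

main
```

The printed command is what gets run on the new control-plane node; because the key decrypts the kubeadm-certs Secret, treat the printed line like a credential and do not leave it in shell history or logs on shared hosts.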