BLOG03a: kubeadm to Join New Node

BLOG04: Joining new node

1. Get the join command directly

Run this on the control-plane (master) node:

For worker node join token

kubeadm token create --print-join-command

This prints something like:

kubeadm join <control-plane-endpoint>:6443 --token <token> \
    --discovery-token-ca-cert-hash sha256:<hash>

2. Get command for joining as a new control-plane node

If you need to join another control-plane node, run:

kubeadm init phase upload-certs --upload-certs
kubeadm token create --print-join-command --certificate-key <CERT_KEY>

Where <CERT_KEY> is output from the first command.

3. List existing tokens

kubeadm token list

If none exist, create a new token:

kubeadm token create

kubeadm does not store join commands themselves, but it does store the token metadata and CA hash in Kubernetes and on disk.

Below is exactly where you can find already-created token details and the files involved.

1. How to view existing token details

Run on the control-plane node:

List all tokens

kubeadm token list

This shows:

Token ID
Expiration
Usages (authentication)
Description

Describe a specific token

Tokens are stored as Kubernetes Secrets.

kubectl -n kube-system get secrets | grep bootstrap-token

Then describe one:

kubectl -n kube-system describe secret bootstrap-token-<tokenid>

This shows:

Token ID + Secret key
Allowed usages
Expiration
Creation timestamp

2. Where join token information is stored

The join tokens live inside the cluster, not as local files.

Location:

Secrets in namespace kube-system

kube-system/bootstrap-token-xxxxxx

Token structure is split into:

/token-id
/token-secret

These combine as:

<token-id>.<token-secret>

3. Where certificate/CA information is stored on disk

Discovery CA hash is derived from:

/etc/kubernetes/pki/ca.crt

You can manually compute it:

openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt \
  | openssl rsa -pubin -outform der 2>/dev/null \
  | openssl dgst -sha256 -hex \
  | sed 's/^.* //'

4. Where control-plane certificate key comes from

If you ran:

kubeadm init phase upload-certs --upload-certs

The certificate key is stored in memory only and not saved to disk for security reasons.

You must regenerate it if needed:

kubeadm init phase upload-certs --upload-certs

🔍 Summary

Item

Where Stored

How to View

Join token

Kubernetes Secret (kube-system)

kubeadm token list, kubectl describe secret

CA cert / discovery hash

/etc/kubernetes/pki/ca.crt

compute hash with openssl

Control-plane certificate key

Not saved

regenerate with upload-certs

Constructing Join Command Manually

Here’s how to reconstruct the exact kubeadm join command from the existing data on your cluster.

Control-plane endpoint
Join token
Discovery CA hash
(optional) certificate key for control-plane nodes

1. Get the join token

TOKEN=$(kubeadm token list | awk 'NR==2{print $1}')
echo $TOKEN

If no token exists, create one:

TOKEN=$(kubeadm token create)

2. Compute the discovery-token-ca-cert-hash

HASH=$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt \
| openssl rsa -pubin -outform der 2>/dev/null \
| openssl dgst -sha256 -hex \
| awk '{print $2}')
echo $HASH

3. Get the control-plane endpoint

Most clusters (kubeadm default) use the master’s API server address from kubeadm-config.

ENDPOINT=$(kubectl -n kube-system get cm kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' \
| grep 'controlPlaneEndpoint' | awk '{print $2}')
echo $ENDPOINT

If the field is missing, you can directly use the control-plane node IP:

ENDPOINT=$(hostname -I | awk '{print $1}'):6443

4. Build the join command (Worker node)

echo "kubeadm join $ENDPOINT --token $TOKEN --discovery-token-ca-cert-hash sha256:$HASH"

This prints:

kubeadm join <endpoint>:6443 --token <id.secret> --discovery-token-ca-cert-hash sha256:<hash>

5. Build the join command (Control-plane node)

If you want to join a new MASTER node, regenerate a cert key first:

CERT_KEY=$(kubeadm init phase upload-certs --upload-certs | tail -1)

Then:

echo "kubeadm join $ENDPOINT --token $TOKEN --discovery-token-ca-cert-hash sha256:$HASH --control-plane --certificate-key $CERT_KEY"

PreviousLAB03: Joining New Node NextLAB03a: Kubernetes Lifecycle Management Lab (v1.33 → v1.34)

Last updated 1 month ago

Good night

hashtagBLOG04: Joining new node

hashtag1. Get the join command directly

hashtagFor worker node join token

hashtag2. Get command for joining as a new control-plane node

hashtag3. List existing tokens

hashtag1. How to view existing token details

hashtagList all tokens

hashtagDescribe a specific token

hashtag2. Where join token information is stored

hashtagLocation:

hashtag3. Where certificate/CA information is stored on disk

hashtagDiscovery CA hash is derived from:

hashtag4. Where control-plane certificate key comes from

hashtag🔍 Summary

hashtagConstructing Join Command Manually

hashtag1. Get the join token

hashtag2. Compute the discovery-token-ca-cert-hash

hashtag3. Get the control-plane endpoint

hashtag4. Build the join command (Worker node)

hashtag5. Build the join command (Control-plane node)