kubeadm alpha

    This command is not meant to be run on its own. See list of available subcommands.

    Options

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Renew all known certificates necessary to run the control plane. Renewals are run unconditionally, regardless of expiration date. Renewals can also be run individually for more control.

    1. kubeadm alpha certs renew all [flags]

    Options

    —cert-dir string Default: "/etc/kubernetes/pki"
    The path where to save the certificates
    —config string
    Path to a kubeadm configuration file.
    —csr-dir string
    The path to output the CSRs and private keys to
    —csr-only
    Create CSRs instead of generating certificates
    -h, —help
    help for all
    —kubeconfig string Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
    —use-api
    Use the Kubernetes certificate API to renew certificates

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself.

    Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

    Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

    After renewal, in order to make changes effective, is is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

    1. kubeadm alpha certs renew admin.conf [flags]

    Options

    —cert-dir string Default: "/etc/kubernetes/pki"
    The path where to save the certificates
    —config string
    Path to a kubeadm configuration file.
    —csr-dir string
    The path to output the CSRs and private keys to
    —csr-only
    Create CSRs instead of generating certificates
    -h, —help
    help for admin.conf
    —kubeconfig string Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
    —use-api
    Use the Kubernetes certificate API to renew certificates

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Renew the certificate the apiserver uses to access etcd.

    Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

    Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

    After renewal, in order to make changes effective, is is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

    1. kubeadm alpha certs renew apiserver-etcd-client [flags]

    Options

    —cert-dir string Default: "/etc/kubernetes/pki"
    The path where to save the certificates
    —config string
    Path to a kubeadm configuration file.
    —csr-dir string
    The path to output the CSRs and private keys to
    —csr-only
    Create CSRs instead of generating certificates
    -h, —help
    help for apiserver-etcd-client
    —kubeconfig string Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
    —use-api
    Use the Kubernetes certificate API to renew certificates

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Renew the certificate for the API server to connect to kubelet.

    Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

    Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

    After renewal, in order to make changes effective, is is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

    1. kubeadm alpha certs renew apiserver-kubelet-client [flags]

    Options

    —cert-dir string Default: "/etc/kubernetes/pki"
    The path where to save the certificates
    —config string
    Path to a kubeadm configuration file.
    —csr-dir string
    The path to output the CSRs and private keys to
    —csr-only
    Create CSRs instead of generating certificates
    -h, —help
    help for apiserver-kubelet-client
    —kubeconfig string Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
    —use-api
    Use the Kubernetes certificate API to renew certificates

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Renew the certificate for serving the Kubernetes API.

    Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

    Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

    After renewal, in order to make changes effective, is is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

    1. kubeadm alpha certs renew apiserver [flags]

    Options

    —cert-dir string Default: "/etc/kubernetes/pki"
    The path where to save the certificates
    —config string
    Path to a kubeadm configuration file.
    —csr-dir string
    The path to output the CSRs and private keys to
    —csr-only
    Create CSRs instead of generating certificates
    -h, —help
    help for apiserver
    —kubeconfig string Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
    —use-api
    Use the Kubernetes certificate API to renew certificates

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Renew the certificate embedded in the kubeconfig file for the controller manager to use.

    Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

    Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

    1. kubeadm alpha certs renew controller-manager.conf [flags]

    Options

    —cert-dir string Default: "/etc/kubernetes/pki"
    The path where to save the certificates
    —config string
    Path to a kubeadm configuration file.
    —csr-dir string
    The path to output the CSRs and private keys to
    —csr-only
    Create CSRs instead of generating certificates
    -h, —help
    help for controller-manager.conf
    —kubeconfig string Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
    —use-api
    Use the Kubernetes certificate API to renew certificates

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Renew the certificate for liveness probes to healthcheck etcd.

    Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

    Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

    After renewal, in order to make changes effective, is is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Renew the certificate for etcd nodes to communicate with each other.

    Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

    Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

    After renewal, in order to make changes effective, is is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

    1. kubeadm alpha certs renew etcd-peer [flags]

    Options

    —cert-dir string Default: "/etc/kubernetes/pki"
    The path where to save the certificates
    —config string
    Path to a kubeadm configuration file.
    —csr-dir string
    The path to output the CSRs and private keys to
    —csr-only
    Create CSRs instead of generating certificates
    -h, —help
    help for etcd-peer
    —kubeconfig string Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
    —use-api
    Use the Kubernetes certificate API to renew certificates

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Renew the certificate for serving etcd.

    Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

    Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

    After renewal, in order to make changes effective, is is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

    1. kubeadm alpha certs renew etcd-server [flags]

    Options

    —cert-dir string Default: "/etc/kubernetes/pki"
    The path where to save the certificates
    —config string
    Path to a kubeadm configuration file.
    —csr-dir string
    The path to output the CSRs and private keys to
    —csr-only
    Create CSRs instead of generating certificates
    -h, —help
    help for etcd-server
    —kubeconfig string Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
    —use-api
    Use the Kubernetes certificate API to renew certificates

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Renew the certificate for the front proxy client.

    Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

    Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

    After renewal, in order to make changes effective, is is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

    1. kubeadm alpha certs renew front-proxy-client [flags]

    Options

    —cert-dir string Default: "/etc/kubernetes/pki"
    The path where to save the certificates
    —config string
    Path to a kubeadm configuration file.
    —csr-dir string
    The path to output the CSRs and private keys to
    —csr-only
    Create CSRs instead of generating certificates
    -h, —help
    help for front-proxy-client
    —kubeconfig string Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
    —use-api
    Use the Kubernetes certificate API to renew certificates

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Renew the certificate embedded in the kubeconfig file for the scheduler manager to use.

    Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

    Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

    After renewal, in order to make changes effective, is is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

    1. kubeadm alpha certs renew scheduler.conf [flags]

    Options

    —cert-dir string Default: "/etc/kubernetes/pki"
    The path where to save the certificates
    —config string
    Path to a kubeadm configuration file.
    —csr-dir string
    The path to output the CSRs and private keys to
    —csr-only
    Create CSRs instead of generating certificates
    -h, —help
    help for scheduler.conf
    —kubeconfig string Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
    —use-api
    Use the Kubernetes certificate API to renew certificates

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    kubeadm alpha certs certificate-key

    This command can be used to generate a new control-plane certificate key.The key can be passed as to kubeadm init and kubeadm jointo enable the automatic copy of certificates when joining additional control-plane nodes.

    Synopsis

    You can also use “kubeadm init –upload-certs” without specifying a certificate key and it willgenerate and print one for you.

    1. kubeadm alpha certs certificate-key [flags]

    Options

    -h, —help
    help for certificate-key

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    This command checks expiration for the certificates in the local PKI managed by kubeadm.For more details about certificate expiration and renewal see the certificate management documentation.

    Synopsis

    Checks expiration for the certificates in the local PKI managed by kubeadm.

    1. kubeadm alpha certs check-expiration [flags]

    Options

    —cert-dir string Default: "/etc/kubernetes/pki"
    The path where to save the certificates
    —config string
    Path to a kubeadm configuration file.
    -h, —help
    help for check-expiration

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    kubeadm alpha kubeconfig user

    The user subcommand can be used for the creation of kubeconfig files for additional users.

    Synopsis

    Kubeconfig file utilities.

    Alpha Disclaimer: this command is currently alpha.

    Options

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Output a kubeconfig file for an additional user.

    Alpha Disclaimer: this command is currently alpha.

    Examples

    1.   # Output a kubeconfig file for an additional user named foo
    2.   kubeadm alpha kubeconfig user --client-name=foo

    Options

    —apiserver-advertise-address string
    The IP address the API server is accessible on
    —apiserver-bind-port int32 Default: 6443
    The port the API server is accessible on
    —cert-dir string Default: "/etc/kubernetes/pki"
    The path where certificates are stored
    —client-name string
    The name of user. It will be used as the CN if client certificates are created
    -h, —help
    help for user
    —org stringSlice
    The orgnizations of the client certificate. It will be used as the O if client certificates are created
    —token string
    The token that should be used as the authentication mechanism for this kubeconfig, instead of client certificates

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Use the following commands to either download the kubelet configuration from the cluster orto enable the DynamicKubeletConfiguration feature.

    Synopsis

    This command is not meant to be run on its own. See list of available subcommands.

    Options

    -h, —help
    help for kubelet

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Download the kubelet configuration from a ConfigMap of the form “kubelet-config-1.X” in the cluster, where X is the minor version of the kubelet. Either kubeadm autodetects the kubelet version by exec-ing “kubelet –version” or respects the –kubelet-version parameter.

    Alpha Disclaimer: this command is currently alpha.

    1. kubeadm alpha kubelet config download [flags]

    Examples

    1.   # Download the kubelet configuration from the ConfigMap in the cluster. Autodetect the kubelet version.
    2.   kubeadm alpha phase kubelet config download
    5.   kubeadm alpha phase kubelet config download --kubelet-version 1.16.0

    Options

    -h, —help
    help for download
    —kubeconfig string Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
    —kubelet-version string
    The desired version for the kubelet. Defaults to being autodetected from 'kubelet —version'.

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Download the kubelet configuration from a ConfigMap of the form “kubelet-config-1.X” in the cluster, where X is the minor version of the kubelet. Either kubeadm autodetects the kubelet version by exec-ing “kubelet –version” or respects the –kubelet-version parameter.

    Alpha Disclaimer: this command is currently alpha.

    1. kubeadm alpha kubelet config download [flags]

    Examples

    1.   # Download the kubelet configuration from the ConfigMap in the cluster. Autodetect the kubelet version.
    2.   kubeadm alpha phase kubelet config download
    4.   # Download the kubelet configuration from the ConfigMap in the cluster. Use a specific desired kubelet version.
    5.   kubeadm alpha phase kubelet config download --kubelet-version 1.16.0

    Options

    -h, —help
    help for download
    —kubeconfig string Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
    —kubelet-version string
    The desired version for the kubelet. Defaults to being autodetected from 'kubelet —version'.

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    kubeadm alpha selfhosting pivot

    The subcommand pivot can be used to convert a static Pod-hosted control plane into a self-hosted one.

    Synopsis

    This command is not meant to be run on its own. See list of available subcommands.

    Options

    -h, —help
    help for selfhosting

    Options inherited from parent commands

    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.

    Synopsis

    Convert static Pod files for control plane components into self-hosted DaemonSets configured via the Kubernetes API.

    See the documentation for self-hosting limitations.

    Alpha Disclaimer: this command is currently alpha.

    1. kubeadm alpha selfhosting pivot [flags]

    Examples

    Options

    —cert-dir string Default: "/etc/kubernetes/pki"
    The path where certificates are stored
    —config string
    Path to a kubeadm configuration file.
    -f, —force
    Pivot the cluster without prompting for confirmation
    -h, —help
    help for pivot
    —kubeconfig string Default: "/etc/kubernetes/admin.conf"
    The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
    -s, —store-certs-in-secrets
    Enable storing certs in secrets
    —rootfs string
    [EXPERIMENTAL] The path to the 'real' host root filesystem.
    • kubeadm init to bootstrap a Kubernetes control-plane node
    • to connect a node to the cluster

    Feedback

    Was this page helpful?