Adding Linux worker nodes
This page explains how to add Linux worker nodes to a kubeadm cluster.
Before you begin
- Each joining worker node has installed the required components from Installing kubeadm, such as, kubeadm, the kubelet and a container runtime.
- A running kubeadm cluster created by
kubeadm initand following the steps in the document Creating a cluster with kubeadm. - You need superuser access to the node.
Adding Linux worker nodes
To add new Linux worker nodes to your cluster do the following for each machine:
- Connect to the machine by using SSH or another method.
- Run the command that was output by
kubeadm init. For example:
sudo kubeadm join --token <token> <control-plane-host>:<control-plane-port> --discovery-token-ca-cert-hash sha256:<hash> Additional information for kubeadm join
Note:
To specify an IPv6 tuple for<control-plane-host>:<control-plane-port>, IPv6 address must be enclosed in square brackets, for example: [2001:db8::101]:2073.If you do not have the token, you can get it by running the following command on the control plane node:
# Run this on a control plane nodesudo kubeadm token list The output is similar to this:
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS 8ewj1p.9r9hcjoqgajrj4gi 23h 2018-06-12T02:51:28Z authentication, The default bootstrap system: signing token generated by bootstrappers: 'kubeadm init'. kubeadm: default-node-token By default, node join tokens expire after 24 hours. If you are joining a node to the cluster after the current token has expired, you can create a new token by running the following command on the control plane node:
# Run this on a control plane nodesudo kubeadm token create The output is similar to this:
5didvk.d09sbcov8ph2amjw If you don't have the value of --discovery-token-ca-cert-hash, you can get it by running the following commands on the control plane node:
# Run this on a control plane nodesudo cat /etc/kubernetes/pki/ca.crt | openssl x509 -pubkey | openssl rsa -pubin -outform der 2>/dev/null | \ openssl dgst -sha256 -hex | sed 's/^.* //'The output is similar to:
8cb2de97839780a412b93877f8507ad6c94f73add17d5d7058e91741c9d5ec78 The output of the kubeadm join command should look something like:
[preflight] Running pre-flight checks ... (log output of join workflow) ... Node join complete: * Certificate signing request sent to control-plane and response received. * Kubelet informed of new secure connection details. Run 'kubectl get nodes' on control-plane to see this machine join. A few seconds later, you should notice this node in the output from kubectl get nodes. (for example, run kubectl on a control plane node).
Note:
As the cluster nodes are usually initialized sequentially, the CoreDNS Pods are likely to all run on the first control plane node. To provide higher availability, please rebalance the CoreDNS Pods withkubectl -n kube-system rollout restart deployment coredns after at least one new node is joined.What's next
- See how to add Windows worker nodes.
