Step-by-step guide on generating kubeadm token for secondary control plane node with real commands and config examples. Our Kubernetes Support Team is always here to help you.
How to Generate Kubeadm Token for Secondary Control Plane Node
Setting up a Kubernetes cluster with more than one control plane node often raises the same question: how do I generate a kubeadm token for secondary control plane node? The answer is straightforward, but there are some small details you can’t miss, especially around certificate keys. Let’s walk through the process without overcomplicating it.
An Overview
Start with the first control plane node
On your primary control plane node, upload the control-plane certificates to the cluster so that the other control plane nodes can fetch them when they join. Run:
kubeadm init phase upload-certs --upload-certs
Keep the output safe: it contains the certificate key, and you will need it later.
Create the join command
Next, generate the kubeadm join command with a valid token. On the first control plane node, use:
kubeadm token create --print-join-command
Normally, this will give you two commands. For example:
kubeadm join loadBalancerIP:6443 --token xxxx --discovery-token-ca-cert-hash sha256:xxxx
kubeadm join loadBalancerIP:6443 --token xxxx --discovery-token-ca-cert-hash sha256:xxxx --control-plane --certificate-key xxxx
In many environments this works fine. However, if you are using self-signed certificates or bare metal, you may not see the second command with --control-plane. Don't worry: you can still handle this.
Generate a certificate key manually
Kubernetes provides a way to generate your own certificate key. Run this on the primary node before running kubeadm init:
kubeadm alpha certs certificate-key
It will give you a string like:
xxxx
As the documentation explains:
The kubeadm init flags --config and --certificate-key cannot be mixed. If you are using a config file, you must add the certificateKey field in your configuration.
For example:
apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
certificateKey: xxxx
localAPIEndpoint:
  advertiseAddress:
  bindPort: 6443
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
apiServer:
  timeoutForControlPlane: 4m0s
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
---
This way, the first control plane launches with the certificate key embedded.
Use the same key for secondary nodes
Once you have the key, you can join other control plane nodes by appending it to the join command. Example:
kubeadm join loadBalancerIP:6443 --token xxxx --discovery-token-ca-cert-hash sha256:xxxx --control-plane --certificate-key xxxx
This is the kubeadm token for secondary control plane node you were looking for. Without the --control-plane flag, the node will only join as a worker.
Alternative one-liner
You can also create the join command for controllers directly with:
echo $(kubeadm token create --print-join-command) --control-plane --certificate-key $(kubeadm init phase upload-certs --upload-certs | grep -vw -e certificate -e Namespace)
And if you just want to print the join command with --control-plane in a simple way:
echo "$(kubeadm token create --print-join-command) --control-plane"
For instance:
kubeadm join 192.168.5.50:8443 --token b99yno.3ju18t22w80ishlz --discovery-token-ca-cert-hash sha256:8f16b6d5304f070de0d32a6663ffaa30ac58163f9cfd38be4af405ac78c93b73 --control-plane
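The join command above is assembled from three values that each have a fixed shape: a bootstrap token, a CA certificate hash and a certificate key. The script below is an added example, not code from the original post: it extracts the key from the output of kubeadm init phase upload-certs, checks each value for the shape kubeadm expects before anything is run on a new node, and only then appends --control-plane --certificate-key to the worker join command, which is what the one-liner does without any checks. It assumes the two-log-lines-then-key layout of the upload-certs output shown in the sample; all token, hash and key values in it are constructed. The ca_cert_hash function derives the sha256 value from the cluster CA the way the Kubernetes documentation describes (hash of the DER-encoded public key), using openssl pkey in place of openssl rsa so that non-RSA CA keys also work.

```shell
#!/bin/sh
# Added example, not part of the original post: pull the certificate key out of
# the upload-certs output, check every piece of the join command for the shape
# kubeadm expects, and only then append --control-plane --certificate-key.
# Assumptions: the two-line-then-key layout of the upload-certs output below is
# what kubeadm prints; all token, hash and key values here are constructed.

# Constructed sample of `kubeadm init phase upload-certs --upload-certs` output.
SAMPLE_UPLOAD_OUTPUT='[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

# Constructed sample of `kubeadm token create --print-join-command` output.
SAMPLE_JOIN_CMD='kubeadm join 10.0.0.10:6443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210'

# 64 lowercase hex characters: the shape of both the certificate key and the CA hash.
is_hex64() { printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'; }

# Bootstrap token "id.secret": 6 then 16 lowercase alphanumerics.
is_token() { printf '%s' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'; }

# Read upload-certs output on stdin and print the key line only. Matching the
# key by shape is stricter than `grep -vw -e certificate -e Namespace`: a
# warning line kubeadm might print would not slip through as the "key".
cert_key_from_upload_output() {
  key=$(grep -E '^[0-9a-f]{64}$' | tail -n 1)
  [ -n "$key" ] || { echo "no certificate key found in upload-certs output" >&2; return 1; }
  printf '%s\n' "$key"
}

# Usage: build_control_plane_join "<worker join command>" "<certificate key>"
# Prints the control-plane join command, or fails if any piece is malformed.
build_control_plane_join() {
  join_cmd=$1
  key=$2
  case "$join_cmd" in
    "kubeadm join "*) ;;
    *) echo "not a kubeadm join command: $join_cmd" >&2; return 1 ;;
  esac
  token=$(printf '%s\n' "$join_cmd" | sed -n 's/.*--token \([^ ]*\).*/\1/p')
  hash=$(printf '%s\n' "$join_cmd" | sed -n 's/.*--discovery-token-ca-cert-hash sha256:\([^ ]*\).*/\1/p')
  is_token "$token" || { echo "malformed or missing --token" >&2; return 1; }
  is_hex64 "$hash"  || { echo "malformed or missing --discovery-token-ca-cert-hash" >&2; return 1; }
  is_hex64 "$key"   || { echo "certificate key must be 64 hex characters" >&2; return 1; }
  printf '%s --control-plane --certificate-key %s\n' "$join_cmd" "$key"
}

# Compute the value that belongs after "sha256:" from the cluster CA certificate
# (e.g. /etc/kubernetes/pki/ca.crt). The hash is over the DER-encoded public
# key, which is why a joining node ends up pinned to this CA and not merely to
# an address. Needs openssl.
ca_cert_hash() {
  openssl x509 -pubkey -noout -in "$1" \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 \
    | sed 's/^.* //'
}

# Stand-alone run: assemble the control-plane join command from the samples.
KEY=$(printf '%s\n' "$SAMPLE_UPLOAD_OUTPUT" | cert_key_from_upload_output)
build_control_plane_join "$SAMPLE_JOIN_CMD" "$KEY"
```

On a real cluster, replace the two samples with the live outputs of the commands named in their comments and compare ca_cert_hash /etc/kubernetes/pki/ca.crt on the first control plane node with the value in the join command before running it on the new node. Both secrets are short-lived by design: the bootstrap token defaults to a 24-hour TTL (kubeadm token create --ttl shortens it, and kubeadm token delete revokes it once the node has joined), and the kubeadm-certs Secret that the certificate key decrypts is removed after two hours, so a key that has sat in a chat log or ticket for a day is useless to anyone who finds it. On kubeadm releases where the alpha subcommands have been promoted, the key generator is kubeadm certs certificate-key instead of kubeadm alpha certs certificate-key.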
Conclusion
The kubeadm token for secondary control plane node isn't separate from the one you use for worker nodes. You simply add --control-plane and provide the correct certificate key. Once you understand this, adding more control plane nodes to your Kubernetes cluster becomes a lot easier.
