---
title: Adding Linux worker nodes
content_type: task
weight: 10
---

<!-- overview -->

This page explains how to add Linux worker nodes to a kubeadm cluster.

## {{% heading "prerequisites" %}}

* Each joining worker node has installed the required components from
  [Installing kubeadm](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/), such as
  kubeadm, the kubelet and a {{< glossary_tooltip term_id="container-runtime" text="container runtime" >}}.
* A running kubeadm cluster created by `kubeadm init` and following the steps
  in the document [Creating a cluster with kubeadm](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/).
* You need superuser access to the node.

<!-- steps -->

## Adding Linux worker nodes

To add new Linux worker nodes to your cluster, do the following for each machine:

1. Connect to the machine by using SSH or another method.
1. Run the command that was output by `kubeadm init`. For example:

   ```bash
   sudo kubeadm join --token <token> <control-plane-host>:<control-plane-port> --discovery-token-ca-cert-hash sha256:<hash>
   ```

### Additional information for kubeadm join

{{< note >}}
To specify an IPv6 tuple for `<control-plane-host>:<control-plane-port>`, the IPv6 address must be enclosed in square brackets, for example: `[2001:db8::101]:2073`.
{{< /note >}}

If you do not have the token, you can get it by running the following command on the control plane node:

```bash
# Run this on a control plane node
sudo kubeadm token list
```

The output is similar to this:

```console
TOKEN                    TTL  EXPIRES              USAGES           DESCRIPTION            EXTRA GROUPS
8ewj1p.9r9hcjoqgajrj4gi  23h  2018-06-12T02:51:28Z authentication,  The default bootstrap  system:
                                                   signing          token generated by     bootstrappers:
                                                                    'kubeadm init'.        kubeadm:
                                                                                           default-node-token
```

By default, node join tokens expire after 24 hours. If you are joining a node to the cluster after the
current token has expired, you can create a new token by running the following command on the
control plane node:

```bash
# Run this on a control plane node
sudo kubeadm token create
```

The output is similar to this:

```console
5didvk.d09sbcov8ph2amjw
```

If you don't have the value of `--discovery-token-ca-cert-hash`, you can get it by running the
following commands on the control plane node:

```bash
# Run this on a control plane node
sudo cat /etc/kubernetes/pki/ca.crt | openssl x509 -pubkey | openssl rsa -pubin -outform der 2>/dev/null | \
   openssl dgst -sha256 -hex | sed 's/^.* //'
```

The output is similar to:

```console
8cb2de97839780a412b93877f8507ad6c94f73add17d5d7058e91741c9d5ec78
```
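
The value passed to `--discovery-token-ca-cert-hash` is the SHA-256 of the cluster CA's public key, which the joining node uses to check the CA presented by the control plane. The following added example (not part of the Kubernetes documentation; the function names are hypothetical) computes that value with `openssl pkey` in place of the `openssl rsa` step, so non-RSA CA keys also work, and checks the token, endpoint and hash format before printing a join command:

```bash
# Added example; function names are hypothetical. Needs only the openssl CLI.

# ca_pin CERT: print "sha256:<hex>", the SHA-256 of the certificate's DER-encoded
# SubjectPublicKeyInfo. `openssl pkey` stands in for `openssl rsa` so that
# non-RSA CA keys are handled too.
ca_pin() (
  # Fail closed: otherwise a bad file would yield the hash of empty input,
  # which has the shape of a valid pin.
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || exit 1
  hex=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -hex | sed 's/^.* //')
  printf '%s\n' "$hex" | grep -Eqx '[0-9a-f]{64}' || exit 1
  printf 'sha256:%s\n' "$hex"
)

# matches VALUE REGEX: whole-value match; embedded newlines are rejected.
matches() {
  case $1 in *'
'*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eqx "$2"
}

# Bootstrap tokens have the form [a-z0-9]{6}.[a-z0-9]{16}.
valid_token()    { matches "$1" '[a-z0-9]{6}\.[a-z0-9]{16}'; }
valid_pin()      { matches "$1" 'sha256:[0-9a-f]{64}'; }
# IPv6 literals must be bracketed, as the note on this page requires.
valid_endpoint() { matches "$1" '(\[[0-9A-Fa-f:]+\]|[A-Za-z0-9.-]+):[0-9]{1,5}'; }

# join_command TOKEN HOST:PORT PIN: print the join command only when every
# field is well formed, so a truncated paste never reaches kubeadm.
join_command() {
  valid_token "$1"    || { echo "malformed token" >&2; return 1; }
  valid_endpoint "$2" || { echo "malformed endpoint" >&2; return 1; }
  valid_pin "$3"      || { echo "malformed CA cert hash" >&2; return 1; }
  printf 'sudo kubeadm join --token %s %s --discovery-token-ca-cert-hash %s\n' \
    "$1" "$2" "$3"
}

# pin_matches CERT PIN: succeed only if CERT's public key hashes to PIN.
pin_matches() {
  valid_pin "$2" && [ "$(ca_pin "$1")" = "$2" ]
}
```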

The output of the `kubeadm join` command should look something like:

```
[preflight] Running pre-flight checks

... (log output of join workflow) ...

Node join complete:
* Certificate signing request sent to control-plane and response
  received.
* Kubelet informed of new secure connection details.

Run 'kubectl get nodes' on control-plane to see this machine join.
```

A few seconds later, you should notice this node in the output from `kubectl get nodes`
(for example, run `kubectl` on a control plane node).

{{< note >}}
As the cluster nodes are usually initialized sequentially, the CoreDNS Pods are likely to all run
on the first control plane node. To provide higher availability, please rebalance the CoreDNS Pods
with `kubectl -n kube-system rollout restart deployment coredns` after at least one new node is joined.
{{< /note >}}

## {{% heading "whatsnext" %}}

* See how to [add Windows worker nodes](/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/).