kubeadm: The Kube Admin for On-Premises Kubernetes
If you have ever wondered how to set up a true, production-ready Kubernetes cluster from absolute scratch, you are in the right place. Today, we are going to master kubeadm, the official and most widely recommended tool for bootstrapping Kubernetes clusters.
In simple words, setting up a Kubernetes cluster manually is a huge headache. You have to generate dozens of security certificates, configure core components like the API server, set up networking, and link everything together. kubeadm is an official command-line tool that automates all of this heavy lifting. With just a couple of simple commands (kubeadm init and kubeadm join), you can have a fully functional Kubernetes cluster up and running on your servers in minutes. It is the best way to build a standard, secure, and easily upgradeable cluster.
–
How kubeadm Works: The General Contractor Analogy
Imagine you are building a massive apartment complex (your Kubernetes Cluster).
If you do it manually, you are the one mixing the cement, laying every single brick, doing all the electrical wiring, and plumbing (generating certificates, configuring etcd, starting API servers). It takes forever and is prone to mistakes.
kubeadm is like hiring a highly skilled General Contractor. You just tell the contractor, “I want a building right here,” and they bring in the team, lay the foundation, set up the critical infrastructure, and hand you the keys. You still need to provide the land (your servers/infrastructure), but the contractor builds the complex perfectly according to standard building codes.
Quick Reference:
Here is your handy cheat sheet to keep by your side:
installing kubeadm
- https://kubernetes.io/docs/reference/setup-tools/kubeadm/
- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/
| Command | Action | Key Details to Remember |
kubeadm init | Bootstraps the Control Plane | Runs on the master node first. Generates certs, kubeconfig, and starts core pods. |
kubeadm join | Connects worker nodes | Requires a token and the master’s IP. Runs on every worker node. |
kubeadm upgrade | Upgrades the cluster | Seamlessly upgrades Kubernetes versions (e.g., v1 to v2). |
kubeadm config | Manages configurations | Use kubeadm config print init-defaults to see the base YAML setup. |
kubeadm certs | Manages certificates | Use kubeadm certs renew all to fix expired cluster certificates. |
kubeadm token | Manages join tokens | Tokens expire in 24 hours by default. Use kubeadm token create --print-join-command to make a new one. |
Under the Hood: The kubeadm init Phases
kubeadm is designed to be a fast, simple, and standard way to provision a minimum viable Kubernetes cluster that passes the Kubernetes Conformance tests. Its primary philosophy is to care only about bootstrapping, not about provisioning infrastructure (like Terraform) or installing third-party add-ons (like monitoring or logging).
When you run kubeadm init, it performs a series of well-defined phases:
- Pre-flight checks: Validates that the system meets all requirements (RAM, CPU, swap disabled, container runtime running).
- Certs & Kubeconfig: Generates all TLS certificates and
kubeconfigfiles for cluster components to communicate securely. - Control Plane: Generates static Pod manifests for the API server, Controller Manager, and Scheduler, and waits for the kubelet to start them.
- etcd: Configures a local etcd database for storing cluster state.
- Addons: Installs essential add-ons like CoreDNS and kube-proxy.
What You Need to Know Before You Start
If you are just starting out, here is what you really need to know about the foundation:
- Prerequisites are King:
kubeadmwill fail if your server isn’t ready. You absolutely must have a Container Runtime installed (like containerd or CRI-O),- Pro-Tip on Swap Memory: Historically, you had to disable Swap memory on your Linux machines for kubeadm to work. However, modern Kubernetes releases now support Swap memory environments! You can configure swap usage via the KubeletConfiguration, though disabling it remains the simplest path for beginners.
- The Power of Kubelet:
kubeadmdoesn’t actually run your cluster; it sets it up. The real worker iskubelet, a service that runs in the background on every machine.kubeadmdrops configuration files into a specific folder, andkubeletwakes up, reads them, and starts your Kubernetes components. - Bring Your Own Network (CNI): After running
kubeadm init, your cluster will look “NotReady”. This is normal!kubeadmdoes not install a network plugin. You must install a Container Network Interface (CNI) like Calico or Cilium so your Pods can talk to each other.
Beyond the Command Line
At an advanced architect level, you stop using kubeadm init directly on the command line and start using declarative Kubeadm Configuration Files (kubeadm-config.yaml).
Here is a quick example of what that declarative file looks like:
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: v1.30.0
controlPlaneEndpoint: "k8s-api.example.com:6443"
networking:
podSubnet: "10.244.0.0/16"- Phase Customization:
kubeadmis built using a “phases” architecture. You can skip or run specific phases usingkubeadm init phase <phase-name>. This is brilliant for highly customized setups where you might want to generate certificates yourself using an external enterprise CA, and then tellkubeadmto skip the cert generation phase. - High Availability (HA) Topology: For production, a single control plane node is a single point of failure. Architects design HA clusters in two ways using
kubeadm:- Stacked etcd Topology: etcd runs alongside the control plane components on the same master nodes. Easier to manage, requires minimum 3 master nodes.
- External etcd Topology: etcd runs on entirely separate servers. This is highly resilient and allows you to scale the control plane and etcd independently, but it requires much more infrastructure overhead.
DevSecOps Architect Level: Hardening the Cluster
Bootstrapping is just the beginning. Security must be baked in from the ground up.
- CIS Benchmarks Integration: Immediately after
kubeadm init, you must validate the configuration against CIS (Center for Internet Security) standards. Use tools like kube-bench to automatically scan your new master and worker nodes to ensure API server flags, kubelet configs, and file permissions are hardened. - Certificate Rotation Strategy:
kubeadmgenerates certificates with a 1-year expiration. A DevSecOps pipeline must include automated monitoring of these certificates and automated renewal strategies (usingkubeadm certs renewvia a secure cron job or automation platform like Ansible). - KMS Provider for Secret Encryption: By default, Kubernetes Secrets are stored in plain base64 in etcd. You must configure
kubeadmvia theEncryptionConfigurationfile to use a KMS (Key Management Service) plugin to encrypt secrets at rest in etcd. You inject this by adding the--encryption-provider-configflag into theapiServer.extraArgssection of your kubeadm config file. - Auditing: Modify the
kubeadmapiServer.extraArgsto enable Advanced Audit Logging (e.g.,--audit-log-path,--audit-policy-file) so every API call is logged and shipped to a SIEM tool.
Additional Details
- Key Components
- kubeadm: The command-line utility used to bootstrap the cluster.
- kubelet: The node agent that runs on every machine and actually starts the containers.
- kubectl: The command-line tool used to talk to the cluster API once it is up and running.
- Key Characteristics
- Idempotent phases: You can run
kubeadmphases multiple times safely. - Declarative configuration: Supports YAML-based cluster configurations.
- Modular: Follows the Unix philosophy of doing one thing (bootstrapping) very well.
- Idempotent phases: You can run
- Use Case
- Setting up on-premise, bare-metal Kubernetes clusters.
- Creating highly customized clusters in cloud environments where managed services (EKS/AKS) are too restrictive.
- Building edge computing Kubernetes environments.
- Benefits
- Standardized: Built and maintained by the official Kubernetes SIG-Cluster-Lifecycle team.
- Easy Upgrades:
kubeadm upgrademakes version bumps incredibly smooth. - Secure by Default: Implements RBAC, secure node bootstrappers, and proper TLS out of the box.
- Best Practices
- Always use a
kubeadm-config.yamlfile instead of passing dozens of command-line flags. Store this file in a Git repository (GitOps). - Always set up a Highly Available (HA) Control Plane with a load balancer placed in front of your master nodes.
- Automate your etcd backups from day one.
- Always use a
- Technical Challenges
- Managing underlying OS dependencies (kernel modules like
br_netfilter, container runtimes, systemd settings). - Managing the external Load Balancer for the API server in a bare-metal environment (often requires external tools like HAProxy or Keepalived).
- Managing underlying OS dependencies (kernel modules like
- Limitations
- It does NOT provision infrastructure (VMs, networks, firewalls).
- It does NOT install a CNI (Network) or CSI (Storage) plugin out of the box.
- Common Issues
- Pre-flight checks failing: Usually due to Swap being enabled, port 6443 being blocked, or the container runtime socket not being found.
- Nodes stuck in ‘NotReady’ state: This happens 99% of the time because the administrator forgot to install a CNI plugin after running
kubeadm init.
- Problems and Solutions
| Problem | Symptom | Solution |
| Pre-flight checks failing | Errors during kubeadm init | Usually due to Swap being improperly configured, port 6443 being blocked, or the container runtime socket not being found. |
| Nodes stuck in ‘NotReady’ | kubectl get nodes shows NotReady | This happens 99% of the time because the administrator forgot to install a CNI plugin after running kubeadm init. |
| Certificates Expired | x509: certificate has expired error | Run kubeadm certs renew all on the master nodes and restart the API server pods. |
| Worker node won’t join | Connection refused or timeout during kubeadm join | Ensure the join token hasn’t expired (kubeadm token list). Check firewall rules between worker and master on port 6443. |
| CoreDNS Pending | CoreDNS pods are stuck in Pending or ContainerCreating | Install a CNI plugin (e.g., Calico or Cilium). CoreDNS requires a pod network to start properly. |
kubeadm list
Here is the comprehensive and detailed list of kubeadm commands, categorized by their role in the cluster lifecycle.
1. Cluster Bootstrapping and Teardown
These commands are the foundation of kubeadm, used to initially create the cluster, attach new nodes to it, or completely dismantle the setup.
| Command | Description and Common Usage |
kubeadm init | Bootstraps a new Kubernetes control-plane node. It generates certificates, kubeconfig files, and deploys the control plane components (API server, controller manager, scheduler, etcd). Common flags include --pod-network-cidr (specifies the pod network range) and --apiserver-advertise-address (sets the IP the API server will listen on). |
kubeadm init phase | Invokes specific phases of the init workflow individually (e.g., certs, kubeconfig, control-plane, etcd, mark-control-plane). Useful for customized bootstrapping or debugging. |
kubeadm join | Bootstraps a worker node or an additional control-plane node and joins it to an existing cluster. It requires a bootstrap token and the API server endpoint. Using the --control-plane flag promotes the joining node to a control plane instance for High Availability (HA) setups. |
kubeadm join phase | Executes individual phases of the join process (e.g., preflight, control-plane-prepare, kubelet-start). |
kubeadm reset | Reverts any changes made to the host by kubeadm init or kubeadm join. It stops the kubelet, removes cluster containers, cleans up networking configuration, and deletes generated certificates and kubeconfig files. |
kubeadm reset phase | Runs specific phases of the reset process, such as preflight, remove-etcd-member, or cleanup-node. |
2. Cluster Upgrades
Maintaining a Kubernetes cluster requires periodic upgrades. kubeadm provides a structured workflow for safely upgrading the control plane and node components.
| Command | Subcommand | Description and Common Usage |
kubeadm upgrade | plan | Checks the cluster’s current version against available versions. It verifies component compatibility and prints a recommended upgrade plan, including the exact apply command to execute. |
kubeadm upgrade | apply | Upgrades the primary control-plane node to a specified version. It handles upgrading the control plane pods (API server, etc.) and core add-ons like CoreDNS and kube-proxy. |
kubeadm upgrade | node | Upgrades the local kubelet configuration on worker nodes or secondary control-plane nodes to match the newly upgraded cluster version. |
3. Certificate Management
Kubernetes relies heavily on PKI (Public Key Infrastructure) for secure communication. kubeadm acts as a local Certificate Authority (CA) and manages these assets.
| Command | Subcommand | Description and Common Usage |
kubeadm certs | check-expiration | Inspects all certificates managed by kubeadm on the local node and displays their expiration dates and residual time. |
kubeadm certs | renew | Renews the certificates for the control plane. You can renew all certificates at once using kubeadm certs renew all or specify individual components like apiserver or etcd-server. |
kubeadm certs | generate-csr | Generates Certificate Signing Requests (CSRs) and corresponding private keys. This is used when integrating kubeadm with an external Certificate Authority instead of using the built-in CA. |
4. Bootstrap Token Management
Bootstrap tokens are used to establish trust between a joining node and the control plane before the node has been fully authenticated.
| Command | Subcommand | Description and Common Usage |
kubeadm token | create | Generates a new bootstrap token on the server. By default, tokens expire after 24 hours. You can use the --print-join-command flag to output the exact kubeadm join command required for new nodes. |
kubeadm token | list | Displays a list of all active bootstrap tokens in the cluster, including their usage purposes and expiration times. |
kubeadm token | delete | Revokes and removes a specific bootstrap token from the cluster, immediately preventing any new nodes from using it to join. |
kubeadm token | generate | Simply generates a randomly formatted token string locally without storing it in the cluster API. Useful for scripting automated deployments. |
5. Configuration and Image Management
These commands allow administrators to manage the underlying configuration files and pre-pull required container images to speed up the initialization process.
| Command | Subcommand | Description and Common Usage |
kubeadm config | print | Prints the default configuration objects. For example, kubeadm config print init-defaults outputs a YAML template that can be customized and passed to kubeadm init --config. |
kubeadm config | migrate | Reads an older version of a kubeadm configuration file and converts it to the latest supported API version. |
kubeadm config | images list | Outputs a list of the container images (and their exact tags) required by the control plane for the current or specified Kubernetes version. |
kubeadm config | images pull | Proactively pulls the required control plane container images to the local container runtime. This significantly speeds up the kubeadm init process and is highly recommended in environments with slow internet. |
6. Utility and Information
Miscellaneous commands for managing client access and verifying the tool’s status.
| Command | Subcommand | Description and Common Usage |
kubeadm kubeconfig | user | Outputs a valid kubeconfig file for a specified user. This allows administrators to generate authentication files with specific privileges (client certificates) to hand out to team members. |
kubeadm version | N/A | Prints the current version of the kubeadm binary, the compiler used, and the underlying platform architecture. |
Conclusion
Mastering kubeadm is a badge of honor for any DevSecOps engineer or Kubernetes architect. While managed cloud services are great, knowing exactly how to bootstrap, secure, and troubleshoot a cluster from the ground up gives you an unmatched understanding of Kubernetes internals. Practice it, break it, and fix it that is the true path to expertise.