Solutions
Audit & Optimization Platform Design Automation Team Structure
Documentation Blog
Get Started
Kubernetes Operations 2018

kubeadm Goes GA: Production-Ready Cluster Bootstrapping

K8s Guru
6 min read
#kubeadm #bootstrap #operations #cluster-lifecycle #kubernetes-1.13
kubeadm Goes GA: Production-Ready Cluster Bootstrapping

Table of Contents

Introduction

On December 4, 2018, with the release of Kubernetes 1.13, kubeadm reached General Availability (GA), marking a milestone in the evolution of Kubernetes bootstrapping. After two years of beta development, kubeadm had matured into a production-ready tool capable of creating, upgrading, and managing Kubernetes clusters with minimal operational overhead.

This mattered because kubeadm represented the official, cloud-agnostic path to Kubernetes. While managed services (EKS, AKS, GKE) handled control planes for cloud users, kubeadm remained the foundation for on-premises deployments, custom distributions, and teams needing full control over their infrastructure.

Historical note: kubeadm’s GA coincided with Kubernetes 1.13, which also introduced significant improvements to the Container Storage Interface (CSI) and Windows node support, making 1.13 a landmark release for production Kubernetes.

What GA Meant for kubeadm

Production Readiness

  • Stable API: The kubeadm configuration API (v1beta1) became stable, enabling reliable automation and tooling.
  • Upgrade Reliability: kubeadm upgrade workflows were battle-tested and supported in-place upgrades between minor versions.
  • Certificate Management: Improved certificate rotation and management, reducing operational toil.
  • HA Support: High availability setups with stacked or external etcd were production-ready.

Ecosystem Impact

  • Distribution Foundation: kubeadm became the base for many Kubernetes distributions (Rancher, OpenShift, and others).
  • CI/CD Integration: kubeadm’s predictable behavior made it ideal for automated cluster provisioning in CI/CD pipelines.
  • Educational Value: The official bootstrapping tool became the standard for learning Kubernetes internals.

kubeadm vs kubespray vs kops: On-Premises Comparison

Capabilitykubeadmkubespraykops (AWS)
Infrastructure ScopeCloud-agnostic, on-premisesCloud-agnostic, on-premisesAWS-specific
Deployment MethodBinary + config filesAnsible playbooksCLI + S3 state
HA SetupManual LB + kubeadm configAnsible-automatedAutomated multi-AZ
Upgradeskubeadm upgradeAnsible playbookskops rolling-update
NetworkingManual CNI installationCNI included in playbooksAdd-on management
Learning CurveModerateHigher (Ansible knowledge)Moderate (AWS knowledge)
CustomizationDeep (edit manifests)Deep (Ansible variables)Deep (cluster spec)
State ManagementLocal config filesAnsible inventoryS3-backed state
Best ForStandard setups, learningComplex, multi-nodeAWS-only deployments

Production Patterns with kubeadm GA

High Availability Setup

# Initialize first master with HA configuration
kubeadm init \
  --control-plane-endpoint "LOAD_BALANCER_DNS:6443" \
  --upload-certs \
  --pod-network-cidr=10.244.0.0/16 \
  --config=kubeadm-config.yaml

# Join additional masters
kubeadm join LOAD_BALANCER_DNS:6443 \
  --token <token> \
  --discovery-token-ca-cert-hash sha256:<hash> \
  --control-plane \
  --certificate-key <key> \
  --config=kubeadm-config.yaml

Configuration File Approach

kubeadm GA introduced stable configuration files (v1beta1), enabling declarative cluster setup:

apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
kubernetesVersion: v1.13.0
controlPlaneEndpoint: "LOAD_BALANCER_DNS:6443"
networking:
  podSubnet: "10.244.0.0/16"
  serviceSubnet: "10.96.0.0/12"
apiServer:
  extraArgs:
    feature-gates: "CSINodeInfo=true,CSIDriverRegistry=true"

Upgrade Workflow

# Plan upgrade (dry-run)
kubeadm upgrade plan

# Upgrade control plane
kubeadm upgrade apply v1.13.1

# Upgrade kubelet and kubectl on each node
apt-get update && apt-get install -y kubelet=1.13.1-00 kubectl=1.13.1-00
systemctl restart kubelet
  1. Infrastructure Provisioning: Use configuration management (Ansible, Terraform) to provision VMs with Docker/CRI-O, kubelet, and kubeadm.
  2. Load Balancer: Deploy HAProxy or nginx for API server load balancing (or use cloud LB if available).
  3. kubeadm Configuration: Define cluster configuration in YAML files for version control and repeatability.
  4. CNI Installation: Install Calico, Flannel, or Cilium immediately after kubeadm init.
  5. Add-Ons: Deploy CoreDNS, metrics-server, and monitoring stack via manifests or Helm.
  6. Certificate Management: Plan for certificate rotation before 1-year expiration.

Comparison: kubeadm vs kubespray

When to Choose kubeadm

  • Standard Deployments: You want a standard Kubernetes setup without extensive customization.
  • Learning Kubernetes: kubeadm’s simplicity makes it ideal for understanding cluster internals.
  • CI/CD Integration: Predictable behavior and configuration files work well in automated pipelines.
  • Small to Medium Clusters: For clusters with < 50 nodes, kubeadm’s manual steps are manageable.

When to Choose kubespray

  • Complex Infrastructure: You need Ansible-based automation for large, heterogeneous environments.
  • Bare Metal Deployments: kubespray’s Ansible playbooks handle hardware-specific configurations well.
  • Multi-Cloud Strategy: Ansible’s cloud-agnostic nature fits multi-cloud deployments.
  • Existing Ansible Workflows: If your team already uses Ansible, kubespray integrates naturally.

Practical Considerations

Certificate Management

kubeadm GA improved certificate handling, but operators still needed to plan for:

  • 1-Year Validity: Default certificates expire after 1 year; set calendar reminders for renewal.
  • Rotation Process: kubeadm alpha certs renew (alpha in 1.13) enabled certificate renewal without downtime.
  • Backup Strategy: Backup /etc/kubernetes/pki before upgrades or certificate operations.

Upgrade Coordination

While kubeadm upgrade automated much of the upgrade process, teams still needed to:

  • Plan Maintenance Windows: Coordinate upgrades during low-traffic periods.
  • Test in Staging: Always test upgrades in non-production environments first.
  • Monitor During Upgrades: Watch API server availability and pod scheduling during the process.
  • Handle Add-Ons: Verify CNI, DNS, and other add-ons support the target Kubernetes version.

Networking Choices

kubeadm doesn’t install CNI plugins, giving operators flexibility but requiring decisions:

  • Calico: Good for NetworkPolicy enforcement and BGP integration.
  • Flannel: Simple overlay networking, good for basic use cases.
  • Cilium: eBPF-based networking with advanced security features.
  • Weave Net: Simple setup with good multi-cloud support.

Getting Started with kubeadm GA

# Install kubeadm, kubelet, kubectl
apt-get update && apt-get install -y apt-transport-https curl
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb https://apt.kubernetes.io/ kubernetes-xenial main
EOF
apt-get update
apt-get install -y kubelet kubeadm kubectl
apt-mark hold kubelet kubeadm kubectl

# Initialize cluster
kubeadm init --pod-network-cidr=10.244.0.0/16

# Install CNI (example: Calico)
kubectl apply -f https://docs.projectcalico.org/v3.8/manifests/calico.yaml

# Join worker nodes
kubeadm join <control-plane-ip>:6443 --token <token> --discovery-token-ca-cert-hash sha256:<hash>

Caveats & Lessons Learned

  • Add-On Lifecycle: kubeadm doesn’t manage add-ons; operators must handle CNI, DNS, and monitoring separately.
  • State Management: Cluster state lives in /etc/kubernetes; backup this directory regularly.
  • Version Skew: kubeadm enforces Kubernetes version skew rules; plan upgrades carefully.
  • Load Balancer Dependency: HA setups require reliable load balancers; single points of failure can cause outages.

Common Failure Modes

  • “Certificate Expiration”: Not tracking certificate validity leads to sudden cluster failures; set renewal reminders.
  • “Upgrade Failures”: Upgrading without testing in staging can cause production outages; always test first.
  • “CNI Incompatibility”: Upgrading Kubernetes without verifying CNI compatibility breaks pod networking.

Conclusion

kubeadm’s graduation to GA in December 2018 marked the tool’s evolution from a beta experiment to a production-ready foundation for Kubernetes clusters. While managed services (EKS, AKS, GKE) handled control planes for cloud users, kubeadm remained essential for on-premises deployments, custom distributions, and teams needing full infrastructure control.

The stable API, reliable upgrade workflows, and HA support made kubeadm the official path to Kubernetes for self-managed environments. It would go on to power countless production clusters, serve as the foundation for Kubernetes distributions, and become the standard tool for learning and teaching Kubernetes internals.

For teams choosing between kubeadm, kubespray, and kops, the decision came down to infrastructure scope (cloud-agnostic vs AWS-only), deployment method (binary vs Ansible vs CLI), and operational preferences. kubeadm’s GA made it a viable, supported choice for any team willing to manage their own infrastructure.