Kubeadm

kubeadm is Kubernetes’ official bootstrap tool for creating production-ready clusters. It automates the complex process of setting up a Kubernetes control plane and joining worker nodes, handling certificate generation, component configuration, and cluster initialization. Think of kubeadm as a construction crew that knows exactly how to build a Kubernetes cluster—it handles the technical details so you don’t have to manually configure each component.

While managed Kubernetes services (like EKS, GKE, or AKS) handle cluster creation for you, kubeadm is essential when you need to run Kubernetes on your own infrastructure—on-premises data centers, edge locations, virtual machines, or any environment where you manage the underlying infrastructure yourself.

What Is kubeadm?

kubeadm is a command-line tool that performs the necessary operations to get a minimum viable Kubernetes cluster running. It doesn’t install or manage the container runtime or the kubelet (you do that separately), and it doesn’t install a pod network add-on (CNI plugin), so nodes report NotReady until you apply one. It orchestrates everything else needed for a functional cluster.

kubeadm handles:

  • Certificate Generation - Creates all the certificates needed for secure communication between cluster components
  • Control Plane Setup - Initializes the API server, etcd, controller manager, and scheduler
  • Component Configuration - Generates kubeconfig files and manifests for all control plane components
  • Node Joining - Provides tokens and commands for adding worker nodes to the cluster
  • Cluster Information - Prints join commands and cluster status
```mermaid
graph TB
  A[kubeadm init] --> B[Generate Certificates]
  B --> C[Create etcd]
  C --> D[Start API Server]
  D --> E[Start Controller Manager]
  E --> F[Start Scheduler]
  F --> G[Generate kubeconfig]
  G --> H[Print Join Command]
  I[Worker Node] --> J[kubeadm join]
  J --> K[Receive Token]
  K --> L[Connect to API Server]
  L --> M[Register Node]
  M --> N[Node Ready]
  style A fill:#e1f5ff
  style B fill:#fff4e1
  style C fill:#fff4e1
  style D fill:#e8f5e9
  style E fill:#e8f5e9
  style F fill:#e8f5e9
  style J fill:#e1f5ff
  style L fill:#fff4e1
  style N fill:#e8f5e9
```

kubeadm vs. Managed Services

Understanding when to use kubeadm helps clarify its role:

Use kubeadm when:

  • Running Kubernetes on your own infrastructure (on-premises, edge, VMs)
  • You need full control over cluster configuration and lifecycle
  • Building custom Kubernetes distributions or platforms
  • Learning how Kubernetes clusters are assembled
  • Managing clusters in environments where managed services aren’t available

Use managed services when:

  • Running in public clouds (EKS, GKE, AKS)
  • You want the cloud provider to handle control plane management
  • You prefer to focus on applications rather than infrastructure
  • You need integrated cloud services and features

kubeadm and managed services aren’t mutually exclusive. Several cluster lifecycle tools build on kubeadm rather than replacing it; Cluster API, for example, drives cluster creation through its kubeadm bootstrap and control plane providers.

Cluster Creation Process

kubeadm follows a two-phase approach:

Phase 1: Control Plane Initialization

The first control plane node runs kubeadm init, which:

  1. Runs Preflight Checks - Verifies the host: the container runtime answers on its CRI socket, the kubelet is installed, the control plane ports are free, swap is off, and the required kernel modules and sysctls are set; errors stop the run, warnings do not
  2. Generates Certificates - Creates the cluster PKI under /etc/kubernetes/pki: CAs for the cluster, etcd and the front proxy, serving and client certificates for each component, and the service account signing key pair
  3. Generates kubeconfig Files - Writes admin.conf, kubelet.conf, controller-manager.conf and scheduler.conf under /etc/kubernetes, each carrying a client certificate scoped to its role
  4. Starts etcd - Writes a static pod manifest for a local etcd member (or configures the API server to use an external etcd you provide)
  5. Starts Control Plane Components - Writes static pod manifests for the API server, controller manager and scheduler to /etc/kubernetes/manifests and restarts the kubelet with the generated configuration so it runs them
  6. Prepares Node Bootstrapping - Creates a bootstrap token (valid for 24 hours by default), publishes the cluster CA in the cluster-info ConfigMap in kube-public, and installs the RBAC rules that let token holders request node client certificates
  7. Installs Core Add-ons - Deploys CoreDNS and kube-proxy (kube-proxy as a DaemonSet); a pod network add-on is not installed, and nodes report NotReady until you apply one
  8. Prints the Join Command - Displays kubeadm join with the token and the sha256 hash of the CA public key that workers use to verify they are talking to the right control plane

Phase 2: Node Joining

Worker nodes run kubeadm join, which:

  1. Runs Preflight Checks - Same host checks as init, minus the control plane ports
  2. Discovers the Cluster - Fetches the cluster-info ConfigMap from the API server (it is readable without credentials), verifies its signature with the bootstrap token, and checks the CA it contains against the hash given in --discovery-token-ca-cert-hash; skipping the hash requires --discovery-token-unsafe-skip-ca-verification and leaves the join open to a spoofed API server
  3. Performs TLS Bootstrap - Writes a bootstrap kubeconfig for the kubelet; the kubelet uses the token to submit a certificate signing request, which the controller manager auto-approves under the RBAC rules kubeadm set up, and receives its own client certificate
  4. Starts the kubelet - Restarts the kubelet with the cluster’s KubeletConfiguration so it connects with its new certificate and registers a Node object for the host
  5. Receives Workloads - join installs no components itself: the kube-proxy DaemonSet (and, once applied, the network add-on’s DaemonSet) schedules a pod onto the new node, and the node turns Ready when pod networking is up
```mermaid
sequenceDiagram
  participant Admin
  participant ControlPlane
  participant Worker1
  participant Worker2
  Admin->>ControlPlane: kubeadm init
  ControlPlane->>ControlPlane: Generate PKI
  ControlPlane->>ControlPlane: Start etcd
  ControlPlane->>ControlPlane: Start API Server
  ControlPlane->>ControlPlane: Start Components
  ControlPlane->>Admin: Join command + token
  Admin->>Worker1: kubeadm join <token>
  Worker1->>ControlPlane: Authenticate
  ControlPlane->>Worker1: Cluster config
  Worker1->>ControlPlane: Register node
  Worker1->>Worker1: Start kubelet
  Admin->>Worker2: kubeadm join <token>
  Worker2->>ControlPlane: Authenticate
  ControlPlane->>Worker2: Cluster config
  Worker2->>ControlPlane: Register node
  Worker2->>Worker2: Start kubelet
```
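The two phases above as a script, added here as an example and not part of this page or of the kubeadm project. It makes explicit the two details that matter for security: the CA public-key hash that pins a worker to the intended control plane, and a short-lived bootstrap token minted per join instead of reusing the 24-hour one printed by init. The host names, CIDRs, TTL and paths are assumptions for illustration; the hash pipeline is the one from the kubeadm documentation, with `openssl pkey` substituted for `openssl rsa` so it also works for an ECDSA CA.

```shell
#!/usr/bin/env sh
# Added example, not part of the page or of kubeadm itself. Host names,
# CIDRs, the token TTL and paths are assumptions for illustration.
set -eu

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"

# Value for --discovery-token-ca-cert-hash: sha256 over the DER-encoded
# SubjectPublicKeyInfo of the cluster CA. `openssl pkey` (instead of the
# documented `openssl rsa`) handles RSA and ECDSA CAs alike.
ca_cert_hash() {
  printf 'sha256:%s\n' "$(openssl x509 -pubkey -noout -in "$1" \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -hex \
    | sed 's/^.* //')"
}

# Bootstrap tokens have the form <id>.<secret>: 6 and 16 lowercase
# alphanumerics. The id is public (it names the Secret in kube-system);
# only the secret half authenticates. Returns 0 when the shape is right.
join_token_is_valid() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# Phase 1, on the first control plane node. --control-plane-endpoint must be
# a stable name or load balancer if more control plane nodes will ever join;
# --upload-certs stores the CA keys in a Secret (encrypted, deleted after two
# hours) so those nodes can fetch them instead of having files copied around.
init_control_plane() {
  kubeadm init \
    --control-plane-endpoint "k8s-api.example.internal:6443" \
    --pod-network-cidr 10.244.0.0/16 \
    --upload-certs
  # Nodes stay NotReady until a pod network add-on (CNI plugin) is applied.
}

# Mint a token per join with a short TTL. --print-join-command emits the
# complete kubeadm join line, CA hash included, so nothing is retyped.
mint_join_command() {
  kubeadm token create --ttl 30m --print-join-command
}

# Phase 2, on the worker. Without --discovery-token-ca-cert-hash kubeadm
# refuses to join unless --discovery-token-unsafe-skip-ca-verification is
# passed; the hash is what stops a spoofed API endpoint from handing the
# worker its own CA during discovery.
join_worker() {
  endpoint="$1"; token="$2"; hash="$3"
  join_token_is_valid "$token" || { echo "malformed bootstrap token" >&2; return 1; }
  kubeadm join "$endpoint" \
    --token "$token" \
    --discovery-token-ca-cert-hash "$hash"
}

# Only act when told to; running the file with no arguments does nothing.
case "${1:-}" in
  init)  init_control_plane ;;
  token) mint_join_command ;;
  hash)  ca_cert_hash "$PKI_DIR/ca.crt" ;;
  join)  join_worker "$2" "$3" "$4" ;;
esac
```

Run `hash` on a control plane node to obtain the pin out of band and compare it with the hash in any join command you are handed before running it on a worker. `kubeadm token list` shows outstanding tokens and `kubeadm token delete <id>` revokes one before its TTL runs out.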

Certificate Management

One of kubeadm’s most important responsibilities is managing the cluster’s PKI. Kubernetes uses certificates extensively for:

  • API Server - Serving HTTPS traffic and authenticating clients (including its own client certificates to etcd and to kubelets)
  • etcd - Securing communication between etcd peers and clients
  • kubelet - Authenticating to the API server; the kubelet’s own serving certificate is self-signed unless serverTLSBootstrap is enabled
  • Front Proxy - Authenticating the API server to aggregated API servers
  • Service Accounts - Signing service account tokens (a key pair rather than a certificate)

kubeadm generates all of these during initialization, signed by CAs it also creates (cluster, etcd and front proxy). By default leaf certificates are valid for one year and the CAs for ten. kubeadm upgrade renews the leaf certificates as a side effect, and kubeadm certs check-expiration and kubeadm certs renew all cover clusters that are not upgraded within the year. Renewal has to happen before expiry: once the API server certificate has lapsed, kubectl and the kubelets can no longer authenticate and the cluster must be repaired from the control plane host. The kubelet’s client certificate is the exception, since the kubelet rotates it itself. The certificate lifecycle is a critical operational concern covered in the Certificates & PKI topic.
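An expiry check and the manual renewal sequence for the certificates described above, added here as an example and not taken from this page or from the kubeadm project. It uses `kubeadm certs check-expiration` where kubeadm is available and falls back to `openssl x509 -checkend` over the PKI directory for hosts where only the files are reachable. Paths are kubeadm’s defaults; the 30-day threshold and the 25-second wait are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from the page or the kubeadm project. Paths are the
# kubeadm defaults; the threshold and the wait time are assumptions.
set -eu

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
MANIFESTS="${MANIFESTS:-/etc/kubernetes/manifests}"

# Lists every certificate under $1 (including etcd/) that expires within $2
# days and returns 1 if any does, so it can gate a cron job or a health check.
certs_expiring_within() {
  dir="$1"; days="$2"; found=0
  for cert in "$dir"/*.crt "$dir"/etcd/*.crt; do
    [ -f "$cert" ] || continue
    # -checkend exits 1 when the cert will have expired N seconds from now
    if ! openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null; then
      printf '%s: %s\n' "$cert" "$(openssl x509 -noout -enddate -in "$cert" | cut -d= -f2)"
      found=1
    fi
  done
  return "$found"
}

# kubeadm's own view: also covers the certificates embedded in the kubeconfig
# files and the CAs, and marks any it does not manage (external etcd, say).
check_with_kubeadm() { kubeadm certs check-expiration; }

# Manual renewal. kubeadm rewrites certificates and kubeconfigs on disk, but
# the control plane static pods keep the old ones in memory until restarted.
# They are not API objects, so kubectl cannot restart them; the kubelet only
# reacts to manifests leaving and re-entering its directory, which it
# re-reads every 20 seconds by default. admin.conf is renewed as well and
# must be copied back to ~/.kube/config. kubelet.conf is left alone because
# the kubelet rotates that certificate itself.
renew_all() {
  kubeadm certs renew all
  for component in kube-apiserver kube-controller-manager kube-scheduler etcd; do
    [ -f "$MANIFESTS/$component.yaml" ] || continue   # no etcd.yaml with external etcd
    mv "$MANIFESTS/$component.yaml" /tmp/ && sleep 25
    mv "/tmp/$component.yaml" "$MANIFESTS/"
  done
}

case "${1:-}" in
  check)   certs_expiring_within "$PKI_DIR" "${2:-30}" ;;
  kubeadm) check_with_kubeadm ;;
  renew)   renew_all ;;
esac
```

`check` exits non-zero when anything is within the threshold, which is the form a monitoring probe wants; run `renew` only on a control plane node, one node at a time in a multi-node control plane.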

kubeadm Configuration

While kubeadm works with defaults, you can customize cluster configuration through a config file passed with --config (for example kubeadm init --config kubeadm-config.yaml). The file is a YAML document that can hold several kinds, separated by ---: InitConfiguration, ClusterConfiguration, KubeletConfiguration and KubeProxyConfiguration. kubeadm config print init-defaults prints the defaults as a starting point, and most command-line flags cannot be combined with --config. The config file allows you to:

  • Configure API server, etcd, and other component settings
  • Specify pod network CIDR ranges
  • Configure feature gates
  • Set up external etcd
  • Customize certificate validity periods
  • Configure control plane endpoints for high availability
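A configuration file covering the items listed above, added here as an example and not the page’s or kubeadm’s own: component flags, pod and service CIDRs, an external etcd, a stable control plane endpoint for high availability, a short-lived bootstrap token, and a hardened KubeletConfiguration. The endpoint name, CIDRs, etcd hosts, Kubernetes version, and file paths are assumptions; it is written by a shell function so the same file can be reviewed, committed, dry-run and then used for init.

```shell
#!/usr/bin/env sh
# Added example, not from the page or the kubeadm project. Endpoint, CIDRs,
# etcd hosts, Kubernetes version and paths are assumptions for illustration.
set -eu

# Writes the multi-document config to $1. kubeadm.k8s.io/v1beta3 is shown;
# `kubeadm config migrate` converts it on releases that default to v1beta4.
write_kubeadm_config() {
  cat > "$1" <<'EOF'
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
bootstrapTokens:
  # No token value: kubeadm generates one. Keep it short-lived and mint
  # more with `kubeadm token create` as nodes are added.
  - ttl: 1h
    usages: [signing, authentication]
    groups: [system:bootstrappers:kubeadm:default-node-token]
nodeRegistration:
  criSocket: unix:///run/containerd/containerd.sock
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: v1.29.0
# Stable DNS name or load balancer in front of every API server; it must be
# set before the first init if more control plane nodes will ever join.
controlPlaneEndpoint: k8s-api.example.internal:6443
networking:
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
etcd:
  # External etcd: kubeadm does not create these client certs, you supply them.
  external:
    endpoints:
      - https://etcd-1.example.internal:2379
      - https://etcd-2.example.internal:2379
      - https://etcd-3.example.internal:2379
    caFile: /etc/kubernetes/pki/etcd/ca.crt
    certFile: /etc/kubernetes/pki/apiserver-etcd-client.crt
    keyFile: /etc/kubernetes/pki/apiserver-etcd-client.key
apiServer:
  # extraArgs are kube-apiserver flags; component feature gates go here as
  # `feature-gates: SomeGate=true`. In v1beta3 every value must be a string.
  extraArgs:
    authorization-mode: Node,RBAC
    enable-admission-plugins: NodeRestriction
    audit-log-path: /var/log/kubernetes/audit.log
    audit-policy-file: /etc/kubernetes/audit-policy.yaml
    profiling: "false"
  # The API server is a static pod, so files it reads must be mounted in.
  extraVolumes:
    - name: audit-policy
      hostPath: /etc/kubernetes/audit-policy.yaml
      mountPath: /etc/kubernetes/audit-policy.yaml
      readOnly: true
      pathType: File
    - name: audit-log
      hostPath: /var/log/kubernetes
      mountPath: /var/log/kubernetes
      pathType: DirectoryOrCreate
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd
rotateCertificates: true   # kubelet renews its client cert itself
serverTLSBootstrap: true   # serving cert from the cluster CA; the CSRs need approval
readOnlyPort: 0            # turn off the unauthenticated :10255 port
protectKernelDefaults: true   # kubelet refuses to start if sysctls differ from its defaults
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
EOF
}

# Parse and validate against this host without changing it, then init with
# the same file. --upload-certs is one of the flags allowed with --config.
dry_run_init()    { kubeadm init --config "$1" --dry-run; }
init_with_config() { kubeadm init --config "$1" --upload-certs; }

case "${1:-}" in
  write)   write_kubeadm_config "${2:-kubeadm-config.yaml}" ;;
  dry-run) dry_run_init "${2:-kubeadm-config.yaml}" ;;
  init)    init_with_config "${2:-kubeadm-config.yaml}" ;;
esac
```

With serverTLSBootstrap enabled, each kubelet’s serving-certificate CSR must be approved (kubectl certificate approve, or an approver you deploy) before the API server can verify the kubelet when it proxies logs and exec sessions.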

Topics

  • Init & Join - Detailed guide to initializing control planes and joining nodes
  • Certificates & PKI - Understanding and managing cluster certificates

See Also