#KubeadmConfig [bootstrap.cluster.x-k8s.io/v1beta1]

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

spec is the desired state of KubeadmConfig.

status is the observed state of KubeadmConfig.

bootCommands specifies extra commands to run very early in the boot process via the cloud-init bootcmd module. bootcmd will run on every boot, 'cloud-init-per' command can be used to make bootcmd run exactly once. This is typically run in the cloud-init.service systemd unit. This has no effect in Ignition.

clusterConfiguration along with InitConfiguration are the configurations necessary for the init command

diskSetup specifies options for the creation of partition tables and file systems on devices.

files specifies extra files to be passed to user_data upon creation.

format specifies the output format of the bootstrap data

ignition contains Ignition specific configuration.

initConfiguration along with ClusterConfiguration are the configurations necessary for the init command

joinConfiguration is the kubeadm configuration for the join command

mounts specifies a list of mount points to be setup.

ntp specifies NTP configuration

postKubeadmCommands specifies extra commands to run after kubeadm runs. With cloud-init, this is appended to the runcmd module configuration, and is typically executed in the cloud-final.service systemd unit. In Ignition, this is appended to /etc/kubeadm.sh.

preKubeadmCommands specifies extra commands to run before kubeadm runs. With cloud-init, this is prepended to the runcmd module configuration, and is typically executed in the cloud-final.service systemd unit. In Ignition, this is prepended to /etc/kubeadm.sh.

useExperimentalRetryJoin replaces a basic kubeadm command with a shell script with retries for joins.

This is meant to be an experimental temporary workaround on some environments where joins fail due to timing (and other issues). The long term goal is to add retries to kubeadm proper and use that functionality.

This will add about 40KB to userdata

For more information, refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055.

Deprecated: This experimental fix is no longer needed and this field will be removed in a future release. When removing also remove from staticcheck exclude-rules for SA1019 in golangci.yml

users specifies extra users to add

verbosity is the number for the kubeadm log level verbosity. It overrides the --v flag in kubeadm commands.

apiServer contains extra settings for the API server control plane component

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

certificatesDir specifies where to store or look for all required certificates. NB: if not provided, this will default to /etc/kubernetes/pki

clusterName is the cluster name

controlPlaneEndpoint sets a stable IP address or DNS name for the control plane; it can be a valid IP address or a RFC-1123 DNS subdomain, both with optional TCP port. In case the ControlPlaneEndpoint is not specified, the AdvertiseAddress + BindPort are used; in case the ControlPlaneEndpoint is specified but without a TCP port, the BindPort is used. Possible usages are: e.g. In a cluster with more than one control plane instances, this field should be assigned the address of the external load balancer in front of the control plane instances. e.g. in environments with enforced node recycling, the ControlPlaneEndpoint could be used for assigning a stable DNS to the control plane. NB: This value defaults to the first value in the Cluster object status.apiEndpoints array.

controllerManager contains extra settings for the controller manager control plane component

dns defines the options for the DNS add-on installed in the cluster.

etcd holds configuration for etcd. NB: This value defaults to a Local (stacked) etcd

featureGates enabled by the user.

imageRepository sets the container registry to pull images from.

• If not set, the default registry of kubeadm will be used, i.e.
  • registry.k8s.io (new registry): >= v1.22.17, >= v1.23.15, >= v1.24.9, >= v1.25.0
  • k8s.gcr.io (old registry): all older versions Please note that when imageRepository is not set we don't allow upgrades to versions >= v1.22.0 which use the old registry (k8s.gcr.io). Please use a newer patch version with the new registry instead (i.e. >= v1.22.17,

  = v1.23.15, >= v1.24.9, >= v1.25.0).

• If the version is a CI build (kubernetes version starts with ci/ or ci-cross/) gcr.io/k8s-staging-ci-images will be used as a default for control plane components and for kube-proxy, while registry.k8s.io will be used for all the other images.

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

kubernetesVersion is the target version of the control plane. NB: This value defaults to the Machine object spec.version

networking holds configuration for the networking topology of the cluster. NB: This value defaults to the Cluster object spec.clusterNetwork.

scheduler contains extra settings for the scheduler control plane component

certSANs sets extra Subject Alternative Names for the API Server signing cert.

extraArgs is an extra set of flags to pass to the control plane component.

extraEnvs is an extra set of environment variables to pass to the control plane component. Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default. This option takes effect only on Kubernetes >=1.31.0.

extraVolumes is an extra set of host volumes, mounted to the control plane component.

timeoutForControlPlane controls the timeout that we use for API server to appear

Name of the environment variable. Must be a C_IDENTIFIER.

Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".

Source for the environment variable's value. Cannot be used if value is not empty.

Selects a key of a ConfigMap.

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

Selects a key of a secret in the pod's namespace

The key to select.

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Specify whether the ConfigMap or its key must be defined

Version of the schema the FieldPath is written in terms of, defaults to "v1".

Path of the field to select in the specified API version.

Container name: required for volumes, optional for env vars

Specifies the output format of the exposed resources, defaults to "1"

Required: resource to select

The key of the secret to select from. Must be a valid secret key.

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Specify whether the Secret or its key must be defined

hostPath is the path in the host that will be mounted inside the pod.

mountPath is the path inside the pod where hostPath will be mounted.

name of the volume inside the pod template.

pathType is the type of the HostPath.

readOnly controls write access to the volume

extraArgs is an extra set of flags to pass to the control plane component.

extraEnvs is an extra set of environment variables to pass to the control plane component. Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default. This option takes effect only on Kubernetes >=1.31.0.

extraVolumes is an extra set of host volumes, mounted to the control plane component.

Name of the environment variable. Must be a C_IDENTIFIER.

Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".

Source for the environment variable's value. Cannot be used if value is not empty.

Selects a key of a ConfigMap.

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

Selects a key of a secret in the pod's namespace

The key to select.

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Specify whether the ConfigMap or its key must be defined

Version of the schema the FieldPath is written in terms of, defaults to "v1".

Path of the field to select in the specified API version.

Container name: required for volumes, optional for env vars

Specifies the output format of the exposed resources, defaults to "1"

Required: resource to select

The key of the secret to select from. Must be a valid secret key.

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Specify whether the Secret or its key must be defined

hostPath is the path in the host that will be mounted inside the pod.

mountPath is the path inside the pod where hostPath will be mounted.

name of the volume inside the pod template.

pathType is the type of the HostPath.

readOnly controls write access to the volume

imageRepository sets the container registry to pull images from. if not set, the ImageRepository defined in ClusterConfiguration will be used instead.

imageTag allows to specify a tag for the image. In case this value is set, kubeadm does not change automatically the version of the above components during upgrades.

external describes how to connect to an external etcd cluster Local and External are mutually exclusive

local provides configuration knobs for configuring the local etcd instance Local and External are mutually exclusive

caFile is an SSL Certificate Authority file used to secure etcd communication. Required if using a TLS connection.

certFile is an SSL certification file used to secure etcd communication. Required if using a TLS connection.

endpoints of etcd members. Required for ExternalEtcd.

keyFile is an SSL key file used to secure etcd communication. Required if using a TLS connection.

dataDir is the directory etcd will place its data. Defaults to "/var/lib/etcd".

extraArgs are extra arguments provided to the etcd binary when run inside a static pod.

extraEnvs is an extra set of environment variables to pass to the control plane component. Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default. This option takes effect only on Kubernetes >=1.31.0.

imageRepository sets the container registry to pull images from. if not set, the ImageRepository defined in ClusterConfiguration will be used instead.

imageTag allows to specify a tag for the image. In case this value is set, kubeadm does not change automatically the version of the above components during upgrades.

peerCertSANs sets extra Subject Alternative Names for the etcd peer signing cert.

serverCertSANs sets extra Subject Alternative Names for the etcd server signing cert.

Name of the environment variable. Must be a C_IDENTIFIER.

Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".

Source for the environment variable's value. Cannot be used if value is not empty.

Selects a key of a ConfigMap.

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

Selects a key of a secret in the pod's namespace

The key to select.

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Specify whether the ConfigMap or its key must be defined

Version of the schema the FieldPath is written in terms of, defaults to "v1".

Path of the field to select in the specified API version.

Container name: required for volumes, optional for env vars

Specifies the output format of the exposed resources, defaults to "1"

Required: resource to select

The key of the secret to select from. Must be a valid secret key.

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Specify whether the Secret or its key must be defined

dnsDomain is the dns domain used by k8s services. Defaults to "cluster.local".

podSubnet is the subnet used by pods. If unset, the API server will not allocate CIDR ranges for every node. Defaults to a comma-delimited string of the Cluster object's spec.clusterNetwork.services.cidrBlocks if that is set

serviceSubnet is the subnet used by k8s services. Defaults to a comma-delimited string of the Cluster object's spec.clusterNetwork.pods.cidrBlocks, or to "10.96.0.0/12" if that's unset.

extraArgs is an extra set of flags to pass to the control plane component.

extraEnvs is an extra set of environment variables to pass to the control plane component. Environment variables passed using ExtraEnvs will override any existing environment variables, or *_proxy environment variables that kubeadm adds by default. This option takes effect only on Kubernetes >=1.31.0.

extraVolumes is an extra set of host volumes, mounted to the control plane component.

Name of the environment variable. Must be a C_IDENTIFIER.

Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".

Source for the environment variable's value. Cannot be used if value is not empty.

Selects a key of a ConfigMap.

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

Selects a key of a secret in the pod's namespace

The key to select.

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Specify whether the ConfigMap or its key must be defined

Version of the schema the FieldPath is written in terms of, defaults to "v1".

Path of the field to select in the specified API version.

Container name: required for volumes, optional for env vars

Specifies the output format of the exposed resources, defaults to "1"

Required: resource to select

The key of the secret to select from. Must be a valid secret key.

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Specify whether the Secret or its key must be defined

hostPath is the path in the host that will be mounted inside the pod.

mountPath is the path inside the pod where hostPath will be mounted.

name of the volume inside the pod template.

pathType is the type of the HostPath.

readOnly controls write access to the volume

filesystems specifies the list of file systems to setup.

partitions specifies the list of the partitions to setup.

device specifies the device name

extraOpts defined extra options to add to the command for creating the file system.

filesystem specifies the file system type.

label specifies the file system label to be used. If set to None, no label is used.

overwrite defines whether or not to overwrite any existing filesystem. If true, any pre-existing file system will be destroyed. Use with Caution.

partition specifies the partition to use. The valid options are: "auto|any", "auto", "any", "none", and , where NUM is the actual partition number.

replaceFS is a special directive, used for Microsoft Azure that instructs cloud-init to replace a file system of <FS_TYPE>. NOTE: unless you define a label, this requires the use of the 'any' partition directive.

device is the name of the device.

layout specifies the device layout. If it is true, a single partition will be created for the entire device. When layout is false, it means don't partition or ignore existing partitioning.

overwrite describes whether to skip checks and create the partition if a partition or filesystem is found on the device. Use with caution. Default is 'false'.

tableType specifies the tupe of partition table. The following are supported: 'mbr': default and setups a MS-DOS partition table 'gpt': setups a GPT partition table

append specifies whether to append Content to existing file if Path exists.

content is the actual content of the file.

contentFrom is a referenced source of content to populate the file.

encoding specifies the encoding of the file contents.

owner specifies the ownership of the file, e.g. "root:root".

path specifies the full path on disk where to store the file.

permissions specifies the permissions to assign to the file, e.g. "0640".

secret represents a secret that should populate this file.

key is the key in the secret's data map for this value.

name of the secret in the KubeadmBootstrapConfig's namespace to use.

containerLinuxConfig contains CLC specific configuration.

additionalConfig contains additional configuration to be merged with the Ignition configuration generated by the bootstrapper controller. More info: https://coreos.github.io/ignition/operator-notes/#config-merging

The data format is documented here: https://kinvolk.io/docs/flatcar-container-linux/latest/provisioning/cl-config/

strict controls if AdditionalConfig should be strictly parsed. If so, warnings are treated as errors.

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

bootstrapTokens is respected at kubeadm init time and describes a set of Bootstrap Tokens to create. This information IS NOT uploaded to the kubeadm cluster configmap, partly because of its sensitive nature

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

localAPIEndpoint represents the endpoint of the API server instance that's deployed on this control plane node In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint in the sense that ControlPlaneEndpoint is the global endpoint for the cluster, which then loadbalances the requests to each individual API server. This configuration object lets you customize what IP/DNS name and port the local API server advertises it's accessible on. By default, kubeadm tries to auto-detect the IP of the default interface and use that, but in case that process fails you may set the desired value here.

nodeRegistration holds fields that relate to registering the new control-plane node to the cluster. When used in the context of control plane nodes, NodeRegistration should remain consistent across both InitConfiguration and JoinConfiguration

patches contains options related to applying patches to components deployed by kubeadm during "kubeadm init". The minimum kubernetes version needed to support Patches is v1.22

skipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm init --help" command. This option takes effect only on Kubernetes >=1.22.0.

description sets a human-friendly message why this token exists and what it's used for, so other administrators can know its purpose.

expires specifies the timestamp when this token expires. Defaults to being set dynamically at runtime based on the TTL. Expires and TTL are mutually exclusive.

groups specifies the extra groups that this token will authenticate as when/if used for authentication

token is used for establishing bidirectional trust between nodes and control-planes. Used for joining nodes in the cluster.

ttl defines the time to live for this token. Defaults to 24h. Expires and TTL are mutually exclusive.

usages describes the ways in which this token can be used. Can by default be used for establishing bidirectional trust, but that can be changed here.

advertiseAddress sets the IP address for the API server to advertise.

bindPort sets the secure port for the API Server to bind to. Defaults to 6443.

criSocket is used to retrieve container runtime info. This information will be annotated to the Node API object, for later re-use

ignorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered.

imagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations. The value of this field must be one of "Always", "IfNotPresent" or "Never". Defaults to "IfNotPresent". This can be used only with Kubernetes version equal to 1.22 and later.

imagePullSerial specifies if image pulling performed by kubeadm must be done serially or in parallel. This option takes effect only on Kubernetes >=1.31.0. Default: true (defaulted in kubeadm)

kubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config-1.X ConfigMap Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on.

name is the .Metadata.Name field of the Node API object that will be created in this kubeadm init or kubeadm join operation. This field is also used in the CommonName field of the kubelet's client certificate to the API server. Defaults to the hostname of the node if not provided.

taints specifies the taints the Node API object should be registered with. If this field is unset, i.e. nil, in the kubeadm init process it will be defaulted to []v1.Taint{'node-role.kubernetes.io/master=""'}. If you don't want to taint your control-plane node, set this field to an empty slice, i.e. taints: [] in the YAML file. This field is solely used for Node registration.

Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.

Required. The taint key to be applied to a node.

TimeAdded represents the time at which the taint was added. It is only written for NoExecute taints.

The taint value corresponding to the taint key.

directory is a path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "target" can be one of "kube-apiserver", "kube-controller-manager", "kube-scheduler", "etcd". "patchtype" can be one of "strategic" "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically. These files can be written into the target directory via KubeadmConfig.Files which specifies additional files to be created on the machine, either with content inline or by referencing a secret.

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

caCertPath is the path to the SSL certificate authority used to secure comunications between node and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".

controlPlane defines the additional control plane instance to be deployed on the joining node. If nil, no additional control plane instance will be deployed.

discovery specifies the options for the kubelet to use during the TLS Bootstrap process

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

nodeRegistration holds fields that relate to registering the new control-plane node to the cluster. When used in the context of control plane nodes, NodeRegistration should remain consistent across both InitConfiguration and JoinConfiguration

patches contains options related to applying patches to components deployed by kubeadm during "kubeadm join". The minimum kubernetes version needed to support Patches is v1.22

skipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm init --help" command. This option takes effect only on Kubernetes >=1.22.0.

localAPIEndpoint represents the endpoint of the API server instance to be deployed on this node.

advertiseAddress sets the IP address for the API server to advertise.

bindPort sets the secure port for the API Server to bind to. Defaults to 6443.

bootstrapToken is used to set the options for bootstrap token based discovery BootstrapToken and File are mutually exclusive

file is used to specify a file or URL to a kubeconfig file from which to load cluster information BootstrapToken and File are mutually exclusive

timeout modifies the discovery timeout

tlsBootstrapToken is a token used for TLS bootstrapping. If .BootstrapToken is set, this field is defaulted to .BootstrapToken.Token, but can be overridden. If .File is set, this field must be set in case the KubeConfigFile does not contain any other authentication information

apiServerEndpoint is an IP or domain name to the API server from which info will be fetched.

caCertHashes specifies a set of public key pins to verify when token-based discovery is used. The root CA found during discovery must match one of these values. Specifying an empty set disables root CA pinning, which can be unsafe. Each hash is specified as ":", where the only currently supported type is "sha256". This is a hex-encoded SHA-256 hash of the Subject Public Key Info (SPKI) object in DER-encoded ASN.1. These hashes can be calculated using, for example, OpenSSL: openssl x509 -pubkey -in ca.crt openssl rsa -pubin -outform der 2>&/dev/null | openssl dgst -sha256 -hex

token is a token used to validate cluster information fetched from the control-plane.

unsafeSkipCAVerification allows token-based discovery without CA verification via CACertHashes. This can weaken the security of kubeadm since other nodes can impersonate the control-plane.

kubeConfig is used (optionally) to generate a KubeConfig based on the KubeadmConfig's information. The file is generated at the path specified in KubeConfigPath.

Host address (server field) information is automatically populated based on the Cluster's ControlPlaneEndpoint. Certificate Authority (certificate-authority-data field) is gathered from the cluster's CA secret.

kubeConfigPath is used to specify the actual file path or URL to the kubeconfig file from which to load cluster information

cluster contains information about how to communicate with the kubernetes cluster.

By default the following fields are automatically populated:

• Server with the Cluster's ControlPlaneEndpoint.
• CertificateAuthorityData with the Cluster's CA certificate.

user contains information that describes identity information. This is used to tell the kubernetes cluster who you are.

certificateAuthorityData contains PEM-encoded certificate authority certificates.

Defaults to the Cluster's CA certificate if empty.

insecureSkipTLSVerify skips the validity check for the server's certificate. This will make your HTTPS connections insecure.

proxyURL is the URL to the proxy to be used for all requests made by this client. URLs with "http", "https", and "socks5" schemes are supported. If this configuration is not provided or the empty string, the client attempts to construct a proxy configuration from http_proxy and https_proxy environment variables. If these environment variables are not set, the client does not attempt to proxy requests.

socks5 proxying does not currently support spdy streaming endpoints (exec, attach, port forward).

server is the address of the kubernetes cluster (https://hostname:port).

Defaults to https:// + Cluster.Spec.ControlPlaneEndpoint.

tlsServerName is used to check server certificate. If TLSServerName is empty, the hostname used to contact the server is used.

authProvider specifies a custom authentication plugin for the kubernetes cluster.

exec specifies a custom exec-based authentication plugin for the kubernetes cluster.

config holds the parameters for the authentication plugin.

name is the name of the authentication plugin.

apiVersion is preferred input version of the ExecInfo. The returned ExecCredentials MUST use the same encoding version as the input. Defaults to client.authentication.k8s.io/v1 if not set.

args is the arguments to pass to the command when executing it.

command to execute.

env defines additional environment variables to expose to the process. These are unioned with the host's environment, as well as variables client-go uses to pass argument to the plugin.

provideClusterInfo determines whether or not to provide cluster information, which could potentially contain very large CA data, to this exec plugin as a part of the KUBERNETES_EXEC_INFO environment variable. By default, it is set to false. Package k8s.io/client-go/tools/auth/exec provides helper methods for reading this environment variable.

name of the environment variable

value of the environment variable

criSocket is used to retrieve container runtime info. This information will be annotated to the Node API object, for later re-use

ignorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered.

imagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations. The value of this field must be one of "Always", "IfNotPresent" or "Never". Defaults to "IfNotPresent". This can be used only with Kubernetes version equal to 1.22 and later.

imagePullSerial specifies if image pulling performed by kubeadm must be done serially or in parallel. This option takes effect only on Kubernetes >=1.31.0. Default: true (defaulted in kubeadm)

kubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config-1.X ConfigMap Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on.

name is the .Metadata.Name field of the Node API object that will be created in this kubeadm init or kubeadm join operation. This field is also used in the CommonName field of the kubelet's client certificate to the API server. Defaults to the hostname of the node if not provided.

taints specifies the taints the Node API object should be registered with. If this field is unset, i.e. nil, in the kubeadm init process it will be defaulted to []v1.Taint{'node-role.kubernetes.io/master=""'}. If you don't want to taint your control-plane node, set this field to an empty slice, i.e. taints: [] in the YAML file. This field is solely used for Node registration.

Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.

Required. The taint key to be applied to a node.

TimeAdded represents the time at which the taint was added. It is only written for NoExecute taints.

The taint value corresponding to the taint key.

directory is a path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "target" can be one of "kube-apiserver", "kube-controller-manager", "kube-scheduler", "etcd". "patchtype" can be one of "strategic" "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically. These files can be written into the target directory via KubeadmConfig.Files which specifies additional files to be created on the machine, either with content inline or by referencing a secret.

enabled specifies whether NTP should be enabled

servers specifies which NTP servers to use

gecos specifies the gecos to use for the user

groups specifies the additional groups for the user

homeDir specifies the home directory to use for the user

inactive specifies whether to mark the user as inactive

lockPassword specifies if password login should be disabled

name specifies the user name

passwd specifies a hashed password for the user

passwdFrom is a referenced source of passwd to populate the passwd.

primaryGroup specifies the primary group for the user

shell specifies the user's shell

sshAuthorizedKeys specifies a list of ssh authorized keys for the user

sudo specifies a sudo role for the user

secret represents a secret that should populate this password.

key is the key in the secret's data map for this value.

name of the secret in the KubeadmBootstrapConfig's namespace to use.

conditions defines current service state of the KubeadmConfig.

dataSecretName is the name of the secret that stores the bootstrap data script.

failureMessage will be set on non-retryable errors

Deprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details.

failureReason will be set on non-retryable errors

Deprecated: This field is deprecated and is going to be removed in the next apiVersion. Please see https://github.com/kubernetes-sigs/cluster-api/blob/main/docs/proposals/20240916-improve-status-in-CAPI-resources.md for more details.

observedGeneration is the latest generation observed by the controller.

ready indicates the BootstrapData field is ready to be consumed

v1beta2 groups all the fields that will be added or modified in KubeadmConfig's status with the V1Beta2 version.

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

message is a human readable message indicating details about the transition. This field may be empty.

reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty.

severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False.

status of the condition, one of True, False, Unknown.

type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important.

conditions represents the observations of a KubeadmConfig's current state. Known condition types are Ready, DataSecretAvailable, CertificatesAvailable.

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

message is a human readable message indicating details about the transition. This may be an empty string.

observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

status of the condition, one of True, False, Unknown.

type of condition in CamelCase or in foo.example.com/CamelCase.