As part of the Kubernetes v1.31 release, kubeadm is
adopting a new (v1beta4) version of
its configuration file format. Configuration in the previous v1beta3 format is now formally
deprecated, which means it's supported but you should migrate to v1beta4 and stop using
the deprecated format.
Support for v1beta3 configuration will be removed after a minimum of 3 Kubernetes minor releases.
In this article, I'll walk you through the key changes in the kubeadm v1beta4 configuration format and explain how to migrate from v1beta3 to v1beta4.
You can read the reference for the v1beta4 configuration format: kubeadm Configuration (v1beta4).
This version improves on the v1beta3 format by fixing some minor issues and adding a few new fields.
To put it simply,

* dryRun mode and nodeRegistration.imagePullSerial are supported
* certificateValidityPeriod, caCertificateValidityPeriod, encryptionAlgorithm, dns.disabled and proxy.disabled.
* extraEnvs for all control plane components
* extraArgs changed from a map to structured extra arguments for duplicates
* timeouts structure for init, join, upgrade and reset.

For details, you can see the official document below:

* ClusterConfiguration. Use apiServer.extraEnvs, controllerManager.extraEnvs, scheduler.extraEnvs, etcd.local.extraEnvs.
* --config file to kubeadm reset.
* dryRun mode is now configurable in InitConfiguration and JoinConfiguration.
* ClusterConfiguration - apiServer.extraArgs, controllerManager.extraArgs, scheduler.extraArgs, etcd.local.extraArgs. Also to nodeRegistrationOptions.kubeletExtraArgs.
* ClusterConfiguration.encryptionAlgorithm that can be used to set the asymmetric encryption algorithm used for this cluster's keys and certificates. Can be one of "RSA-2048" (default), "RSA-3072", "RSA-4096" or "ECDSA-P256".
* ClusterConfiguration.dns.disabled and ClusterConfiguration.proxy.disabled that can be used to disable the CoreDNS and kube-proxy addons during cluster initialization. Skipping the related addons phases during cluster creation will set the same fields to true.
* nodeRegistration.imagePullSerial field in InitConfiguration and JoinConfiguration, which can be used to control if kubeadm pulls images serially or in parallel.
* --config to kubeadm upgrade subcommands. For upgrade subcommands, the usage of component configuration for kubelet and kube-proxy, as well as InitConfiguration and ClusterConfiguration, is now deprecated and will be ignored when passing --config.
* timeouts structure to InitConfiguration, JoinConfiguration, ResetConfiguration and UpgradeConfiguration that can be used to configure various timeouts. The ClusterConfiguration.timeoutForControlPlane field is replaced by timeouts.controlPlaneComponentHealthCheck. The JoinConfiguration.discovery.timeout is replaced by timeouts.discovery.
* certificateValidityPeriod and caCertificateValidityPeriod fields to ClusterConfiguration. These fields can be used to control the validity period of certificates generated by kubeadm during sub-commands such as init, join, upgrade and certs. Default values continue to be 1 year for non-CA certificates and 10 years for CA certificates. Also note that only non-CA certificates are renewable by kubeadm certs renew.

These changes simplify the configuration of tools that use kubeadm and improve the extensibility of kubeadm itself.
If your configuration is not using the latest version, it is recommended that you migrate using the kubeadm config migrate command.
This command reads an existing configuration file that uses the old format, and writes a new file that uses the current format.
Using kubeadm v1.31, run kubeadm config migrate --old-config old-v1beta3.yaml --new-config new-v1beta4.yaml
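To show what the v1beta4 fields described above look like in a file, here is an added illustration written for this page; it is not taken from the article or the kubeadm project, and it is not actual kubeadm config migrate output. The hostnames, paths and durations are constructed sample values, and the old v1beta3 map form appears only as a comment for contrast.

```yaml
# Illustrative v1beta4 configuration (constructed sample values throughout).
apiVersion: kubeadm.k8s.io/v1beta4
kind: ClusterConfiguration
# Key algorithm for cluster keys and certificates; the default is RSA-2048.
encryptionAlgorithm: ECDSA-P256
# Validity of certificates generated by kubeadm. Defaults are 1 year for
# non-CA and 10 years for CA certificates. Only non-CA certificates are
# renewable by "kubeadm certs renew", so plan CA rotation separately.
certificateValidityPeriod: 2160h
caCertificateValidityPeriod: 43800h
apiServer:
  # v1beta3 used a string/string map, so a flag could appear only once:
  #   extraArgs:
  #     audit-log-path: /var/log/kubernetes/audit.log
  # v1beta4 uses a list of name/value pairs, so a flag may be repeated.
  extraArgs:
    - name: audit-log-path
      value: /var/log/kubernetes/audit.log
    - name: service-account-issuer
      value: https://issuer-new.example.internal
    - name: service-account-issuer
      value: https://issuer-old.example.internal
  # Custom environment variables for the control plane component.
  extraEnvs:
    - name: HTTPS_PROXY
      value: http://proxy.example.internal:3128
# Set to true to skip the CoreDNS or kube-proxy addon at initialization.
dns:
  disabled: false
proxy:
  disabled: false
---
apiVersion: kubeadm.k8s.io/v1beta4
kind: InitConfiguration
dryRun: false
nodeRegistration:
  # Pull images one at a time (true) or in parallel (false).
  imagePullSerial: true
  kubeletExtraArgs:
    - name: node-labels
      value: example.internal/role=control-plane
timeouts:
  # Replaces ClusterConfiguration.timeoutForControlPlane.
  controlPlaneComponentHealthCheck: 4m0s
```

After migrating a real file, compare the old and new extraArgs entries and confirm that any certificate validity or algorithm settings are the ones you intend before running kubeadm with it.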
Huge thanks to all the contributors who helped with the design, implementation, and review of this feature:
For those interested in getting involved in future discussions on kubeadm configuration, you can reach out to kubeadm or SIG-cluster-lifecycle by several means: