kubernetes

kubeadm Config Generator

Generate a production-ready kubeadm-config.yaml for bootstrapping a Kubernetes cluster. Outputs ClusterConfiguration, InitConfiguration, and KubeletConfiguration.

Generator

Inputs

Kubernetes Version

Control Plane Endpoint

The stable IP or domain for the K8s API. For HA: use your HAProxy Floating IP. For single node: use the node IP.

Pod CIDR

Flannel default: 10.244.0.0/16. Calico: 192.168.0.0/16. Cilium: 10.0.0.0/8.

Service CIDR

Default Kubernetes service subnet. Don't change unless it conflicts with your network.

Container Runtime

Node Name

Hostname of the first control plane node. Must match the actual hostname.

Extra Certificate SANs

Comma-separated extra IPs or domains to include in the API server TLS cert.

Output — kubeadm-config.yaml

# Generated by K8sCalc — kubeadm-config-generator
# Apply with: kubeadm init --config kubeadm-config.yaml
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: v1.32.0
controlPlaneEndpoint: "10.0.0.100:6443"
networking:
  podSubnet: "10.244.0.0/16"
  serviceSubnet: "10.96.0.0/12"
apiServer:
  certSANs:
    - "10.0.0.100"
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
nodeRegistration:
  criSocket: unix:///var/run/containerd/containerd.sock
  name: master-1
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd

kubeadm Configuration Deep Dive

kubeadm uses a configuration file to avoid long command-line flags and make cluster initialization reproducible. The config file supports multiple API objects separated by ---.

Key Configuration Objects

ClusterConfiguration  — cluster-wide settings (version, networking, cert SANs)
InitConfiguration     — first control plane node settings (CRI socket, node name)
JoinConfiguration     — settings for additional nodes joining the cluster
KubeletConfiguration  — kubelet settings applied to all nodes via kubeadm

ControlPlaneEndpoint

This is the most critical field for HA clusters. It must be a stable address that survives individual node failures. Common approaches:

›HAProxy Floating IP (Keepalived + Hetzner Floating IP) — recommended for on-prem/VPS
›Cloud load balancer IP — for cloud providers with native LB
›Single node IP — acceptable for dev/non-HA clusters

certSANs

The API server TLS certificate must include every IP and hostname that clients will use to connect. Missing a SAN means kubectl will fail with a certificate error when connecting via that address. Always include:

›The controlPlaneEndpoint IP/hostname
›Each control plane node's IP
›localhost and 127.0.0.1 (added automatically)
›Any external hostname (e.g., k8s.company.com)

CRI Socket Paths

Runtime	Socket Path
containerd	unix:///var/run/containerd/containerd.sock
CRI-O	unix:///var/run/crio/crio.sock
Docker (deprecated)	unix:///var/run/dockershim.sock

Frequently Asked Questions

What is the controlPlaneEndpoint in kubeadm?

The controlPlaneEndpoint is the stable IP or DNS name that all nodes (and kubectl users) use to reach the Kubernetes API server. For HA clusters, this should be a Floating IP managed by HAProxy + Keepalived, not the IP of a specific control plane node.

How do I apply this config?

Save the generated file as kubeadm-config.yaml, then run: `sudo kubeadm init --config kubeadm-config.yaml --upload-certs`. The --upload-certs flag is required to add more control plane nodes later.

What Pod CIDR should I use for Flannel vs Calico?

Flannel requires 10.244.0.0/16 by default (it's hardcoded in the Flannel manifest). Calico defaults to 192.168.0.0/16 but can use any range. Cilium works with any CIDR. Make sure your Pod CIDR doesn't overlap with your node network.

How do I join additional control plane nodes?

After kubeadm init completes, it prints a join command with a token. For control plane nodes, use: `kubeadm join <endpoint>:6443 --token <token> --discovery-token-ca-cert-hash <hash> --control-plane --certificate-key <key>`. The certificate-key is output when you use --upload-certs during init.

Related Calculators

K8s Cluster Cost K8s Upgrade Path Cert Expiry