I've lost the original 'kubeadm join' command when I previously ran kubeadm init.
How can I retrieve this value again?
kubeadm token create --print-join-command 2> /dev/null. – Sunlit
To print a join command for a new worker node use:
kubeadm token create --print-join-command
But if you need to join a new control plane node, you need to recreate a new key for the control plane join command. This can be done with three simple steps:
1. Re-upload certificates in the already working master node with kubeadm init phase upload-certs --upload-certs. That will generate a new certificate key.
2. Print the join command in the already working master node with kubeadm token create --print-join-command.
3. Join a new control plane node with $JOIN_COMMAND_FROM_STEP2 --control-plane --certificate-key $KEY_FROM_STEP1.
This might not work for the old Kubernetes versions but I tried with the new version and it worked for me.
To create the kubeadm join command, please run the following commands:
Step 1 - Retrieve Token CA Hash:
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt \
| openssl rsa -pubin -outform der 2>/dev/null \
| openssl dgst -sha256 -hex \
| sed 's/^.* //'
This command will provide you with the public key.
Step 2 - Retrieve bootstrap Tokens:
kubeadm token list
This will print all tokens, so copy the token value under TOKEN with the description "The default bootstrap token generated by kubeadm init."
Step 3 - Creates kubeadm init command:
Now use the following syntax to create the join command without creating a new token:
kubeadm join <ip-address>:6443 \
--token=<token-from-step-2> \
--discovery-token-ca-cert-hash sha256:<ca-hash-from-step-1>
The kubeadm token create command creates a new token, in this case without any description, so for you not to create any additional tokens, just pick the token which has a DESCRIPTION as mentioned in Step 2.
Run the below command on your master node machine.
kubeadm token create --print-join-command
This command will generate the new token as well as the join command which you can use at your worker node to join the cluster.
If you are joining control plane nodes, you will need a certificate key in the command too:
kubeadm token create \
--print-join-command \
--certificate-key \
$(kubeadm alpha certs certificate-key)
The kubeadm alpha certs certificate-key command will generate a new certificate key on demand as per the documentation here
To join a worker node, the command kubeadm token create --print-join-command given in the accepted answer is sufficient.
alpha - kubeadm certs certificate-key – Gothar
Building off @Abhishek Jain's answer, here's a script to print the kubeadm join command with a little help from jq:
# get the join command from the kube master
CERT_HASH=$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt \
| openssl rsa -pubin -outform der 2>/dev/null \
| openssl dgst -sha256 -hex \
| sed 's/^.* //')
TOKEN=$(kubeadm token list -o json | jq -r '.token' | head -1)
IP=$(kubectl get nodes -lnode-role.kubernetes.io/master -o json \
| jq -r '.items[0].status.addresses[] | select(.type=="InternalIP") | .address')
PORT=6443
echo "sudo kubeadm join $IP:$PORT \
--token=$TOKEN --discovery-token-ca-cert-hash sha256:$CERT_HASH"
Here is a bash script that automates this task:
read -p 'master ip address : ' ipaddr
# SHA-256 hash of the cluster CA's public key
sha_token="$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //')"
# first token listed (row 2, after the header row)
token="$(kubeadm token list | awk '{print $1}' | sed -n '2 p')"
echo "kubeadm join $ipaddr:6443 --token=$token --discovery-token-ca-cert-hash sha256:$sha_token"
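
The manual steps from the answers above (hash the CA public key, reuse an existing token, assemble the join line) as one script. This is an added example, not code from any answer or from kubeadm. It goes beyond the answers by using openssl pkey so that EC as well as RSA CA keys are hashed, and by rejecting a missing certificate or a malformed token; the function names and argument order are assumptions made for this example.

```sh
#!/bin/sh
# Added example: rebuild a worker join command from an existing bootstrap token
# and the cluster CA certificate, validating both before printing anything.
LC_ALL=C; export LC_ALL

# SHA-256 of the CA certificate's DER-encoded public key (SubjectPublicKeyInfo).
# 'openssl pkey' replaces the answers' 'openssl rsa', so EC CA keys work too.
ca_cert_hash() {
  # Fail here on a missing or unparsable certificate; otherwise the pipeline
  # below would quietly hash empty input and still print 64 hex digits.
  _pem=$(openssl x509 -pubkey -noout -in "$1" 2>/dev/null) || return 1
  [ -n "$_pem" ] || return 1
  printf '%s\n' "$_pem" \
    | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex \
    | sed 's/^.* //'
}

# Bootstrap tokens look like abcdef.0123456789abcdef: 6 + 16 chars of [a-z0-9].
valid_token() {
  case "$1" in
    *[!a-z0-9.]* | *.*.*) return 1 ;;          # foreign character or extra dot
    ??????.????????????????) return 0 ;;       # 6 chars, one dot, 16 chars
    *) return 1 ;;
  esac
}

# Arguments: <host:port> <token> <ca.crt>. Prints one line, or fails with a reason.
build_join_command() {
  [ -n "$1" ] || { echo "missing API server endpoint" >&2; return 1; }
  valid_token "$2" || { echo "malformed bootstrap token" >&2; return 1; }
  _hash=$(ca_cert_hash "$3") || { echo "cannot read CA cert: $3" >&2; return 1; }
  printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash sha256:%s\n' \
    "$1" "$2" "$_hash"
}

# Assumed invocation on a control-plane node (default CA path is the page's):
#   sh join-cmd.sh <host:port> <token> [ca.crt]
if [ "$#" -ge 2 ]; then
  build_join_command "$1" "$2" "${3:-/etc/kubernetes/pki/ca.crt}"
fi
```

The printed line contains the bootstrap token, which is a bearer credential for joining the cluster until it expires, so keep the output out of shared logs.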