From 1fb2858494e7ba0c8dbc131d80c84760f9082a3e Mon Sep 17 00:00:00 2001
From: fabriziopandini <fabrizio.pandini@gmail.com>
Date: Fri, 24 Nov 2017 14:41:08 +0100
Subject: [PATCH 1/2] automatically-generated kubeadm reference doc

---
 .../setup-tools/kubeadm/generated/README.md   |  1 +
 .../setup-tools/kubeadm/generated/kubeadm.md  | 39 ++++++++++
 .../kubeadm/generated/kubeadm_alpha.md        |  8 ++
 .../kubeadm/generated/kubeadm_alpha_phase.md  |  8 ++
 .../generated/kubeadm_alpha_phase_addon.md    |  8 ++
 .../kubeadm_alpha_phase_addon_all.md          | 45 +++++++++++
 .../kubeadm_alpha_phase_addon_kube-dns.md     | 33 ++++++++
 .../kubeadm_alpha_phase_addon_kube-proxy.md   | 26 +++++++
 .../kubeadm_alpha_phase_bootstrap-token.md    | 14 ++++
 ...kubeadm_alpha_phase_bootstrap-token_all.md | 43 +++++++++++
 ...lpha_phase_bootstrap-token_cluster-info.md | 22 ++++++
 ...eadm_alpha_phase_bootstrap-token_create.md | 35 +++++++++
 ...ubeadm_alpha_phase_bootstrap-token_node.md | 14 ++++
 ...bootstrap-token_node_allow-auto-approve.md | 22 ++++++
 ...se_bootstrap-token_node_allow-post-csrs.md | 22 ++++++
 .../generated/kubeadm_alpha_phase_certs.md    |  8 ++
 .../kubeadm_alpha_phase_certs_all.md          | 39 ++++++++++
 ...ha_phase_certs_apiserver-kubelet-client.md | 23 ++++++
 .../kubeadm_alpha_phase_certs_apiserver.md    | 29 +++++++
 .../generated/kubeadm_alpha_phase_certs_ca.md | 23 ++++++
 ...ubeadm_alpha_phase_certs_front-proxy-ca.md | 23 ++++++
 ...dm_alpha_phase_certs_front-proxy-client.md | 23 ++++++
 .../generated/kubeadm_alpha_phase_certs_sa.md | 23 ++++++
 .../kubeadm_alpha_phase_controlplane.md       |  8 ++
 .../kubeadm_alpha_phase_controlplane_all.md   | 44 +++++++++++
 ...eadm_alpha_phase_controlplane_apiserver.md | 32 ++++++++
 ...a_phase_controlplane_controller-manager.md | 23 ++++++
 ...eadm_alpha_phase_controlplane_scheduler.md | 22 ++++++
 .../generated/kubeadm_alpha_phase_etcd.md     |  8 ++
 .../kubeadm_alpha_phase_etcd_local.md         | 32 ++++++++
 .../kubeadm_alpha_phase_kubeconfig.md         |  8 ++
 .../kubeadm_alpha_phase_kubeconfig_admin.md   | 24 ++++++
 .../kubeadm_alpha_phase_kubeconfig_all.md     | 36 +++++++++
 ...pha_phase_kubeconfig_controller-manager.md | 24 ++++++
 .../kubeadm_alpha_phase_kubeconfig_kubelet.md | 27 +++++++
 ...ubeadm_alpha_phase_kubeconfig_scheduler.md | 24 ++++++
 .../kubeadm_alpha_phase_kubeconfig_user.md    | 32 ++++++++
 .../kubeadm_alpha_phase_mark-master.md        | 32 ++++++++
 .../kubeadm_alpha_phase_preflight.md          |  8 ++
 .../kubeadm_alpha_phase_preflight_master.md   | 21 ++++++
 .../kubeadm_alpha_phase_preflight_node.md     | 21 ++++++
 .../kubeadm_alpha_phase_selfhosting.md        |  8 ++
 ...ase_selfhosting_convert-from-staticpods.md | 41 ++++++++++
 .../kubeadm_alpha_phase_upload-config.md      | 30 ++++++++
 .../kubeadm/generated/kubeadm_completion.md   | 49 ++++++++++++
 .../kubeadm/generated/kubeadm_config.md       | 23 ++++++
 .../generated/kubeadm_config_upload.md        | 18 +++++
 .../kubeadm_config_upload_from-file.md        | 30 ++++++++
 .../kubeadm_config_upload_from-flags.md       | 47 ++++++++++++
 .../kubeadm/generated/kubeadm_config_view.md  | 22 ++++++
 .../kubeadm/generated/kubeadm_init.md         | 40 ++++++++++
 .../kubeadm/generated/kubeadm_join.md         | 75 +++++++++++++++++++
 .../kubeadm/generated/kubeadm_reset.md        | 20 +++++
 .../kubeadm/generated/kubeadm_token.md        | 36 +++++++++
 .../kubeadm/generated/kubeadm_token_create.md | 36 +++++++++
 .../kubeadm/generated/kubeadm_token_delete.md | 24 ++++++
 .../generated/kubeadm_token_generate.md       | 29 +++++++
 .../kubeadm/generated/kubeadm_token_list.md   | 21 ++++++
 .../kubeadm/generated/kubeadm_upgrade.md      | 30 ++++++++
 .../generated/kubeadm_upgrade_apply.md        | 40 ++++++++++
 .../kubeadm/generated/kubeadm_upgrade_plan.md | 30 ++++++++
 .../kubeadm/generated/kubeadm_version.md      | 18 +++++
 skip_title_check.txt                          | 62 +++++++++++++++
 skip_toc_check.txt                            | 66 +++++++++++++++-
 64 files changed, 1750 insertions(+), 2 deletions(-)
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/README.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_all.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-dns.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-proxy.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_all.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_cluster-info.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_create.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-auto-approve.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-post-csrs.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_all.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_ca.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-ca.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-client.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_sa.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_all.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_apiserver.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_controller-manager.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_scheduler.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd_local.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_admin.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_all.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_controller-manager.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_kubelet.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_scheduler.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_user.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_mark-master.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_master.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_node.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting_convert-from-staticpods.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_upload-config.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-file.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-flags.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_config_view.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
 create mode 100644 docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md

diff --git a/docs/reference/setup-tools/kubeadm/generated/README.md b/docs/reference/setup-tools/kubeadm/generated/README.md
new file mode 100644
index 0000000000000..020bc76f624cd
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/README.md
@@ -0,0 +1 @@
+All files in this directory are auto-generated from other repos. **Do not edit them manually. You must edit them in their upstream repo.**
\ No newline at end of file
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm.md
new file mode 100644
index 0000000000000..0990c72c0c84e
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm.md
@@ -0,0 +1,39 @@
+
+kubeadm: easily bootstrap a secure Kubernetes cluster
+
+### Synopsis
+
+
+
+kubeadm: easily bootstrap a secure Kubernetes cluster.
+
+    ┌──────────────────────────────────────────────────────────┐
+    │ KUBEADM IS CURRENTLY IN BETA                             │
+    │                                                          │
+    │ But please, try it out and give us feedback at:          │
+    │ https://github.com/kubernetes/kubeadm/issues             │
+    │ and at-mention @kubernetes/sig-cluster-lifecycle-bugs    │
+    │ or @kubernetes/sig-cluster-lifecycle-feature-requests    │
+    └──────────────────────────────────────────────────────────┘
+
+Example usage:
+
+    Create a two-machine cluster with one master (which controls the cluster),
+    and one node (where your workloads, like Pods and Deployments run).
+
+    ┌──────────────────────────────────────────────────────────┐
+    │ On the first machine:                                    │
+    ├──────────────────────────────────────────────────────────┤
+    │ master# kubeadm init                                     │
+    └──────────────────────────────────────────────────────────┘
+
+    ┌──────────────────────────────────────────────────────────┐
+    │ On the second machine:                                   │
+    ├──────────────────────────────────────────────────────────┤
+    │ node# kubeadm join <arguments-returned-from-init>        │
+    └──────────────────────────────────────────────────────────┘
+
+    You can then repeat the second step on as many other machines as you like.
+
+
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha.md
new file mode 100644
index 0000000000000..7ea8c6060ced9
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha.md
@@ -0,0 +1,8 @@
+
+Experimental sub-commands not yet fully functional.
+
+### Synopsis
+
+
+Experimental sub-commands not yet fully functional.
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase.md
new file mode 100644
index 0000000000000..ff9c916e19757
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase.md
@@ -0,0 +1,8 @@
+
+Invoke subsets of kubeadm functions separately for a manual install.
+
+### Synopsis
+
+
+This command is not meant to be run on its own. See list of available subcommands.
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon.md
new file mode 100644
index 0000000000000..ebd4a961d85dd
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon.md
@@ -0,0 +1,8 @@
+
+Installs required addons for passing Conformance tests
+
+### Synopsis
+
+
+This command is not meant to be run on its own. See list of available subcommands.
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_all.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_all.md
new file mode 100644
index 0000000000000..edd1b76971670
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_all.md
@@ -0,0 +1,45 @@
+
+Installs all addons to a Kubernetes cluster
+
+### Synopsis
+
+
+Installs the kube-dns and the kube-proxys addons components via the API server.
+Please note that although the DNS server is deployed, it will not be scheduled until CNI is installed. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase addon all
+```
+
+### Examples
+
+```
+  # Installs the kube-dns and the kube-proxys addons components via the API server,
+  # functionally equivalent to what installed by kubeadm init.
+  
+  kubeadm alpha phase selfhosting from-staticpods
+```
+
+### Options
+
+```
+      --apiserver-advertise-address string   The IP address or DNS name the API server is accessible on
+      --apiserver-bind-port int32            The port the API server is accessible on (default 6443)
+      --config string                        Path to a kubeadm config file. WARNING: Usage of a configuration file is experimental!
+      --feature-gates string                 A set of key=value pairs that describe feature gates for various features.Options are:
+CoreDNS=true|false (ALPHA - default=false)
+DynamicKubeletConfig=true|false (ALPHA - default=false)
+HighAvailability=true|false (ALPHA - default=false)
+SelfHosting=true|false (BETA - default=false)
+StoreCertsInSecrets=true|false (ALPHA - default=false)
+SupportIPVSProxyMode=true|false (ALPHA - default=false)
+      --image-repository string              Choose a container registry to pull control plane images from (default "gcr.io/google_containers")
+      --kubeconfig string                    The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+      --kubernetes-version string            Choose a specific Kubernetes version for the control plane (default "stable-1.8")
+      --pod-network-cidr string              The range of IP addresses used for the Pod network
+      --service-cidr string                  The range of IP address used for service VIPs (default "10.96.0.0/12")
+      --service-dns-domain string            Alternative domain for services (default "cluster.local")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-dns.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-dns.md
new file mode 100644
index 0000000000000..414f2a1b7ca17
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-dns.md
@@ -0,0 +1,33 @@
+
+Installs the kube-dns addon to a Kubernetes cluster
+
+### Synopsis
+
+
+Installs the kube-dns addon components via the API server.
+Please note that although the DNS server is deployed, it will not be scheduled until CNI is installed. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase addon kube-dns
+```
+
+### Options
+
+```
+      --config string               Path to a kubeadm config file. WARNING: Usage of a configuration file is experimental!
+      --feature-gates string        A set of key=value pairs that describe feature gates for various features.Options are:
+CoreDNS=true|false (ALPHA - default=false)
+DynamicKubeletConfig=true|false (ALPHA - default=false)
+HighAvailability=true|false (ALPHA - default=false)
+SelfHosting=true|false (BETA - default=false)
+StoreCertsInSecrets=true|false (ALPHA - default=false)
+SupportIPVSProxyMode=true|false (ALPHA - default=false)
+      --image-repository string     Choose a container registry to pull control plane images from (default "gcr.io/google_containers")
+      --kubeconfig string           The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+      --kubernetes-version string   Choose a specific Kubernetes version for the control plane (default "stable-1.8")
+      --service-cidr string         The range of IP address used for service VIPs (default "10.96.0.0/12")
+      --service-dns-domain string   Alternative domain for services (default "cluster.local")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-proxy.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-proxy.md
new file mode 100644
index 0000000000000..d1bca6ebff1ff
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-proxy.md
@@ -0,0 +1,26 @@
+
+Installs the kube-proxy addon to a Kubernetes cluster
+
+### Synopsis
+
+
+Installs the kube-proxy addon components via the API server. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase addon kube-proxy
+```
+
+### Options
+
+```
+      --apiserver-advertise-address string   The IP address or DNS name the API server is accessible on
+      --apiserver-bind-port int32            The port the API server is accessible on (default 6443)
+      --config string                        Path to a kubeadm config file. WARNING: Usage of a configuration file is experimental!
+      --image-repository string              Choose a container registry to pull control plane images from (default "gcr.io/google_containers")
+      --kubeconfig string                    The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+      --kubernetes-version string            Choose a specific Kubernetes version for the control plane (default "stable-1.8")
+      --pod-network-cidr string              The range of IP addresses used for the Pod network
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token.md
new file mode 100644
index 0000000000000..82c8ababf6064
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token.md
@@ -0,0 +1,14 @@
+
+Manage kubeadm-specific bootstrap token functions
+
+### Synopsis
+
+
+This command is not meant to be run on its own. See list of available subcommands.
+
+### Options
+
+```
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_all.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_all.md
new file mode 100644
index 0000000000000..ecede358f923d
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_all.md
@@ -0,0 +1,43 @@
+
+Makes all the bootstrap token configurations and creates an initial token
+
+### Synopsis
+
+
+Bootstrap tokens are used for establishing bidirectional trust between a node joining the cluster and a the master node. 
+
+This command makes all the configurations required to make bootstrap tokens works and then creates an initial token. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase bootstrap-token all
+```
+
+### Examples
+
+```
+  # Makes all the bootstrap token configurations and creates an initial token, functionally
+  # equivalent to what generated by kubeadm init.
+  kubeadm alpha phase bootstrap-token all
+```
+
+### Options
+
+```
+      --cert-dir string      The path where certificates are stored (default "/etc/kubernetes/pki")
+      --config string        Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+      --description string   A human friendly description of how this token is used. (default "The default bootstrap token generated by 'kubeadm init'.")
+      --groups stringSlice   Extra groups that this token will authenticate as when used for authentication. Must match "system:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]" (default [system:bootstrappers:kubeadm:default-node-token])
+      --skip-token-print     Skip printing of the bootstrap token
+      --token string         The token to use for establishing bidirectional trust between nodes and masters
+      --ttl duration         The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default 24h0m0s)
+      --usages stringSlice   Describes the ways in which this token can be used. You can pass --usages multiple times or provide a comma separated list of options. Valid options: [signing,authentication] (default [signing,authentication])
+```
+
+### Options inherited from parent commands
+
+```
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_cluster-info.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_cluster-info.md
new file mode 100644
index 0000000000000..3b37d321e50a3
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_cluster-info.md
@@ -0,0 +1,22 @@
+
+Uploads the cluster-info ConfigMap from the given kubeconfig file
+
+### Synopsis
+
+
+Uploads the "cluster-info" ConfigMap in the "kube-public" namespace, populating it with cluster information extracted from the given kubeconfig file. The ConfigMap is used for the node bootstrap process in its initial phases, before the client trusts the API server. 
+
+See online documentation about Authenticating with Bootstrap Tokens for more details. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase bootstrap-token cluster-info
+```
+
+### Options inherited from parent commands
+
+```
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_create.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_create.md
new file mode 100644
index 0000000000000..944f22ddde5ae
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_create.md
@@ -0,0 +1,35 @@
+
+Creates a bootstrap token to be used for node joining
+
+### Synopsis
+
+
+Creates a bootstrap token. If no token value is given, kubeadm will generate a random token instead. 
+
+Alternatively, you can use kubeadm token. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase bootstrap-token create
+```
+
+### Options
+
+```
+      --cert-dir string      The path where certificates are stored (default "/etc/kubernetes/pki")
+      --config string        Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+      --description string   A human friendly description of how this token is used. (default "The default bootstrap token generated by 'kubeadm init'.")
+      --groups stringSlice   Extra groups that this token will authenticate as when used for authentication. Must match "system:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]" (default [system:bootstrappers:kubeadm:default-node-token])
+      --skip-token-print     Skip printing of the bootstrap token
+      --token string         The token to use for establishing bidirectional trust between nodes and masters
+      --ttl duration         The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default 24h0m0s)
+      --usages stringSlice   Describes the ways in which this token can be used. You can pass --usages multiple times or provide a comma separated list of options. Valid options: [signing,authentication] (default [signing,authentication])
+```
+
+### Options inherited from parent commands
+
+```
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node.md
new file mode 100644
index 0000000000000..ada2555931db0
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node.md
@@ -0,0 +1,14 @@
+
+Configures the node bootstrap process
+
+### Synopsis
+
+
+This command is not meant to be run on its own. See list of available subcommands.
+
+### Options inherited from parent commands
+
+```
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-auto-approve.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-auto-approve.md
new file mode 100644
index 0000000000000..aa276e76a5665
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-auto-approve.md
@@ -0,0 +1,22 @@
+
+Configures RBAC rules to allow the csrapprover controller automatically approve CSRs from a node bootstrap token
+
+### Synopsis
+
+
+Configures RBAC rules to allow the csrapprover controller to automatically approve certificate signing requests generated by nodes joining the cluster. It configures also RBAC rules for certificates rotation (with auto approval of new certificates). 
+
+See online documentation about TLS bootstrapping for more details. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase bootstrap-token node allow-auto-approve
+```
+
+### Options inherited from parent commands
+
+```
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-post-csrs.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-post-csrs.md
new file mode 100644
index 0000000000000..92ff5de3f92b0
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-post-csrs.md
@@ -0,0 +1,22 @@
+
+Configures RBAC to allow node bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
+
+### Synopsis
+
+
+Configures RBAC rules to allow node bootstrap tokens to post a certificate signing request, thus enabling nodes joining the cluster to request long term certificate credentials. 
+
+See online documentation about TLS bootstrapping for more details. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase bootstrap-token node allow-post-csrs
+```
+
+### Options inherited from parent commands
+
+```
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs.md
new file mode 100644
index 0000000000000..d7799cb4b8e19
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs.md
@@ -0,0 +1,8 @@
+
+Generates certificates for a Kubernetes cluster
+
+### Synopsis
+
+
+This command is not meant to be run on its own. See list of available subcommands.
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_all.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_all.md
new file mode 100644
index 0000000000000..7dc2e2d44d7a4
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_all.md
@@ -0,0 +1,39 @@
+
+Generates all PKI assets necessary to establish the control plane
+
+### Synopsis
+
+
+Generates a self-signed CA to provision identities for each component in the cluster (including nodes) and client certificates to be used by various components. 
+
+If a given certificate and private key pair both exist, kubeadm skips the generation step and
+existing files will be used. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase certs all
+```
+
+### Examples
+
+```
+  # Creates all PKI assets necessary to establish the control plane,
+  # functionally equivalent to what generated by kubeadm init.
+  kubeadm alpha phase certs all
+  
+  # Creates all PKI assets using options read from a configuration file.
+  kubeadm alpha phase certs all --config masterconfiguration.yaml
+```
+
+### Options
+
+```
+      --apiserver-advertise-address string      The IP address the API server is accessible on, to use for the API server serving cert
+      --apiserver-cert-extra-sans stringSlice   Optional extra altnames to use for the API server serving cert. Can be both IP addresses and dns names
+      --cert-dir string                         The path where to save the certificates (default "/etc/kubernetes/pki")
+      --config string                           Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+      --service-cidr string                     Alternative range of IP address for service VIPs, from which derives the internal API server VIP that will be added to the API Server serving cert (default "10.96.0.0/12")
+      --service-dns-domain string               Alternative domain for services, to use for the API server serving cert (default "cluster.local")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md
new file mode 100644
index 0000000000000..4f2e44c18731a
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md
@@ -0,0 +1,23 @@
+
+Generates client certificate for the API server to connect to the kubelets securely
+
+### Synopsis
+
+
+Generates the client certificate for the API server to connect to the kubelet securely and the respective key, and saves them into apiserver-kubelet-client.crt and apiserver-kubelet-client.key files. 
+
+If both files already exist, kubeadm skips the generation step and existing files will be used. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase certs apiserver-kubelet-client
+```
+
+### Options
+
+```
+      --cert-dir string   The path where to save the certificates (default "/etc/kubernetes/pki")
+      --config string     Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver.md
new file mode 100644
index 0000000000000..0907c23cd7ccb
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver.md
@@ -0,0 +1,29 @@
+
+Generates API server serving certificate and key
+
+### Synopsis
+
+
+Generates the API server serving certificate and key and saves them into apiserver.crt and apiserver.key files. 
+
+The certificate includes default subject alternative names and additional sans eventually provided by the user; default sans are: {node-name}, {apiserver-advertise-address}, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc. {service-dns-domain}, {internalAPIServerVirtualIP}(that is the .10 address in {service-cidr} address space). 
+
+If both files already exist, kubeadm skips the generation step and existing files will be used. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase certs apiserver
+```
+
+### Options
+
+```
+      --apiserver-advertise-address string      The IP address the API server is accessible on, to use for the API server serving cert
+      --apiserver-cert-extra-sans stringSlice   Optional extra altnames to use for the API server serving cert. Can be both IP addresses and dns names
+      --cert-dir string                         The path where to save the certificates (default "/etc/kubernetes/pki")
+      --config string                           Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+      --service-cidr string                     Alternative range of IP address for service VIPs, from which derives the internal API server VIP that will be added to the API Server serving cert (default "10.96.0.0/12")
+      --service-dns-domain string               Alternative domain for services, to use for the API server serving cert (default "cluster.local")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_ca.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_ca.md
new file mode 100644
index 0000000000000..4409f7aff77d4
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_ca.md
@@ -0,0 +1,23 @@
+
+Generates self-signed CA to provision identities for each component in the cluster
+
+### Synopsis
+
+
+Generates the self-signed certificate authority and related key, and saves them into ca.crt and ca.key files. 
+
+If both files already exist, kubeadm skips the generation step and existing files will be used. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase certs ca
+```
+
+### Options
+
+```
+      --cert-dir string   The path where to save the certificates (default "/etc/kubernetes/pki")
+      --config string     Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-ca.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-ca.md
new file mode 100644
index 0000000000000..8e2f1c92c3609
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-ca.md
@@ -0,0 +1,23 @@
+
+Generates front proxy CA certificate and key for a Kubernetes cluster
+
+### Synopsis
+
+
+Generates the front proxy CA certificate and key and saves them into front-proxy-ca.crt and front-proxy-ca.key files. 
+
+If both files already exist, kubeadm skips the generation step and existing files will be used. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase certs front-proxy-ca
+```
+
+### Options
+
+```
+      --cert-dir string   The path where to save the certificates (default "/etc/kubernetes/pki")
+      --config string     Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-client.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-client.md
new file mode 100644
index 0000000000000..ab24606835a42
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-client.md
@@ -0,0 +1,23 @@
+
+Generates front proxy CA client certificate and key for a Kubernetes cluster
+
+### Synopsis
+
+
+Generates the front proxy client certificate and key and saves them into front-proxy-client.crt and front-proxy-client.key files. 
+
+If both files already exist, kubeadm skips the generation step and existing files will be used. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase certs front-proxy-client
+```
+
+### Options
+
+```
+      --cert-dir string   The path where to save the certificates (default "/etc/kubernetes/pki")
+      --config string     Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_sa.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_sa.md
new file mode 100644
index 0000000000000..f756ec98e3cb6
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_sa.md
@@ -0,0 +1,23 @@
+
+Generates a private key for signing service account tokens along with its public key
+
+### Synopsis
+
+
+Generates the private key for signing service account tokens along with its public key, and saves them into sa.key and sa.pub files. 
+
+If both files already exist, kubeadm skips the generation step and existing files will be used. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase certs sa
+```
+
+### Options
+
+```
+      --cert-dir string   The path where to save the certificates (default "/etc/kubernetes/pki")
+      --config string     Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane.md
new file mode 100644
index 0000000000000..2b0a831ce107a
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane.md
@@ -0,0 +1,8 @@
+
+Generates all static Pod manifest files necessary to establish the control plane
+
+### Synopsis
+
+
+This command is not meant to be run on its own. See list of available subcommands.
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_all.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_all.md
new file mode 100644
index 0000000000000..ee3590ed263b5
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_all.md
@@ -0,0 +1,44 @@
+
+Generates all static Pod manifest files necessary to establish the control plane
+
+### Synopsis
+
+
+Generates all static Pod manifest files necessary to establish the control plane. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase controlplane all
+```
+
+### Examples
+
+```
+  # Generates all static Pod manifest files for control plane components,
+  # functionally equivalent to what generated by kubeadm init.
+  kubeadm alpha phase controlplane all
+  
+  # Generates all static Pod manifest files using options read from a configuration file.
+  kubeadm alpha phase controlplane --config masterconfiguration.yaml
+```
+
+### Options
+
+```
+      --apiserver-advertise-address string   The IP address or DNS name the API server is accessible on
+      --apiserver-bind-port int32            The port the API server is accessible on (default 6443)
+      --cert-dir string                      The path where certificates are stored (default "/etc/kubernetes/pki")
+      --config string                        Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+      --feature-gates string                 A set of key=value pairs that describe feature gates for various features. Options are:
+CoreDNS=true|false (ALPHA - default=false)
+DynamicKubeletConfig=true|false (ALPHA - default=false)
+HighAvailability=true|false (ALPHA - default=false)
+SelfHosting=true|false (BETA - default=false)
+StoreCertsInSecrets=true|false (ALPHA - default=false)
+SupportIPVSProxyMode=true|false (ALPHA - default=false)
+      --kubernetes-version string            Choose a specific Kubernetes version for the control plane (default "stable-1.8")
+      --pod-network-cidr string              The range of IP addresses used for the Pod network
+      --service-cidr string                  The range of IP address used for service VIPs (default "10.96.0.0/12")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_apiserver.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_apiserver.md
new file mode 100644
index 0000000000000..a9057ebddb09b
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_apiserver.md
@@ -0,0 +1,32 @@
+
+Generates the API server static Pod manifest.
+
+### Synopsis
+
+
+Generates the static Pod manifest file for the API server and saves it into /etc/kubernetes/manifests/kube-apiserver.yaml file. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase controlplane apiserver
+```
+
+### Options
+
+```
+      --apiserver-advertise-address string   The IP address or DNS name the API server is accessible on
+      --apiserver-bind-port int32            The port the API server is accessible on (default 6443)
+      --cert-dir string                      The path where certificates are stored (default "/etc/kubernetes/pki")
+      --config string                        Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+      --feature-gates string                 A set of key=value pairs that describe feature gates for various features. Options are:
+CoreDNS=true|false (ALPHA - default=false)
+DynamicKubeletConfig=true|false (ALPHA - default=false)
+HighAvailability=true|false (ALPHA - default=false)
+SelfHosting=true|false (BETA - default=false)
+StoreCertsInSecrets=true|false (ALPHA - default=false)
+SupportIPVSProxyMode=true|false (ALPHA - default=false)
+      --kubernetes-version string            Choose a specific Kubernetes version for the control plane (default "stable-1.8")
+      --service-cidr string                  The range of IP address used for service VIPs (default "10.96.0.0/12")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_controller-manager.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_controller-manager.md
new file mode 100644
index 0000000000000..8684272d12083
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_controller-manager.md
@@ -0,0 +1,23 @@
+
+Generates the controller-manager static Pod manifest.
+
+### Synopsis
+
+
+Generates the static Pod manifest file for the controller-manager and saves it into /etc/kubernetes/manifests/kube-controller-manager.yaml file. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase controlplane controller-manager
+```
+
+### Options
+
+```
+      --cert-dir string             The path where certificates are stored (default "/etc/kubernetes/pki")
+      --config string               Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+      --kubernetes-version string   Choose a specific Kubernetes version for the control plane (default "stable-1.8")
+      --pod-network-cidr string     The range of IP addresses used for the Pod network
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_scheduler.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_scheduler.md
new file mode 100644
index 0000000000000..a8aa9627ec740
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_scheduler.md
@@ -0,0 +1,22 @@
+
+Generates the scheduler static Pod manifest.
+
+### Synopsis
+
+
+Generates the static Pod manifest file for the scheduler and saves it into /etc/kubernetes/manifests/kube-scheduler.yaml file. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase controlplane scheduler
+```
+
+### Options
+
+```
+      --cert-dir string             The path where certificates are stored (default "/etc/kubernetes/pki")
+      --config string               Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+      --kubernetes-version string   Choose a specific Kubernetes version for the control plane (default "stable-1.8")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd.md
new file mode 100644
index 0000000000000..a0379819c886c
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd.md
@@ -0,0 +1,8 @@
+
+Generates static Pod manifest file for etcd.
+
+### Synopsis
+
+
+This command is not meant to be run on its own. See list of available subcommands.
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd_local.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd_local.md
new file mode 100644
index 0000000000000..355eab7d22328
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd_local.md
@@ -0,0 +1,32 @@
+
+Generates the static Pod manifest file for a local, single-node etcd instance
+
+### Synopsis
+
+
+Generates the static Pod manifest file for a local, single-node etcd instance and saves it to /etc/kubernetes/manifests/etcd.yaml file. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase etcd local
+```
+
+### Examples
+
+```
+  # Generates the static Pod manifest file for etcd, functionally
+  # equivalent to what generated by kubeadm init.
+  kubeadm alpha phase etcd local
+  
+  #  Generates the static Pod manifest file for etcd.
+  kubeadm alpha phase etcd local --config masterconfiguration.yaml
+```
+
+### Options
+
+```
+      --cert-dir string   The path where certificates are stored (default "/etc/kubernetes/pki")
+      --config string     Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig.md
new file mode 100644
index 0000000000000..d68c9061c4cee
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig.md
@@ -0,0 +1,8 @@
+
+Generates all kubeconfig files necessary to establish the control plane and the admin kubeconfig file
+
+### Synopsis
+
+
+This command is not meant to be run on its own. See list of available subcommands.
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_admin.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_admin.md
new file mode 100644
index 0000000000000..dd91a097cacb4
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_admin.md
@@ -0,0 +1,24 @@
+
+Generates a kubeconfig file for the admin to use and for kubeadm itself
+
+### Synopsis
+
+
+Generates the kubeconfig file for the admin and for kubeadm itself, and saves it to admin.conf file. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase kubeconfig admin
+```
+
+### Options
+
+```
+      --apiserver-advertise-address string   The IP address the API server is accessible on
+      --apiserver-bind-port int32            The port the API server is accessible on (default 6443)
+      --cert-dir string                      The path where certificates are stored (default "/etc/kubernetes/pki")
+      --config string                        Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+      --kubeconfig-dir string                The port where to save the kubeconfig file (default "/etc/kubernetes")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_all.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_all.md
new file mode 100644
index 0000000000000..166d2c8e419bc
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_all.md
@@ -0,0 +1,36 @@
+
+Generates all kubeconfig files necessary to establish the control plane and the admin kubeconfig file
+
+### Synopsis
+
+
+Generates all kubeconfig files necessary to establish the control plane and the admin kubeconfig file. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase kubeconfig all
+```
+
+### Examples
+
+```
+  # Generates all kubeconfig files, functionally equivalent to what generated
+  # by kubeadm init.
+  kubeadm alpha phase kubeconfig all
+  
+  # Generates all kubeconfig files using options read from a configuration file.
+  kubeadm alpha phase kubeconfig all --config masterconfiguration.yaml
+```
+
+### Options
+
+```
+      --apiserver-advertise-address string   The IP address the API server is accessible on
+      --apiserver-bind-port int32            The port the API server is accessible on (default 6443)
+      --cert-dir string                      The path where certificates are stored (default "/etc/kubernetes/pki")
+      --config string                        Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+      --kubeconfig-dir string                The port where to save the kubeconfig file (default "/etc/kubernetes")
+      --node-name string                     The node name that should be used for the kubelet client certificate
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_controller-manager.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_controller-manager.md
new file mode 100644
index 0000000000000..0765413658410
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_controller-manager.md
@@ -0,0 +1,24 @@
+
+Generates a kubeconfig file for the controller manager to use
+
+### Synopsis
+
+
+Generates the kubeconfig file for the controller manager to use and saves it to /etc/kubernetes/controller-manager.conf file. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase kubeconfig controller-manager
+```
+
+### Options
+
+```
+      --apiserver-advertise-address string   The IP address the API server is accessible on
+      --apiserver-bind-port int32            The port the API server is accessible on (default 6443)
+      --cert-dir string                      The path where certificates are stored (default "/etc/kubernetes/pki")
+      --config string                        Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+      --kubeconfig-dir string                The port where to save the kubeconfig file (default "/etc/kubernetes")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_kubelet.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_kubelet.md
new file mode 100644
index 0000000000000..67bb710573db4
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_kubelet.md
@@ -0,0 +1,27 @@
+
+Generates a kubeconfig file for the kubelet to use. Please note that this should be used *only* for bootstrapping purposes.
+
+### Synopsis
+
+
+Generates the kubeconfig file for the kubelet to use and saves it to /etc/kubernetes/kubelet.conf file. 
+
+Please note that this should only be used for bootstrapping purposes. After your control plane is up, you should request all kubelet credentials from the CSR API. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase kubeconfig kubelet
+```
+
+### Options
+
+```
+      --apiserver-advertise-address string   The IP address the API server is accessible on
+      --apiserver-bind-port int32            The port the API server is accessible on (default 6443)
+      --cert-dir string                      The path where certificates are stored (default "/etc/kubernetes/pki")
+      --config string                        Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+      --kubeconfig-dir string                The port where to save the kubeconfig file (default "/etc/kubernetes")
+      --node-name string                     The node name that should be used for the kubelet client certificate
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_scheduler.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_scheduler.md
new file mode 100644
index 0000000000000..d50259631d31a
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_scheduler.md
@@ -0,0 +1,24 @@
+
+Generates a kubeconfig file for the scheduler to use
+
+### Synopsis
+
+
+Generates the kubeconfig file for the scheduler to use and saves it to /etc/kubernetes/scheduler.conf file. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase kubeconfig scheduler
+```
+
+### Options
+
+```
+      --apiserver-advertise-address string   The IP address the API server is accessible on
+      --apiserver-bind-port int32            The port the API server is accessible on (default 6443)
+      --cert-dir string                      The path where certificates are stored (default "/etc/kubernetes/pki")
+      --config string                        Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+      --kubeconfig-dir string                The port where to save the kubeconfig file (default "/etc/kubernetes")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_user.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_user.md
new file mode 100644
index 0000000000000..5fc2c0c35db20
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_user.md
@@ -0,0 +1,32 @@
+
+Outputs a kubeconfig file for an additional user
+
+### Synopsis
+
+
+Outputs a kubeconfig file for an additional user. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase kubeconfig user
+```
+
+### Examples
+
+```
+  # Outputs a kubeconfig file for an additional user named foo
+  kubeadm alpha phase kubeconfig user --client-name=foo
+```
+
+### Options
+
+```
+      --apiserver-advertise-address string   The IP address the API server is accessible on
+      --apiserver-bind-port int32            The port the API server is accessible on (default 6443)
+      --cert-dir string                      The path where certificates are stored (default "/etc/kubernetes/pki")
+      --client-name string                   The name of user. It will be used as the CN if client certificates are created
+      --kubeconfig-dir string                The port where to save the kubeconfig file (default "/etc/kubernetes")
+      --token string                         The token that should be used as the authentication mechanism for this kubeconfig (instead of client certificates)
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_mark-master.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_mark-master.md
new file mode 100644
index 0000000000000..292620cdc821c
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_mark-master.md
@@ -0,0 +1,32 @@
+
+Mark a node as master
+
+### Synopsis
+
+
+Applies a label that specifies that a node is a master and a taint that forces workloads to be deployed accordingly. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase mark-master
+```
+
+### Examples
+
+```
+  # Applies master label and taint to the current node, functionally equivalent to what executed by kubeadm init.
+  kubeadm alpha phase mark-master
+  
+  # Applies master label and taint to a specific node
+  kubeadm alpha phase mark-master --node-name myNode
+```
+
+### Options
+
+```
+      --config string       Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+      --node-name string    The node name to which label and taints should apply
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight.md
new file mode 100644
index 0000000000000..afb22cee7be92
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight.md
@@ -0,0 +1,8 @@
+
+Run pre-flight checks
+
+### Synopsis
+
+
+This command is not meant to be run on its own. See list of available subcommands.
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_master.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_master.md
new file mode 100644
index 0000000000000..ea683e1a64c8f
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_master.md
@@ -0,0 +1,21 @@
+
+Run master pre-flight checks
+
+### Synopsis
+
+
+Run master pre-flight checks, functionally equivalent to what implemented by kubeadm init. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase preflight master
+```
+
+### Examples
+
+```
+  # Run master pre-flight checks.
+  kubeadm alpha phase preflight master
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_node.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_node.md
new file mode 100644
index 0000000000000..3d6a40977878f
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_node.md
@@ -0,0 +1,21 @@
+
+Run node pre-flight checks
+
+### Synopsis
+
+
+Run node pre-flight checks, functionally equivalent to what implemented by kubeadm join. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase preflight node
+```
+
+### Examples
+
+```
+  # Run node pre-flight checks.
+  kubeadm alpha phase preflight node
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting.md
new file mode 100644
index 0000000000000..a21886203c9aa
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting.md
@@ -0,0 +1,8 @@
+
+Makes a kubeadm cluster self-hosted
+
+### Synopsis
+
+
+This command is not meant to be run on its own. See list of available subcommands.
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting_convert-from-staticpods.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting_convert-from-staticpods.md
new file mode 100644
index 0000000000000..c5f2c9bec6609
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting_convert-from-staticpods.md
@@ -0,0 +1,41 @@
+
+Converts a static Pod-hosted control plane into a self-hosted one
+
+### Synopsis
+
+
+Converts static Pod files for control plane components into self-hosted DaemonSets configured via the Kubernetes API. 
+
+See the documentation for self-hosting limitations. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase selfhosting convert-from-staticpods
+```
+
+### Examples
+
+```
+  # Converts a static Pod-hosted control plane into a self-hosted one,
+  # functionally equivalent to what generated by kubeadm init executed
+  # with --feature-gates=SelfHosting=true.
+  
+  kubeadm alpha phase selfhosting convert-from-staticpods
+```
+
+### Options
+
+```
+      --cert-dir string        The path where certificates are stored (default "/etc/kubernetes/pki")
+      --config string          Path to a kubeadm config file. WARNING: Usage of a configuration file is experimental!
+      --feature-gates string   A set of key=value pairs that describe feature gates for various features. Options are:
+CoreDNS=true|false (ALPHA - default=false)
+DynamicKubeletConfig=true|false (ALPHA - default=false)
+HighAvailability=true|false (ALPHA - default=false)
+SelfHosting=true|false (BETA - default=false)
+StoreCertsInSecrets=true|false (ALPHA - default=false)
+SupportIPVSProxyMode=true|false (ALPHA - default=false)
+      --kubeconfig string      The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_upload-config.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_upload-config.md
new file mode 100644
index 0000000000000..fda590df06eeb
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_upload-config.md
@@ -0,0 +1,30 @@
+
+Uploads the currently used configuration for kubeadm to a ConfigMap
+
+### Synopsis
+
+
+Uploads the kubeadm init configuration of your cluster to a ConfigMap called kubeadm-config in the kube-system namespace. This enables correct configuration of system components and a seamless user experience when upgrading. 
+
+Alternatively, you can use kubeadm config. 
+
+Alpha Disclaimer: this command is currently alpha.
+
+```
+kubeadm alpha phase upload-config
+```
+
+### Examples
+
+```
+  # uploads the configuration of your cluster
+  kubeadm alpha phase upload-config --config=myConfig.yaml
+```
+
+### Options
+
+```
+      --config string       Path to a kubeadm config file. WARNING: Usage of a configuration file is experimental!
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md
new file mode 100644
index 0000000000000..fdc98aeff77a4
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md
@@ -0,0 +1,49 @@
+
+Output shell completion code for the specified shell (bash or zsh).
+
+### Synopsis
+
+
+
+Output shell completion code for the specified shell (bash or zsh).
+The shell code must be evalutated to provide interactive
+completion of kubeadm commands. This can be done by sourcing it from
+the .bash_profile.
+
+Note: this requires the bash-completion framework, which is not installed
+by default on Mac. This can be installed by using homebrew:
+
+    $ brew install bash-completion
+
+Once installed, bash_completion must be evaluated. This can be done by adding the
+following line to the .bash_profile
+
+    $ source $(brew --prefix)/etc/bash_completion
+
+Note for zsh users: [1] zsh completions are only supported in versions of zsh >= 5.2
+
+```
+kubeadm completion SHELL
+```
+
+### Examples
+
+```
+
+# Install bash completion on a Mac using homebrew
+brew install bash-completion
+printf "\n# Bash completion support\nsource $(brew --prefix)/etc/bash_completion\n" >> $HOME/.bash_profile
+source $HOME/.bash_profile
+
+# Load the kubeadm completion code for bash into the current shell
+source <(kubeadm completion bash)
+
+# Write bash completion code to a file and source if from .bash_profile
+kubeadm completion bash > ~/.kube/kubeadm_completion.bash.inc
+printf "\n# Kubeadm shell completion\nsource '$HOME/.kube/kubeadm_completion.bash.inc'\n" >> $HOME/.bash_profile
+source $HOME/.bash_profile
+
+# Load the kubeadm completion code for zsh[1] into the current shell
+source <(kubeadm completion zsh)
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md
new file mode 100644
index 0000000000000..56a7cf14dca23
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md
@@ -0,0 +1,23 @@
+
+Manage configuration for a kubeadm cluster persisted in a ConfigMap in the cluster.
+
+### Synopsis
+
+
+
+There is a ConfigMap in the kube-system namespace called "kubeadm-config" that kubeadm uses to store internal configuration about the
+cluster. kubeadm CLI v1.8.0+ automatically creates this ConfigMap with the config used with 'kubeadm init', but if you
+initialized your cluster using kubeadm v1.7.x or lower, you must use the 'config upload' command to create this
+ConfigMap. This is required so that 'kubeadm upgrade' can configure your upgraded cluster correctly.
+
+
+```
+kubeadm config
+```
+
+### Options
+
+```
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster. (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload.md
new file mode 100644
index 0000000000000..661d0889bd67b
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload.md
@@ -0,0 +1,18 @@
+
+Upload configuration about the current state, so that 'kubeadm upgrade' can later know how to configure the upgraded cluster.
+
+### Synopsis
+
+
+Upload configuration about the current state, so that 'kubeadm upgrade' can later know how to configure the upgraded cluster.
+
+```
+kubeadm config upload
+```
+
+### Options inherited from parent commands
+
+```
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster. (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-file.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-file.md
new file mode 100644
index 0000000000000..39d9d69c74ab6
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-file.md
@@ -0,0 +1,30 @@
+
+Upload a configuration file to the in-cluster ConfigMap for kubeadm configuration.
+
+### Synopsis
+
+
+
+Using this command, you can upload configuration to the ConfigMap in the cluster using the same config file you gave to 'kubeadm init'.
+If you initialized your cluster using a v1.7.x or lower kubeadm client and used the --config option, you need to run this command with the
+same config file before upgrading to v1.8 using 'kubeadm upgrade'.
+
+The configuration is located in the "kube-system" namespace in the "kubeadm-config" ConfigMap.
+
+
+```
+kubeadm config upload from-file
+```
+
+### Options
+
+```
+      --config string   Path to a kubeadm config file. WARNING: Usage of a configuration file is experimental.
+```
+
+### Options inherited from parent commands
+
+```
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster. (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-flags.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-flags.md
new file mode 100644
index 0000000000000..f8c702d956f22
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-flags.md
@@ -0,0 +1,47 @@
+
+Create the in-cluster configuration file for the first time from using flags.
+
+### Synopsis
+
+
+
+Using this command, you can upload configuration to the ConfigMap in the cluster using the same flags you gave to 'kubeadm init'.
+If you initialized your cluster using a v1.7.x or lower kubeadm client and set certain flags, you need to run this command with the
+same flags before upgrading to v1.8 using 'kubeadm upgrade'.
+
+The configuration is located in the "kube-system" namespace in the "kubeadm-config" ConfigMap.
+
+
+```
+kubeadm config upload from-flags
+```
+
+### Options
+
+```
+      --apiserver-advertise-address string      The IP address the API Server will advertise it's listening on. Specify '0.0.0.0' to use the address of the default network interface.
+      --apiserver-bind-port int32               Port for the API Server to bind to. (default 6443)
+      --apiserver-cert-extra-sans stringSlice   Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate. Can be both IP addresses and DNS names.
+      --cert-dir string                         The path where to save and store the certificates. (default "/etc/kubernetes/pki")
+      --feature-gates string                    A set of key=value pairs that describe feature gates for various features. Options are:
+CoreDNS=true|false (ALPHA - default=false)
+DynamicKubeletConfig=true|false (ALPHA - default=false)
+HighAvailability=true|false (ALPHA - default=false)
+SelfHosting=true|false (BETA - default=false)
+StoreCertsInSecrets=true|false (ALPHA - default=false)
+SupportIPVSProxyMode=true|false (ALPHA - default=false)
+      --kubernetes-version string               Choose a specific Kubernetes version for the control plane. (default "stable-1.8")
+      --node-name string                        Specify the node name.
+      --pod-network-cidr string                 Specify range of IP addresses for the pod network. If set, the control plane will automatically allocate CIDRs for every node.
+      --service-cidr string                     Use alternative range of IP address for service VIPs. (default "10.96.0.0/12")
+      --service-dns-domain string               Use alternative domain for services, e.g. "myorg.internal". (default "cluster.local")
+      --token string                            The token to use for establishing bidirectional trust between nodes and masters.
+      --token-ttl duration                      The duration before the bootstrap token is automatically deleted. If set to '0', the token will never expire. (default 24h0m0s)
+```
+
+### Options inherited from parent commands
+
+```
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster. (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_view.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_view.md
new file mode 100644
index 0000000000000..786a343cf49e3
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_view.md
@@ -0,0 +1,22 @@
+
+View the kubeadm configuration stored inside the cluster.
+
+### Synopsis
+
+
+
+Using this command, you can view the ConfigMap in the cluster where the configuration for kubeadm is located.
+
+The configuration is located in the "kube-system" namespace in the "kubeadm-config" ConfigMap.
+
+
+```
+kubeadm config view
+```
+
+### Options inherited from parent commands
+
+```
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster. (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
new file mode 100644
index 0000000000000..4c3a865c685ec
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
@@ -0,0 +1,40 @@
+
+Run this command in order to set up the Kubernetes master.
+
+### Synopsis
+
+
+Run this command in order to set up the Kubernetes master.
+
+```
+kubeadm init
+```
+
+### Options
+
+```
+      --apiserver-advertise-address string      The IP address the API Server will advertise it's listening on. Specify '0.0.0.0' to use the address of the default network interface.
+      --apiserver-bind-port int32               Port for the API Server to bind to. (default 6443)
+      --apiserver-cert-extra-sans stringSlice   Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate. Can be both IP addresses and DNS names.
+      --cert-dir string                         The path where to save and store the certificates. (default "/etc/kubernetes/pki")
+      --config string                           Path to kubeadm config file. WARNING: Usage of a configuration file is experimental.
+      --cri-socket string                       Specify the CRI socket to connect to. (default "/var/run/dockershim.sock")
+      --dry-run                                 Don't apply any changes; just output what would be done.
+      --feature-gates string                    A set of key=value pairs that describe feature gates for various features. Options are:
+CoreDNS=true|false (ALPHA - default=false)
+DynamicKubeletConfig=true|false (ALPHA - default=false)
+HighAvailability=true|false (ALPHA - default=false)
+SelfHosting=true|false (BETA - default=false)
+StoreCertsInSecrets=true|false (ALPHA - default=false)
+SupportIPVSProxyMode=true|false (ALPHA - default=false)
+      --ignore-checks-errors stringSlice        A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
+      --kubernetes-version string               Choose a specific Kubernetes version for the control plane. (default "stable-1.8")
+      --node-name string                        Specify the node name.
+      --pod-network-cidr string                 Specify range of IP addresses for the pod network. If set, the control plane will automatically allocate CIDRs for every node.
+      --service-cidr string                     Use alternative range of IP address for service VIPs. (default "10.96.0.0/12")
+      --service-dns-domain string               Use alternative domain for services, e.g. "myorg.internal". (default "cluster.local")
+      --skip-token-print                        Skip printing of the default bootstrap token generated by 'kubeadm init'.
+      --token string                            The token to use for establishing bidirectional trust between nodes and masters.
+      --token-ttl duration                      The duration before the bootstrap token is automatically deleted. If set to '0', the token will never expire. (default 24h0m0s)
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md
new file mode 100644
index 0000000000000..fe2c5c142f191
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md
@@ -0,0 +1,75 @@
+
+Run this on any machine you wish to join an existing cluster
+
+### Synopsis
+
+
+
+When joining a kubeadm initialized cluster, we need to establish
+bidirectional trust. This is split into discovery (having the Node
+trust the Kubernetes Master) and TLS bootstrap (having the Kubernetes
+Master trust the Node).
+
+There are 2 main schemes for discovery. The first is to use a shared
+token along with the IP address of the API server. The second is to
+provide a file - a subset of the standard kubeconfig file. This file
+can be a local file or downloaded via an HTTPS URL. The forms are
+kubeadm join --discovery-token abcdef.1234567890abcdef 1.2.3.4:6443,
+kubeadm join --discovery-file path/to/file.conf, or kubeadm join
+--discovery-file https://url/file.conf. Only one form can be used. If
+the discovery information is loaded from a URL, HTTPS must be used.
+Also, in that case the host installed CA bundle is used to verify
+the connection.
+
+If you use a shared token for discovery, you should also pass the
+--discovery-token-ca-cert-hash flag to validate the public key of the
+root certificate authority (CA) presented by the Kubernetes Master. The
+value of this flag is specified as "<hash-type>:<hex-encoded-value>",
+where the supported hash type is "sha256". The hash is calculated over
+the bytes of the Subject Public Key Info (SPKI) object (as in RFC7469).
+This value is available in the output of "kubeadm init" or can be
+calcuated using standard tools. The --discovery-token-ca-cert-hash flag
+may be repeated multiple times to allow more than one public key.
+
+If you cannot know the CA public key hash ahead of time, you can pass
+the --discovery-token-unsafe-skip-ca-verification flag to disable this
+verification. This weakens the kubeadm security model since other nodes
+can potentially impersonate the Kubernetes Master.
+
+The TLS bootstrap mechanism is also driven via a shared token. This is
+used to temporarily authenticate with the Kubernetes Master to submit a
+certificate signing request (CSR) for a locally created key pair. By
+default, kubeadm will set up the Kubernetes Master to automatically
+approve these signing requests. This token is passed in with the
+--tls-bootstrap-token abcdef.1234567890abcdef flag.
+
+Often times the same token is used for both parts. In this case, the
+--token flag can be used instead of specifying each token individually.
+
+
+```
+kubeadm join [flags]
+```
+
+### Options
+
+```
+      --config string                                 Path to kubeadm config file.
+      --cri-socket string                             Specify the CRI socket to connect to. (default "/var/run/dockershim.sock")
+      --discovery-file string                         A file or url from which to load cluster information.
+      --discovery-token string                        A token used to validate cluster information fetched from the master.
+      --discovery-token-ca-cert-hash stringSlice      For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
+      --discovery-token-unsafe-skip-ca-verification   For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
+      --feature-gates string                          A set of key=value pairs that describe feature gates for various features. Options are:
+CoreDNS=true|false (ALPHA - default=false)
+DynamicKubeletConfig=true|false (ALPHA - default=false)
+HighAvailability=true|false (ALPHA - default=false)
+SelfHosting=true|false (BETA - default=false)
+StoreCertsInSecrets=true|false (ALPHA - default=false)
+SupportIPVSProxyMode=true|false (ALPHA - default=false)
+      --ignore-checks-errors stringSlice              A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
+      --node-name string                              Specify the node name.
+      --tls-bootstrap-token string                    A token used for TLS bootstrapping.
+      --token string                                  Use this token for both discovery-token and tls-bootstrap-token.
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
new file mode 100644
index 0000000000000..260d210fd87c9
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
@@ -0,0 +1,20 @@
+
+Run this to revert any changes made to this host by 'kubeadm init' or 'kubeadm join'.
+
+### Synopsis
+
+
+Run this to revert any changes made to this host by 'kubeadm init' or 'kubeadm join'.
+
+```
+kubeadm reset
+```
+
+### Options
+
+```
+      --cert-dir string                    The path to the directory where the certificates are stored. If specified, clean this directory. (default "/etc/kubernetes/pki")
+      --cri-socket string                  The path to the CRI socket to use with crictl when cleaning up containers. (default "/var/run/dockershim.sock")
+      --ignore-checks-errors stringSlice   A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
new file mode 100644
index 0000000000000..47bcfafbf6759
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
@@ -0,0 +1,36 @@
+
+Manage bootstrap tokens.
+
+### Synopsis
+
+
+
+This command manages bootstrap tokens. It is optional and needed only for advanced use cases.
+
+In short, bootstrap tokens are used for establishing bidirectional trust between a client and a server.
+A bootstrap token can be used when a client (for example a node that is about to join the cluster) needs
+to trust the server it is talking to. Then a bootstrap token with the "signing" usage can be used.
+bootstrap tokens can also function as a way to allow short-lived authentication to the API Server
+(the token serves as a way for the API Server to trust the client), for example for doing the TLS Bootstrap.
+
+What is a bootstrap token more exactly?
+ - It is a Secret in the kube-system namespace of type "bootstrap.kubernetes.io/token".
+ - A bootstrap token must be of the form "[a-z0-9]{6}.[a-z0-9]{16}". The former part is the public token ID,
+   while the latter is the Token Secret and it must be kept private at all circumstances!
+ - The name of the Secret must be named "bootstrap-token-(token-id)".
+
+You can read more about bootstrap tokens here:
+  https://kubernetes.io/docs/admin/bootstrap-tokens/
+
+
+```
+kubeadm token
+```
+
+### Options
+
+```
+      --dry-run             Whether to enable dry-run mode or not
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
new file mode 100644
index 0000000000000..5198ef5251727
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
@@ -0,0 +1,36 @@
+
+Create bootstrap tokens on the server.
+
+### Synopsis
+
+
+
+This command will create a bootstrap token for you.
+You can specify the usages for this token, the "time to live" and an optional human friendly description.
+
+The [token] is the actual token to write.
+This should be a securely generated random token of the form "[a-z0-9]{6}.[a-z0-9]{16}".
+If no [token] is given, kubeadm will generate a random token instead.
+
+
+```
+kubeadm token create [token]
+```
+
+### Options
+
+```
+      --description string   A human friendly description of how this token is used.
+      --groups stringSlice   Extra groups that this token will authenticate as when used for authentication. Must match "system:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]". (default [system:bootstrappers:kubeadm:default-node-token])
+      --print-join-command   Instead of printing only the token, print the full 'kubeadm join' flag needed to join the cluster using the token.
+      --ttl duration         The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire. (default 24h0m0s)
+      --usages stringSlice   Describes the ways in which this token can be used. You can pass --usages multiple times or provide a comma separated list of options. Valid options: [signing,authentication]. (default [signing,authentication])
+```
+
+### Options inherited from parent commands
+
+```
+      --dry-run             Whether to enable dry-run mode or not
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
new file mode 100644
index 0000000000000..ce8e80f6a7c20
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
@@ -0,0 +1,24 @@
+
+Delete bootstrap tokens on the server.
+
+### Synopsis
+
+
+
+This command will delete a given bootstrap token for you.
+
+The [token-value] is the full Token of the form "[a-z0-9]{6}.[a-z0-9]{16}" or the
+Token ID of the form "[a-z0-9]{6}" to delete.
+
+
+```
+kubeadm token delete [token-value]
+```
+
+### Options inherited from parent commands
+
+```
+      --dry-run             Whether to enable dry-run mode or not
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md
new file mode 100644
index 0000000000000..2782c8dcf3ba3
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md
@@ -0,0 +1,29 @@
+
+Generate and print a bootstrap token, but do not create it on the server.
+
+### Synopsis
+
+
+
+This command will print out a randomly-generated bootstrap token that can be used with
+the "init" and "join" commands.
+
+You don't have to use this command in order to generate a token. You can do so
+yourself as long as it is in the format "[a-z0-9]{6}.[a-z0-9]{16}". This
+command is provided for convenience to generate tokens in the given format.
+
+You can also use "kubeadm init" without specifying a token and it will
+generate and print one for you.
+
+
+```
+kubeadm token generate
+```
+
+### Options inherited from parent commands
+
+```
+      --dry-run             Whether to enable dry-run mode or not
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md
new file mode 100644
index 0000000000000..978ad448ca927
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md
@@ -0,0 +1,21 @@
+
+List bootstrap tokens on the server.
+
+### Synopsis
+
+
+
+This command will list all bootstrap tokens for you.
+
+
+```
+kubeadm token list
+```
+
+### Options inherited from parent commands
+
+```
+      --dry-run             Whether to enable dry-run mode or not
+      --kubeconfig string   The KubeConfig file to use when talking to the cluster (default "/etc/kubernetes/admin.conf")
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade.md
new file mode 100644
index 0000000000000..a5d4b046d0ad8
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade.md
@@ -0,0 +1,30 @@
+
+Upgrade your cluster smoothly to a newer version with this command.
+
+### Synopsis
+
+
+Upgrade your cluster smoothly to a newer version with this command.
+
+```
+kubeadm upgrade
+```
+
+### Options
+
+```
+      --allow-experimental-upgrades        Show unstable versions of Kubernetes as an upgrade alternative and allow upgrading to an alpha/beta/release candidate versions of Kubernetes.
+      --allow-release-candidate-upgrades   Show release candidate versions of Kubernetes as an upgrade alternative and allow upgrading to a release candidate versions of Kubernetes.
+      --config string                      Path to kubeadm config file. WARNING: Usage of a configuration file is experimental!
+      --feature-gates string               A set of key=value pairs that describe feature gates for various features.Options are:
+CoreDNS=true|false (ALPHA - default=false)
+DynamicKubeletConfig=true|false (ALPHA - default=false)
+HighAvailability=true|false (ALPHA - default=false)
+SelfHosting=true|false (BETA - default=false)
+StoreCertsInSecrets=true|false (ALPHA - default=false)
+SupportIPVSProxyMode=true|false (ALPHA - default=false)
+      --ignore-checks-errors stringSlice   A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
+      --kubeconfig string                  The KubeConfig file to use when talking to the cluster. (default "/etc/kubernetes/admin.conf")
+      --print-config                       Specifies whether the configuration file that will be used in the upgrade should be printed or not.
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md
new file mode 100644
index 0000000000000..cf5b0ef5fd646
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md
@@ -0,0 +1,40 @@
+
+Upgrade your Kubernetes cluster to the specified version.
+
+### Synopsis
+
+
+Upgrade your Kubernetes cluster to the specified version.
+
+```
+kubeadm upgrade apply [version]
+```
+
+### Options
+
+```
+      --dry-run                       Do not change any state, just output what actions would be performed.
+      --etcd-upgrade                  Perform the upgrade of etcd.
+  -f, --force                         Force upgrading although some requirements might not be met. This also implies non-interactive mode.
+      --image-pull-timeout duration   The maximum amount of time to wait for the control plane pods to be downloaded. (default 15m0s)
+  -y, --yes                           Perform the upgrade and do not prompt for confirmation (non-interactive mode).
+```
+
+### Options inherited from parent commands
+
+```
+      --allow-experimental-upgrades        Show unstable versions of Kubernetes as an upgrade alternative and allow upgrading to an alpha/beta/release candidate versions of Kubernetes.
+      --allow-release-candidate-upgrades   Show release candidate versions of Kubernetes as an upgrade alternative and allow upgrading to a release candidate versions of Kubernetes.
+      --config string                      Path to kubeadm config file. WARNING: Usage of a configuration file is experimental!
+      --feature-gates string               A set of key=value pairs that describe feature gates for various features.Options are:
+CoreDNS=true|false (ALPHA - default=false)
+DynamicKubeletConfig=true|false (ALPHA - default=false)
+HighAvailability=true|false (ALPHA - default=false)
+SelfHosting=true|false (BETA - default=false)
+StoreCertsInSecrets=true|false (ALPHA - default=false)
+SupportIPVSProxyMode=true|false (ALPHA - default=false)
+      --ignore-checks-errors stringSlice   A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
+      --kubeconfig string                  The KubeConfig file to use when talking to the cluster. (default "/etc/kubernetes/admin.conf")
+      --print-config                       Specifies whether the configuration file that will be used in the upgrade should be printed or not.
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
new file mode 100644
index 0000000000000..85241cab41644
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
@@ -0,0 +1,30 @@
+
+Check which versions are available to upgrade to and validate whether your current cluster is upgradeable.
+
+### Synopsis
+
+
+Check which versions are available to upgrade to and validate whether your current cluster is upgradeable.
+
+```
+kubeadm upgrade plan
+```
+
+### Options inherited from parent commands
+
+```
+      --allow-experimental-upgrades        Show unstable versions of Kubernetes as an upgrade alternative and allow upgrading to an alpha/beta/release candidate versions of Kubernetes.
+      --allow-release-candidate-upgrades   Show release candidate versions of Kubernetes as an upgrade alternative and allow upgrading to a release candidate versions of Kubernetes.
+      --config string                      Path to kubeadm config file. WARNING: Usage of a configuration file is experimental!
+      --feature-gates string               A set of key=value pairs that describe feature gates for various features.Options are:
+CoreDNS=true|false (ALPHA - default=false)
+DynamicKubeletConfig=true|false (ALPHA - default=false)
+HighAvailability=true|false (ALPHA - default=false)
+SelfHosting=true|false (BETA - default=false)
+StoreCertsInSecrets=true|false (ALPHA - default=false)
+SupportIPVSProxyMode=true|false (ALPHA - default=false)
+      --ignore-checks-errors stringSlice   A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
+      --kubeconfig string                  The KubeConfig file to use when talking to the cluster. (default "/etc/kubernetes/admin.conf")
+      --print-config                       Specifies whether the configuration file that will be used in the upgrade should be printed or not.
+```
+
diff --git a/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md b/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md
new file mode 100644
index 0000000000000..fc46f021c0b19
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md
@@ -0,0 +1,18 @@
+
+Print the version of kubeadm
+
+### Synopsis
+
+
+Print the version of kubeadm
+
+```
+kubeadm version
+```
+
+### Options
+
+```
+  -o, --output string   Output format; available options are 'yaml', 'json' and 'short'
+```
+
diff --git a/skip_title_check.txt b/skip_title_check.txt
index da138f8790766..d7b56acdda3f6 100644
--- a/skip_title_check.txt
+++ b/skip_title_check.txt
@@ -7,3 +7,65 @@ docs/user-guide/pods/_viewing-a-pod.md
 docs/user-guide/simple-yaml.md
 docs/user-guide/update-demo/images/kitten/README.md
 docs/user-guide/update-demo/images/nautilus/README.md
+docs/reference/setup-tools/kubeadm/generated/README.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_all.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-dns.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-proxy.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_all.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_cluster-info.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_create.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-auto-approve.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-post-csrs.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_all.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_ca.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-ca.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-client.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_sa.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_all.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_apiserver.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_controller-manager.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_scheduler.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd_local.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_admin.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_all.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_controller-manager.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_kubelet.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_scheduler.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_user.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_mark-master.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_master.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_node.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting_convert-from-staticpods.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_upload-config.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-file.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-flags.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_config_view.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md
\ No newline at end of file
diff --git a/skip_toc_check.txt b/skip_toc_check.txt
index a0b6ed8bb0f0a..6ed6f639e48ea 100644
--- a/skip_toc_check.txt
+++ b/skip_toc_check.txt
@@ -1,6 +1,6 @@
 # Put files you want to skip table of contents entry check here:
-docs/admin/kubelet-authentication-authorization.md
-docs/admin/kubelet-tls-bootstrapping.md
+docs/reference/setup-tools/kubeadm/generated/kubelet-authentication-authorization.md
+docs/reference/setup-tools/kubeadm/generated/kubelet-tls-bootstrapping.md
 docs/api-reference/labels-annotations-taints.md
 docs/concepts/example-concept-template.md
 docs/contribute/README.md
@@ -19,3 +19,65 @@ docs/user-guide/update-demo/images/kitten/README.md
 docs/user-guide/update-demo/images/nautilus/README.md
 docs/user-guide/walkthrough/index.md
 docs/user-guide/walkthrough/k8s201.md
+docs/reference/setup-tools/kubeadm/generated/README.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_all.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-dns.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_addon_kube-proxy.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_all.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_cluster-info.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_create.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-auto-approve.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_bootstrap-token_node_allow-post-csrs.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_all.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_apiserver.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_ca.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-ca.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_front-proxy-client.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_certs_sa.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_all.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_apiserver.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_controller-manager.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_controlplane_scheduler.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_etcd_local.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_admin.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_all.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_controller-manager.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_kubelet.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_scheduler.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_kubeconfig_user.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_mark-master.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_master.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_preflight_node.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_selfhosting_convert-from-staticpods.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_phase_upload-config.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_completion.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_config.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-file.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_config_upload_from-flags.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_config_view.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_join.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_reset.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_token.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_token_create.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_token_delete.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_token_generate.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_token_list.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_apply.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_upgrade_plan.md
+docs/reference/setup-tools/kubeadm/generated/kubeadm_version.md

From 6b76bdbbfa24c7feb5184d4218393d55abf2b0ec Mon Sep 17 00:00:00 2001
From: fabriziopandini <fabrizio.pandini@gmail.com>
Date: Fri, 24 Nov 2017 14:41:23 +0100
Subject: [PATCH 2/2] user-mantained kubeadm reference doc

---
 _data/reference.yml                           |   12 +-
 docs/reference/generated/kubeadm.md           | 1040 -----------------
 .../setup-tools/kubeadm/kubeadm-alpha.md      |  261 +++++
 .../setup-tools/kubeadm/kubeadm-config.md     |   31 +
 .../setup-tools/kubeadm/kubeadm-init.md       |  417 +++++++
 .../setup-tools/kubeadm/kubeadm-join.md       |  227 ++++
 .../setup-tools/kubeadm/kubeadm-reset.md      |   31 +
 .../setup-tools/kubeadm/kubeadm-token.md      |   34 +
 .../setup-tools/kubeadm/kubeadm-upgrade.md    |   24 +
 .../setup-tools/kubeadm/kubeadm-version.md    |   15 +
 docs/reference/setup-tools/kubeadm/kubeadm.md |   21 +
 11 files changed, 1072 insertions(+), 1041 deletions(-)
 delete mode 100644 docs/reference/generated/kubeadm.md
 create mode 100755 docs/reference/setup-tools/kubeadm/kubeadm-alpha.md
 create mode 100644 docs/reference/setup-tools/kubeadm/kubeadm-config.md
 create mode 100755 docs/reference/setup-tools/kubeadm/kubeadm-init.md
 create mode 100755 docs/reference/setup-tools/kubeadm/kubeadm-join.md
 create mode 100644 docs/reference/setup-tools/kubeadm/kubeadm-reset.md
 create mode 100644 docs/reference/setup-tools/kubeadm/kubeadm-token.md
 create mode 100755 docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md
 create mode 100644 docs/reference/setup-tools/kubeadm/kubeadm-version.md
 create mode 100644 docs/reference/setup-tools/kubeadm/kubeadm.md

diff --git a/_data/reference.yml b/_data/reference.yml
index 5c9ba3d2c1d65..318061ac2289d 100644
--- a/_data/reference.yml
+++ b/_data/reference.yml
@@ -70,7 +70,17 @@ toc:
 
 - title: Setup Tools
   section:
-  - docs/reference/generated/kubeadm.md
+  - title: Kubeadm
+    section:
+    - docs/reference/setup-tools/kubeadm/kubeadm.md
+    - docs/reference/setup-tools/kubeadm/kubeadm-init.md
+    - docs/reference/setup-tools/kubeadm/kubeadm-join.md
+    - docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md
+    - docs/reference/setup-tools/kubeadm/kubeadm-config.md
+    - docs/reference/setup-tools/kubeadm/kubeadm-reset.md
+    - docs/reference/setup-tools/kubeadm/kubeadm-token.md
+    - docs/reference/setup-tools/kubeadm/kubeadm-version.md
+    - docs/reference/setup-tools/kubeadm/kubeadm-alpha.md
   - title: Kubefed
     section:
     - docs/reference/generated/kubefed.md
diff --git a/docs/reference/generated/kubeadm.md b/docs/reference/generated/kubeadm.md
deleted file mode 100644
index 525df75f5b15d..0000000000000
--- a/docs/reference/generated/kubeadm.md
+++ /dev/null
@@ -1,1040 +0,0 @@
----
-approvers:
-- mikedanese
-- luxas
-- errordeveloper
-- jbeda
-title: Kubeadm
-notitle: true
----
-# kubeadm Setup Tool Reference Guide
-
-This document provides information on how to use kubeadm's advanced options.
-
-* TOC
-{:toc}
-
-Running `kubeadm init` bootstraps a Kubernetes master node. This consists of the
-following steps:
-
-1. kubeadm runs a series of pre-flight checks to validate the system state
-   before making changes. Some checks only trigger warnings, others are
-   considered errors and will exit kubeadm until the problem is corrected or the
-   user specifies `--skip-preflight-checks`.
-
-1. kubeadm generates a token that additional nodes can use to register
-   themselves with the master in future.  Optionally, the user can provide a
-   token via `--token`, as described in the
-   [section on managing tokens](#manage-tokens) below.
-
-1. kubeadm generates a self-signed CA to provision identities for each component
-   (including nodes) in the cluster.  It also generates client certificates to
-   be used by various components.  If the user has provided their own CA by
-   dropping it in the cert directory configured via `--cert-dir`
-   (`/etc/kubernetes/pki` by default) this step is skipped as described in the
-   [section on using custom certificates](#custom-certificates).
-
-1. kubeadm writes kubeconfig files in `/etc/kubernetes/`  for
-   the kubelet, the controller-manager and the scheduler to use to connect to the
-   API server, each one with their respective identities, as well as an additional
-   kubeconfig file for administration.
-
-1. kubeadm generates static Pod manifests for the API server,
-   controller manager and scheduler; in case an external etcd is not provided,
-   an additional static Pod manifest will be generated for etcd.
-
-   Static Pod manifests are written in `/etc/kubernetes/manifests`; the kubelet
-   watches this directory for Pods to create on startup, as described in
-   the [section about kubelet drop-in](#kubelet-drop-in).
-
-   Once control plane Pods are up and running kubeadm init sequence can continue.
-
-1. kubeadm "labels" and "taints" the master node so that only control plane
-   components will run there.
-
-1. kubeadm makes all the necessary configurations for allowing node joining with the
-   [Bootstrap Tokens](https://kubernetes.io/docs/admin/bootstrap-tokens/) and
-   [TLS Bootstrap](https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/)
-   mechanism:
-
-   - Write a ConfigMap for making available all the information required
-     for joining and set up related RBAC access rules.
-
-   - Ensure access to the CSR signing API for bootstrap tokens.
-
-   - Configure auto approval for new CSR requests.
-
-   See [Securing your installation](#securing-more) for hardening.
-
-1. kubeadm installs add-on components via the API server.  Right now this is
-   the internal DNS server and the kube-proxy DaemonSet.
-
-1. If `kubeadm init` is invoked with the alpha self-hosting feature enabled,
-   (`--feature-gates=SelfHosting=true`), the static Pod based control plane will
-   be transformed into a [self-hosted control plane](#self-hosting).
-
-Running `kubeadm join` on each node in the cluster consists of the following
-steps:
-
-1. kubeadm downloads necessary cluster information from the API server.
-   By default, it uses the bootstrap token and the CA key hash to verify the
-   authenticity of that data. The root CA can also be discovered directly via a
-   file or URL.
-
-1. Once the cluster information are known, kubelet can start the TLS bootstrapping
-   process (in v.1.7 this step was managed by kubeadm).
-
-   The TLS bootstrap uses the shared token to temporarily authenticate
-   with the Kubernetes Master to submit a certificate signing request (CSR); by
-   default the control plane will sign this CSR request automatically.
-
-1. Finally, kubeadm will configure the local kubelet to connect to the API
-   server with the definitive identity assigned to the node.
-
-## Usage
-
-Fields that support multiple values do so either with comma separation, or by
-specifying the flag multiple times.
-
-The kubeadm command line interface is currently in **beta**.  We are aiming to
-not break any scripted use of the main `kubeadm init` and `kubeadm join`.
-Exceptions to this are documented below.
-
-### `kubeadm init`
-
-It is usually sufficient to run `kubeadm init` without any flags, but in some
-cases you might like to override the default behaviour. Here we specify all the
-flags that can be used to customise the Kubernetes installation.
-
-**Options for `kubeadm init`:**
-
-- `--apiserver-advertise-address`
-
-  This is the address the API Server will advertise to other members of the
-  cluster.  This is also the address used to construct the suggested `kubeadm
-  join` line at the end of the init process.  If not set (or set to 0.0.0.0) then
-  IP for the default interface will be used.
-
-  This address is also added to the certificate that the API Server uses.
-
-- `--apiserver-bind-port`
-
-  The port that the API server will bind on.  This defaults to 6443.
-
-- `--apiserver-cert-extra-sans`
-
-  Additional hostnames or IP addresses that should be added to the Subject
-  Alternate Name section for the certificate that the API Server will use.  If you
-  expose the API Server through a load balancer and public DNS you could specify
-  this with
-
-  ```
-  --apiserver-cert-extra-sans=kubernetes.example.com,kube.example.com,10.100.245.1
-  ```
-
-- `--cert-dir`
-
-  The path where to save and store the certificates.  The default is
-  "/etc/kubernetes/pki".
-
-- `--config`
-
-  A kubeadm specific [config file](#config-file).  This can be used to specify an
-  extended set of options including passing arbitrary command line flags to the
-  control plane components.
-
-  **Note**: Since 1.8, other flags are not allowed alongside `--config` except
-  for flags used to define kubeadm behaviour (not configuration) such as
-  `--skip-preflight-checks`.
-
-- `--dry-run`
-
-   This flag tells kubeadm to don't apply any changes; just output what would be done.
-
-- `--feature-gates`
-
-  A set of key=value pairs that describe feature gates for alpha/experimental
-  features. Options are:
-
-    - SelfHosting=true\|false (ALPHA - default=false)
-
-    - StoreCertsInSecrets=true\|false (ALPHA - default=false)
-
-  See [self-hosted control plane](#self-hosting) for more detail.
-
-- `--kubernetes-version` (default 'latest') the kubernetes version to initialise
-
-  The **v1.6** version of kubeadm only supports building clusters that are at
-  least **v1.6.0**.  There are many reasons for this including kubeadm's use of
-  RBAC, the Bootstrap Token system, and enhancements to the Certificates API. With
-  this flag you can try any future version of Kubernetes.  Check [releases
-  page](https://github.com/kubernetes/kubernetes/releases) for a full list of
-  available versions.
-
-- `--node-name`
-
-  Allow to specify the node name, if something different than O.S. hostname should be used e.g. in case of Amazon EC2 instances.
-
-  The node-name is also added to the certificate that the API Server uses.
-
-- `--pod-network-cidr`
-
-  For certain networking solutions the Kubernetes master can also play a role in
-  allocating network ranges (CIDRs) to each node. This includes many cloud
-  providers and flannel. You can specify a subnet range that will be broken down
-  and handed out to each node with the `--pod-network-cidr` flag. This should be a
-  minimum of a /16 so controller-manager is able to assign /24 subnets to each
-  node in the cluster. If you are using flannel with [this
-  manifest](https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel.yml)
-  you should use `--pod-network-cidr=10.244.0.0/16`. Most CNI based networking
-  solutions do not require this flag.
-
-- `--service-cidr` (default '10.96.0.0/12')
-
-  You can use the `--service-cidr` flag to override the subnet Kubernetes uses to
-  assign services IP addresses. If you do, you will also need to update the
-  `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` file to reflect this
-  change else DNS will not function correctly.
-
-- `--service-dns-domain` (default 'cluster.local')
-
-  By default, `kubeadm init` deploys a cluster that assigns services with DNS
-  names `<service_name>.<namespace>.svc.cluster.local`. You can use the
-  `--service-dns-domain` to change the DNS name suffix. Again, you will need to
-  update the `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` file
-  accordingly else DNS will not function correctly.
-
-  **Note**: This flag has an effect (it's needed for the kube-dns Deployment
-  manifest and the API Server's serving certificate) but not as you might expect,
-  since you will have to modify the arguments to the kubelets in the cluster for
-  it to work fully. Specifying DNS parameters using this flag only is not enough.
-  Rewriting the kubelet's CLI arguments is out of scope for kubeadm as it should
-  be agnostic to how you run the kubelet. However, making all kubelets in the
-  cluster pick up information dynamically via the API _is_ in scope and is a
-  [planned feature](https://github.com/kubernetes/kubeadm/issues/28) for upcoming
-  releases.
-
-- `--skip-preflight-checks`
-
-  By default, kubeadm runs a series of preflight checks to validate the system
-  before making any changes. Advanced users can use this flag to bypass these if
-  necessary.
-
-- `--skip-token-print`
-
-  By default, kubeadm prints the token at the end of the init procedure. Advanced
-  users can use this flag to bypass these if necessary.
-
-- `--token`
-
-  By default, `kubeadm init` automatically generates the token used to initialise
-  each new node. If you would like to manually specify this token, you can use the
-  `--token` flag. The token must be of the format `[a-z0-9]{6}\.[a-z0-9]{16}`.  A
-  compatible random token can be generated `kubeadm token generate`.  Tokens can
-  be managed through the API after the cluster is created.  See the [section on
-  managing tokens](#manage-tokens) below.
-
-- `--token-ttl`
-
-  This sets an expiration time for the token.  This is specified as a duration
-  from the current time.  After this time the token will no longer be valid and
-  will be removed. A value of 0 specifies that the token never expires.  The
-  default is 24 hours.  See the [section on managing tokens](#manage-tokens) below.
-
-### `kubeadm join`
-
-When joining a kubeadm initialized cluster, we need to establish bidirectional
-trust. This is split into discovery (having the Node trust the Kubernetes
-master) and TLS bootstrap (having the Kubernetes master trust the Node).
-
-There are two main schemes for discovery:
-
- - **Using a shared token** along with the IP address of the API server and a
-   hash of the root CA key:
-
-   `kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef 1.2.3.4:6443`
-
- - **Using a file** (a subset of the standard kubeconfig file). This file can
-   be a local file or downloaded via an HTTPS URL:
-
-   `kubeadm join --discovery-file path/to/file.conf`
-
-   `kubeadm join --discovery-file https://url/file.conf`
-
-Only one form can be used. If the discovery information is loaded from a URL,
-HTTPS must be used and the host installed CA bundle is used to verify the
-connection. For details on the security tradeoffs of these mechanisms, see the
-[security model](#security-model) section below.
-
-The TLS bootstrap mechanism is also driven via a shared token. This is used to
-temporarily authenticate with the Kubernetes master to submit a certificate
-signing request (CSR) for a locally created key pair. By default kubeadm will
-set up the Kubernetes master to automatically approve these signing requests.
-This token is passed in with the `--tls-bootstrap-token abcdef.1234567890abcdef`
-flag.
-
-Often times the same token is used for both parts. In this case, the `--token` flag
-can be used instead of specifying the each token individually.
-
-Here's an example on how to use it:
-
-`kubeadm join --token=abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef 192.168.1.1:6443`
-
-**Options for `kubeadm join`:**
-
-- `--config`
-
-  Extended options are specified in the [kubeadm specific config file](#config-file).
-
-- `--discovery-file`
-
-  A local file path or HTTPS URL.  The file specified must be a kubeconfig file
-  with nothing but an unnamed cluster entry.  This is used to find both the
-  location of the API server to join along with a root CA bundle to use when
-  talking to that server.
-
-  This might look something like this:
-
-  ``` yaml
-  apiVersion: v1
-  clusters:
-  - cluster:
-      certificate-authority-data: <really long certificate data>
-      server: https://10.138.0.2:6443
-    name: ""
-  contexts: []
-  current-context: ""
-  kind: Config
-  preferences: {}
-  users: []
-  ```
-
-- `--discovery-token`
-
-  The discovery token is used along with the address of the API server (as an
-  unnamed argument) to download and verify information about the cluster.  The
-  most critical part of the cluster information is the root CA bundle used to
-  verify the identity of the server during subsequent TLS connections.
-
-- `--discovery-token-ca-cert-hash`
-
-  The CA key hash is used to verify the full root CA certificate discovered during
-  token-based bootstrapping. It has the format `sha256:<hex_encoded_hash>`. By
-  default, the hash value is returned in the `kubeadm join` command printed at the
-  end of `kubeadm init` or in the output of `kubeadm token create --print-join-command`.
-  It is in a standard format (see [RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4))
-  and can also be calculated by 3rd party tools or provisioning systems. For
-  example, using the OpenSSL CLI:
-  `openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'`
-
-  _Skipping this flag is allowed in Kubernetes 1.8, but makes certain spoofing
-  attacks possible._ See the [security model](#security-model) for details.
-  Pass `--discovery-token-unsafe-skip-ca-verification` to silence warnings (which
-  will become errors in Kubernetes 1.9).
-
-- `--discovery-token-unsafe-skip-ca-verification`
-
-  Disable the warning/error that occurs when `--discovery-token-ca-cert-hash` is
-  not provided. Passing this flag is an acknowledgement of the
-  [security tradeoffs](#security-model) involved in skipping this verification
-  (which may or may not be appropriate in your environment).
-
-- `--node-name`
-
-  Specify the Node name. The default is to use the OS hostname. This is useful
-  on some cloud providers such as AWS. This name is also added to the node's
-  TLS certificate.
-
-- `--tls-bootstrap-token`
-
-  The token used to authenticate to the API server for the purposes of TLS
-  bootstrapping.
-
-- `--token=<token>`
-
-  Often times the same token is used for both `--discovery-token` and
-  `--tls-bootstrap-token`.  This option specifies the same token for both.  Other
-  flags override this flag if present.
-
-- `--skip-preflight-checks`
-
-  By default, kubeadm runs a series of preflight checks to validate the system
-  before making any changes. Advanced users can use this flag to bypass these if
-  necessary.
-
-### `kubeadm completion`
-
-Output shell completion code for the specified shell (bash or zsh).
-
-### `kubeadm config`
-
-Kubeadm v1.8.0+ automatically creates a ConfigMap with all the parameters
-used during `kubeadm init`.
-
-If you initialized your cluster using kubeadm v1.7.x or lower, you must use
-the `kubeadm config upload` command to create this ConfigMap in order
-for `kubeadm upgrade` to be able to configure your upgraded cluster correctly.
-
-### `kubeadm reset`
-
-Reverts any changes made to this host by `kubeadm init` or `kubeadm join`.
-
-### `kubeadm token`
-
-Manage tokens on a running cluster. See [managing tokens](#manage-tokens) below
-for further details.
-
-### `kubeadm alpha phases`
-
-**WARNING:** While kubeadm command line interface is in beta, commands under
-this entry is still considered alpha and may change in future versions.
-
-`kubeadm phase` introduces a set of kubeadm CLI commands allowing to invoke
-individually each phase of the kubeadm init sequence; phases provide a reusable
-and composable API/toolbox for building your own automated cluster installer.
-
-**Options for `kubeadm phases`:**
-
-Each kubeadm phase exposes a subset of relevant options from `kubeadm init`.
-
-## Using kubeadm with a configuration file {#config-file}
-
-**WARNING:** While kubeadm command line interface is in beta, the config file is
-still considered alpha and may change in future versions.
-
-It's possible to configure kubeadm with a configuration file instead of command
-line flags, and some more advanced features may only be available as
-configuration file options.  This file is passed in to the `--config` option on
-both `kubeadm init` and `kubeadm join`.
-
-### Sample Master Configuration
-
-```yaml
-apiVersion: kubeadm.k8s.io/v1alpha1
-kind: MasterConfiguration
-api:
-  advertiseAddress: <address|string>
-  bindPort: <int>
-etcd:
-  endpoints:
-  - <endpoint1|string>
-  - <endpoint2|string>
-  caFile: <path|string>
-  certFile: <path|string>
-  keyFile: <path|string>
-  dataDir: <path|string>
-  extraArgs:
-    <argument>: <value|string>
-    <argument>: <value|string>
-  image: <string>
-networking:
-  dnsDomain: <string>
-  serviceSubnet: <cidr>
-  podSubnet: <cidr>
-kubernetesVersion: <string>
-cloudProvider: <string>
-nodeName: <string>
-authorizationModes:
-- <authorizationMode1|string>
-- <authorizationMode2|string>
-token: <string>
-tokenTTL: <time duration>
-selfHosted: <bool>
-apiServerExtraArgs:
-  <argument>: <value|string>
-  <argument>: <value|string>
-controllerManagerExtraArgs:
-  <argument>: <value|string>
-  <argument>: <value|string>
-schedulerExtraArgs:
-  <argument>: <value|string>
-  <argument>: <value|string>
-apiServerCertSANs:
-- <name1|string>
-- <name2|string>
-certificatesDir: <string>
-imageRepository: <string>
-unifiedControlPlaneImage: <string>
-featureGates:
-  <feature>: <bool>
-  <feature>: <bool>
-```
-In addition, if authorizationMode is set to `ABAC`, you should write the config to `/etc/kubernetes/abac_policy.json`.
-However, if authorizationMode is set to `Webhook`, you should write the config to `/etc/kubernetes/webhook_authz.conf`.
-
-### Sample Node Configuration
-
-```yaml
-apiVersion: kubeadm.k8s.io/v1alpha1
-kind: NodeConfiguration
-caCertPath: <path|string>
-discoveryFile: <path|string>
-discoveryToken: <string>
-discoveryTokenAPIServers:
-- <address|string>
-- <address|string>
-nodeName: <string>
-tlsBootstrapToken: <string>
-token: <string>
-discoveryTokenCACertHashes:
-- <SHA-256 hash|string>
-- <SHA-256 hash|string>
-discoveryTokenUnsafeSkipCAVerification: <bool>
-```
-
-## Securing your installation even more {#securing-more}
-
-The defaults for kubeadm may not work for everyone. This section documents how to tighten up a kubeadm install
-at the cost of some usability.
-
-### Turning off auto-approval of Node Client Certificates
-
-By default, there is a CSR auto-approver enabled that basically approves any client certificate request
-for a kubelet when a Bootstrap Token was used when authenticating. If you don't want the cluster to
-automatically approve kubelet client certs, you can turn it off by executing this command:
-
-```console
-$ kubectl delete clusterrole kubeadm:node-autoapprove-bootstrap
-```
-
-After that, `kubeadm join` will block until the admin has manually approved the CSR in flight:
-
-```console
-$ kubectl get csr
-NAME                                                   AGE       REQUESTOR                 CONDITION
-node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ   18s       system:bootstrap:878f07   Pending
-
-$ kubectl certificate approve node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ
-certificatesigningrequest "node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ" approved
-
-$ kubectl get csr
-NAME                                                   AGE       REQUESTOR                 CONDITION
-node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ   1m        system:bootstrap:878f07   Approved,Issued
-```
-
-Only after `kubectl certificate approve` has been run, `kubeadm join` can proceed.
-
-### Turning off public access to the cluster-info ConfigMap
-
-In order to achieve the joining flow using the token as the only piece of validation information, a
-public ConfigMap with some data needed for validation of the master's identity is exposed publicly by
-default. While there is no private data in this ConfigMap, some users are sensitive and wish to turn
-it off regardless. Doing so will disable the ability to use the `--discovery-token` flag of the
-`kubeadm join` flow. Here are the steps to do so:
-
-Fetch the `cluster-info` file from the API Server:
-
-```console
-$ kubectl -n kube-public get cm cluster-info -o yaml | grep "kubeconfig:" -A11 | grep "apiVersion" -A10 | sed "s/    //" | tee cluster-info.yaml
-apiVersion: v1
-clusters:
-- cluster:
-    certificate-authority-data: <ca-cert>
-    server: https://<ip>:<port>
-  name: ""
-contexts: []
-current-context: ""
-kind: Config
-preferences: {}
-users: []
-```
-
-You can then use the `cluster-info.yaml` file as an argument to `kubeadm join --discovery-file`.
-
-Turning off public access to the `cluster-info` ConfigMap:
-
-```console
-$ kubectl -n kube-public delete rolebinding kubeadm:bootstrap-signer-clusterinfo
-```
-
-These commands should be run after `kubeadm init` but before `kubeadm join`.
-
-## Managing Tokens {#manage-tokens}
-
-You can use the `kubeadm` tool to manage tokens on a running cluster.  It will
-automatically grab the default admin credentials on a master from a `kubeadm`
-created cluster (`/etc/kubernetes/admin.conf`).  You can specify an alternate
-kubeconfig file for credentials with the `--kubeconfig` to the following
-commands.
-
-* `kubeadm token list` - List tokens (along with their expirations, usages, and groups).
-
-* `kubeadm token create` - Create a new token.
-
-    * `--description <description>`
-
-      Set the human-readable description for the new token.
-
-    * `--ttl <duration>`
-
-      Set the expiration time-to-live of the token relative to the current time.
-      Default is 24 hours. A value of 0 means "never expire". The default unit
-      of the duration is seconds but other units can be specified (e.g., `15m`, `1h`).
-
-    * `--usages <usage>[,<usage>...]`
-
-      Set the ways that the token can be used.  The default is
-      `signing,authentication`.  These are the usages as described above.
-
-    * `--groups <group>[,<group>...]`
-
-      Add extra bootstrap groups that the new token will authenticate as. Can be
-      specified multiple times. Each extra group must start with
-      `system:bootstrappers:`. This is an advanced feature meant for custom
-      bootstrap scenarios where you want to change how CSR approval works for
-      different groups of nodes.
-
-* `kubeadm token delete <token id>|<token id>.<token secret>` - Delete a token.
-
-  The token can either be identified with just an ID or with the
-  entire token value.  Only the ID is used; the token is still deleted if the
-  secret does not match.
-
-* `kubeadm token generate` - Generate a token locally.
-
-  Locally generate a token but do not create it on the server. This token is of
-  the correct form for specifying with the `--token` argument to `kubeadm init`.
-
-For the gory details on how the tokens are implemented (including managing them
-outside of kubeadm) see the [Bootstrap Token docs](/docs/admin/bootstrap-tokens/).
-
-## Automating kubeadm
-
-Rather than copying the token you obtained from `kubeadm init` to each node, as
-in the [basic kubeadm tutorial](/docs/admin/kubeadm/), you can parallelize the
-token distribution for easier automation. To implement this automation, you must
-know the IP address that the master will have after it is started.
-
-1.  Generate a token. This token must have the form  `<6 character string>.<16
-    character string>`.  More formally, it must match the regex:
-    `[a-z0-9]{6}\.[a-z0-9]{16}`.
-
-    kubeadm can generate a token for you:
-
-    ```bash
-    kubeadm token generate
-    ```
-
-1. Start both the master node and the worker nodes concurrently with this token.
-   As they come up they should find each other and form the cluster.  The same
-   `--token` argument can be used on both `kubeadm init` and `kubeadm join`.
-
-Once the cluster is up, you can grab the admin credentials from the master node
-at `/etc/kubernetes/admin.conf` and use that to talk to the cluster.
-
-Note that this style of bootstrap has some relaxed security guarantees because
-it does not allow the root CA hash to be validated with
-`--discovery-token-ca-cert-hash` (since it's not generated when the nodes are
-provisioned). For details, see the [security model](#security-model).
-
-## Security model
-The kubeadm discovery system has several options, each with security tradeoffs.
-The right method for your environment depends on how you provision nodes and the
-security expectations you have about your network and node lifecycles.
-
-### Token-based discovery with CA pinning
-_This is the default mode in Kubernetes 1.8._ In this mode, kubeadm downloads
-the cluster configuration (including root CA) and validates it using the token
-as well as validating that the root CA public key matches the provided hash and
-that the API server certificate is valid under the root CA.
-
-**Example `kubeadm join` command:**
-
- - `kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef 1.2.3.4:6443`
-
-**Advantages:**
-
- - Allows bootstrapping nodes to securely discover a root of trust for the
-   master even if other worker nodes or the network are compromised.
-
- - Convenient to execute manually since all of the information required fits
-   into a single `kubeadm join` command that is easy to copy and paste.
-
-**Disadvantages:**
-
- - The CA hash is not normally known until the master has been provisioned,
-   which can make it more difficult to build automated provisioning tools that
-   use kubeadm.
-
-### Token-based discovery without CA pinning
-_This was the default in Kubernetes 1.7 and earlier_, but comes with some
-important caveats. This mode relies only on the symmetric token to sign
-(HMAC-SHA256) the discovery information that establishes the root of trust for
-the master. It's still possible in Kubernetes 1.8 and above using the
-`--discovery-token-unsafe-skip-ca-verification` flag, but you should consider
-using one of the other modes if possible.
-
-**Example `kubeadm join` command:**
-
- - `kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-unsafe-skip-ca-verification 1.2.3.4:6443`
-
-**Advantages:**
-
- - Still protects against many network-level attacks.
-
- - The token can be generated ahead of time and shared with the master and
-   worker nodes, which can then bootstrap in parallel without coordination. This
-   allows it to be used in many provisioning scenarios.
-
-**Disadvantages:**
-
- - If an attacker is able to steal a bootstrap token via some vulnerability,
-   they can use that token (along with network-level access) to impersonate the
-   master to other bootstrapping nodes. This may or may not be an appropriate
-   tradeoff in your environment.
-
-### File or HTTPS-based discovery
-This provides an out-of-band way to establish a root of trust between the master
-and bootstrapping nodes.   Consider using this mode if you are building automated provisioning
-using kubeadm.
-
-**Example `kubeadm join` commands:**
-
- - `kubeadm join --discovery-file path/to/file.conf` (local file)
-
- - `kubeadm join --discovery-file https://url/file.conf` (remote HTTPS URL)
-
-**Advantages:**
-
- - Allows bootstrapping nodes to securely discover a root of trust for the
-   master even if other worker nodes or the network are compromised.
-
-**Disadvantages:**
-
- - Requires that you have some way to carry the discovery information from
-   the master to the bootstrapping nodes. This might be possible, for example,
-   via your cloud provider or provisioning tool. The information in this file is
-   not secret, but HTTPS or equivalent is required to ensure its integrity.
-
- - Less convenient to use manually since the file is difficult to copy and paste
-   between nodes.
-
-## Use kubeadm with other CRI runtimes
-
-Since [Kubernetes 1.6 release](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG.md#node-components-1),
-Kubernetes container runtimes have been transferred to using CRI by default.
-Currently, the built-in container runtime is Docker which is enabled by built-in
-`dockershim` in `kubelet`.
-
-Using other CRI based runtimes with kubeadm is very simple, and currently
-supported runtimes are:
-
-- [cri-o](https://github.com/kubernetes-incubator/cri-o)
-- [frakti](https://github.com/kubernetes/frakti)
-- [rkt](https://github.com/kubernetes-incubator/rktlet)
-
-After you have successfully installed `kubeadm` and `kubelet`, please follow
-these two steps:
-
-1. Install runtime shim on every node. You will need to follow the installation
-   document in the runtime shim project listing above.
-
-1. Configure kubelet to use remote CRI runtime. Please remember to change
-   `RUNTIME_ENDPOINT` to your own value like `/var/run/{your_runtime}.sock`:
-
-```shell
-$ cat > /etc/systemd/system/kubelet.service.d/20-cri.conf <<EOF
-Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --container-runtime-endpoint=$RUNTIME_ENDPOINT --feature-gates=AllAlpha=true"
-EOF
-$ systemctl daemon-reload
-```
-
-Now `kubelet` is ready to use the specified CRI runtime, and you can continue
-with `kubeadm init` and `kubeadm join` workflow to deploy Kubernetes cluster.
-
-## Using custom images {#custom-images}
-
-By default, kubeadm will pull images from `gcr.io/google_containers`, unless
-requested kubernetes version is a ci version; in this case
-`gcr.io/kubernetes-ci-image` will be used.
-
-This behaviour can be overridden by [using kubeadm with a configuration file](#config-file).
-Allowed customization are:
-
-- provide an alternative `imageRepository` to be used instead of
-  `gcr.io/google_containers` (NB. does not works for ci version)
-  
-- provide an `unifiedControlPlaneImage` to be used instead of single image
-  for control plane components
-  
-- provide an `etcd.image` name to be used
-
-## Running kubeadm without an internet connection
-
-All of the control plane components run in Pods started by the kubelet and
-the following images are required for the cluster works will be automatically
-pulled by the kubelet if they don't exist locally while `kubeadm init` is initializing
-your master:
-
-| Image Name |  v1.7 release branch version | v1.8 release branch version
-|---|---|---|
-| gcr.io/google_containers/kube-apiserver-${ARCH} | v1.7.x | v1.8.x
-| gcr.io/google_containers/kube-controller-manager-${ARCH} | v1.7.x | v1.8.x
-| gcr.io/google_containers/kube-scheduler-${ARCH} | v1.7.x | v1.8.x
-| gcr.io/google_containers/kube-proxy-${ARCH} | v1.7.x | v1.8.x
-| gcr.io/google_containers/etcd-${ARCH} | 3.0.17 | 3.0.17
-| gcr.io/google_containers/pause-${ARCH} | 3.0 | 3.0
-| gcr.io/google_containers/k8s-dns-sidecar-${ARCH} | 1.14.4 | 1.14.4
-| gcr.io/google_containers/k8s-dns-kube-dns-${ARCH} | 1.14.4 | 1.14.4
-| gcr.io/google_containers/k8s-dns-dnsmasq-nanny-${ARCH} | 1.14.4 | 1.14.4
-
-Here `v1.7.x` means the "latest patch release of the v1.7 branch".
-
-`${ARCH}` can be one of: `amd64`, `arm`, `arm64`, `ppc64le` or `s390x`.
-
-## Managing the kubeadm drop-in file for the kubelet {#kubelet-drop-in}
-
-The kubeadm deb package ships with configuration for how the kubelet should
-be run. Note that the `kubeadm` CLI command will never touch this drop-in file.
-This drop-in file belongs to the kubeadm deb/rpm package.
-
-This is what it looks like in v1.7:
-
-```
-[Service]
-Environment="KUBELET_KUBECONFIG_ARGS=--kubeconfig=/etc/kubernetes/kubelet.conf --require-kubeconfig=true"
-Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true"
-Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
-Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local"
-Environment="KUBELET_AUTHZ_ARGS=--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt"
-Environment="KUBELET_CADVISOR_ARGS=--cadvisor-port=0"
-ExecStart=
-ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CADVISOR_ARGS $KUBELET_EXTRA_ARGS
-```
-
-A breakdown of what/why:
-
-* `--kubeconfig=/etc/kubernetes/kubelet.conf` points to the kubeconfig file that
-   tells the kubelet where the API server is. This file also has the kubelet's
-   credentials.
-* `--require-kubeconfig=true` the kubelet should fail fast if the kubeconfig file
-   is not present. This makes the kubelet crash loop during the time the service is
-   started until `kubeadm init` is run.
-* `--pod-manifest-path=/etc/kubernetes/manifests` specifies from where to read
-   Static Pod manifests used for spinning up the control plane
-* `--allow-privileged=true` allows this kubelet to run privileged Pods
-* `--network-plugin=cni` uses CNI networking
-* `--cni-conf-dir=/etc/cni/net.d` specifies where to look for the
-   [CNI spec file(s)](https://github.com/containernetworking/cni/blob/master/SPEC.md)
-* `--cni-bin-dir=/opt/cni/bin` specifies where to look for the actual CNI binaries
-* `--cluster-dns=10.96.0.10` use this cluster-internal DNS server for `nameserver`
-   entries in Pods' `/etc/resolv.conf`
-* `--cluster-domain=cluster.local` uses this cluster-internal DNS domain for
-   `search` entries in Pods' `/etc/resolv.conf`
-* `--client-ca-file=/etc/kubernetes/pki/ca.crt` authenticates requests to the Kubelet
-   API using this CA certificate.
-* `--authorization-mode=Webhook` authorizes requests to the Kubelet API by `POST`-ing
-   a `SubjectAccessReview` to the API Server
-* `--cadvisor-port=0` disables cAdvisor from listening to `0.0.0.0:4194` by default.
-   cAdvisor will still be run inside of the kubelet and its API can be accessed at
-   `https://{node-ip}:10250/stats/`. If you want to enable cAdvisor to listen on a
-   wide-open port, run:
-
-   ```
-   sed -e "/cadvisor-port=0/d" -i /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
-   systemctl daemon-reload
-   systemctl restart kubelet
-   ```
-
-## Cloud provider integrations (experimental)
-
-Enabling specific cloud providers is a common request. This currently requires
-manual configuration and is therefore not yet fully supported. If you wish to do
-so, edit the kubeadm drop-in for the kubelet service
-(`/etc/systemd/system/kubelet.service.d/10-kubeadm.conf`) on all nodes,
-including the master. If your cloud provider requires any extra packages
-installed on the host, for example for volume mounting/unmounting, install those
-packages.
-
-Specify the `--cloud-provider` flag for the kubelet and set it to the cloud of your
-choice. If your cloud provider requires a configuration file, create the file
-`/etc/kubernetes/cloud-config` on every node. The exact format and content of
-that file depends on the requirements imposed by your cloud provider. If you use
-the `/etc/kubernetes/cloud-config` file, you must append it to the kubelet
-arguments as follows: `--cloud-config=/etc/kubernetes/cloud-config`
-
-Note that there is most likely other per-provider configuration that may be needed
-(IAM roles for AWS) that is currently underdocumented.
-
-Next, specify the cloud provider in the kubeadm config file.  Create a file called
-`kubeadm.conf` with the following contents:
-
-``` yaml
-kind: MasterConfiguration
-apiVersion: kubeadm.k8s.io/v1alpha1
-cloudProvider: <cloud provider>
-```
-
-Lastly, run `kubeadm init --config=kubeadm.conf` to bootstrap your cluster with
-the cloud provider.
-
-This workflow is not yet fully supported, however we hope to make it extremely
-easy to spin up clusters with cloud providers in the future. (See [this
-proposal](https://github.com/kubernetes/community/pull/128) for more
-information) The [Kubelet Dynamic
-Settings](https://github.com/kubernetes/kubernetes/pull/29459) feature may also
-help to fully automate this process in the future.
-
-
-## Environment variables
-
-**Note:** These environment variables are deprecated and will stop functioning in v1.8!
-
-There are some environment variables that modify the way that kubeadm works.
-Most users will have no need to set these. These environment variables are a
-short-term solution, eventually they will be integrated in the kubeadm
-configuration file.
-
-| Variable               | Default                                       | Description                              |
-| ---------------------- | --------------------------------------------- | ---------------------------------------- |
-| `KUBE_KUBERNETES_DIR`  | `/etc/kubernetes`                             | Where most configuration files are written to and read from |
-| `KUBE_HYPERKUBE_IMAGE` |                                               | If set, use a single hyperkube image with this name. If not set, individual images per server component will be used. |
-| `KUBE_ETCD_IMAGE`      | `gcr.io/google_containers/etcd-<arch>:3.0.17` | The etcd container image to use. |
-| `KUBE_REPO_PREFIX`     | `gcr.io/google_containers`                    | The image prefix for all images that are used. |
-
-If `KUBE_KUBERNETES_DIR` is specified, you may need to rewrite the arguments of the kubelet.
-(e.g. --kubeconfig, --pod-manifest-path)
-
-If `KUBE_REPO_PREFIX` is specified, you may need to set the kubelet flag
-`--pod-infra-container-image` which specifies which pause image to use.
-
-Defaults to `gcr.io/google_containers/pause-${ARCH}:3.0` where `${ARCH}`
-can be one of `amd64`, `arm`, `arm64`, `ppc64le` or `s390x`.
-
-```bash
-cat > /etc/systemd/system/kubelet.service.d/20-pod-infra-image.conf <<EOF
-[Service]
-Environment="KUBELET_EXTRA_ARGS=--pod-infra-container-image=<your-image>"
-EOF
-systemctl daemon-reload
-systemctl restart kubelet
-```
-
-If you want to use kubeadm with an http proxy, you may need to configure it to
-support http_proxy, https_proxy, or no_proxy.
-
-For example, if your kube master node IP address is 10.18.17.16 and you have a
-proxy which supports both http/https on 10.18.17.16 port 8080, you can use the
-following command:
-
-```bash
-export PROXY_PORT=8080
-export PROXY_IP=10.18.17.16
-export http_proxy=http://$PROXY_IP:$PROXY_PORT
-export HTTP_PROXY=$http_proxy
-export https_proxy=$http_proxy
-export HTTPS_PROXY=$http_proxy
-export no_proxy="localhost,127.0.0.1,localaddress,.localdomain.com,example.com,10.18.17.16"
-```
-
-Remember to change `proxy_ip` and add a kube master node IP address to
-`no_proxy`.
-
-## Using custom certificates {#custom-certificates}
-
-By default kubeadm will generate all the certificates needed for a cluster to run.
-You can override this behaviour by providing your own certificates.
-
-To do so, you must place them in whatever directory is specified by the
-`--cert-dir` flag or `CertificatesDir` configuration file key. By default this
-is `/etc/kubernetes/pki`.
-
-If a given certificate and private key pair both exist, kubeadm will skip the
-generation step and those files will be validated and used for the prescribed
-use-case.
-
-This means you can, for example, prepopulate `/etc/kubernetes/pki/ca.crt`
-and `/etc/kubernetes/pki/ca.key` with an existing CA, which then will be used
-for signing the rest of the certs.
-
-Only for the CA, it is possible to provide the `ca.crt` file but not the `ca.key`
-file; if all other certificates and kubeconfig files already are in place kubeadm
-recognise this condition and activates the so called "ExternalCA" mode, which also
-implies the csrsignercontroller in controller-manager won't be started.
-
-## Self-hosting the Kubernetes control plane  {#self-hosting}
-As of 1.8, kubeadm can experimentally create a _self-hosted_ Kubernetes control
-plane. This means that key components such as the API server, controller
-manager, and scheduler run as [DaemonSet pods](/docs/concepts/workloads/controllers/daemonset/)
-configured via the Kubernetes API instead of [static pods](/docs/tasks/administer-cluster/static-pod/)
-configured in the kubelet via static files.
-
-Self-hosting is alpha in kubeadm 1.8 but is expected to become the default in
-a future version. To create a self-hosted cluster, pass the `--feature-gates=SelfHosting=true`
-flag to `kubeadm init`.
-
-#### Caveats
-Kubeadm self-hosting in 1.8 has some important limitations. In particular, a
-self-hosted cluster cannot currently recover from a reboot of the master node
-without manual intervention. This and other limitations are expected to be
-resolved before self-hosting graduates from alpha.
-
-By default, self-hosted control plane pods rely on credentials loaded from
-[`hostPath`](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath)
-volumes. Except for initial creation, these credentials are not managed by
-kubeadm. You can use `--feature-gates=StoreCertsInSecrets=true` to enable an
-experimental mode where control plane credentials are loaded from Secrets
-instead. This requires very careful control over the authentication and
-authorization configuration for your cluster, and may not be appropriate for
-your environment.
-
-In 1.8, the self-hosted portion of the control plane does not include etcd,
-which still runs as a static pod.
-
-#### Process
-The self-hosting bootstrap process is documented in [the kubeadm 1.8 design
-document](https://github.com/kubernetes/kubeadm/blob/master/docs/design/design_v1.8.md#optional-self-hosting).
-In summary, `kubeadm init --feature-gates=SelfHosting=true` works as follows:
-
-  1. As usual, kubeadm creates static pod YAML files in `/etc/kubernetes/manifests/`.
-
-  1. Kubelet loads these files and launches the initial static control plane.
-    Kubeadm waits for this initial static control plane to be running and
-    healthy. This is identical to the `kubeadm init` process without self-hosting.
-
-  1. Kubeadm uses the static control plane pod manifests to construct a set of
-    DaemonSet manifests that will run the self-hosted control plane.
-
-  1. Kubeadm creates DaemonSets in the `kube-system` namespace and waits for the
-    resulting pods to be running.
-
-  1. Once the new control plane is running (but not yet active), kubeadm deletes
-    the static pod YAML files. This triggers kubelet to stop those static pods.
-
-  1. When the original static control plane stops, the new self-hosted control
-    plane is able to bind to listening ports and become active.
-
-This process (steps 3-6) can also be triggered with `kubeadm phase selfhosting convert-from-staticpods`.
-
-## Customising the control plane with custom arguments {#custom-args}
-
-If you would like to override or extend the behaviour of a control plane component, you can provide 
-extra arguments to kubeadm. When the component is deployed, it will use these additional arguments _in its 
-pod command_. 
-
-For example, to add flag `--feature-gates=APIResponseCompression=true` to kube-apiserver, your [configuration file](#sample-master-configuration) 
-will need to look like this:
-
-```
-apiVersion: kubeadm.k8s.io/v1alpha1
-kind: MasterConfiguration
-apiServerExtraArgs:
-   feature-gates: APIResponseCompression=true
-```
-
-To customise the scheduler or controller-manager, use `schedulerExtraArgs` and `controllerManagerExtraArgs` respectively.
-
-More information on custom arguments can be found here:
-
-- [kube-apiserver](https://kubernetes.io/docs/admin/kube-apiserver/)
-- [kube-controller-manager](https://kubernetes.io/docs/admin/kube-controller-manager/)
-- [kube-scheduler](https://kubernetes.io/docs/admin/kube-scheduler/)
-
-## Releases and release notes
-
-If you already have kubeadm installed and want to upgrade, run `apt-get update
-&& apt-get upgrade` or `yum update` to get the latest version of kubeadm.
-
-Refer to the
-[CHANGELOG.md](https://git.k8s.io/kubeadm/CHANGELOG.md)
-for more information.
diff --git a/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md b/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md
new file mode 100755
index 0000000000000..6ebe19127b86e
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md
@@ -0,0 +1,261 @@
+---
+approvers:
+- mikedanese
+- luxas
+- jbeda
+title: kubeadm alpha
+---
+`kubeadm alpha` provides a preview of a set of features made available for gathering feedback
+ from the community. Please try it out and give us feedback!
+{: .caution}
+
+In v1.8.0, kubeadm introduced the `kubeadm alpha phase` command with the aim of making kubeadm more modular. This modularity enables you to invoke atomic sub-steps of the boostrap process; you can let kubeadm do some parts and fill in yourself where you need customizations.
+
+`kubeadm alpha phase` is consistent with [kubeadm init workflow](kubeadm-init.md#init-workflow), 
+and behind the scene both use the same code.
+
+* [kubeadm alpha phase preflight](#cmd-phase-preflight)
+* [kubeadm alpha phase certs](#cmd-phase-certs)
+* [kubeadm alpha phase kubeconfig](#cmd-phase-kubeconfig)
+* [kubeadm alpha phase controlplane](#cmd-phase-controlplane)
+* [kubeadm alpha phase etcd](#cmd-phase-etcd)
+* [kubeadm alpha phase mark-master](#cmd-phase-mark-master)
+* [kubeadm alpha phase bootstrap-token](#cmd-phase-bootstrap-token)
+* [kubeadm alpha phase upload-config](#cmd-phase-upload-config)
+* [kubeadm alpha phase addon](#cmd-phase-addon)
+* [kubeadm alpha phase selfhosting](#cmd-phase-self-hosting)
+
+## kubeadm alpha phase preflight {#cmd-phase-preflight}
+
+You can execute preflight checks both for he tmaster node, like in `kubeadm init`, or for the worker node
+like in `kubeadm join`.
+
+{% capture preflight_master %}
+{% include_relative generated/kubeadm_alpha_phase_preflight_master.md %}
+{% endcapture %}
+
+{% capture preflight_node %}
+{% include_relative generated/kubeadm_alpha_phase_preflight_node.md %}
+{% endcapture %}
+
+{% assign tab_set_name = "tab-preflight" %}
+{% assign tab_names = "master,node" | split: ',' | compact %}
+{% assign tab_contents = site.emptyArray | push: preflight_master | push: preflight_node %}
+
+{% include tabs.md %}
+
+## kubeadm alpha phase certs {#cmd-phase-certs}
+
+You can create all required certificates with the `all` sub command or selectively create certificates.
+
+{% capture certs_all %}
+{% include_relative generated/kubeadm_alpha_phase_certs_all.md %}
+{% endcapture %}
+
+{% capture certs_ca %}
+{% include_relative generated/kubeadm_alpha_phase_certs_ca.md %}
+{% endcapture %}
+
+{% capture certs_apiserver %}
+{% include_relative generated/kubeadm_alpha_phase_certs_apiserver.md %}
+{% endcapture %}
+
+{% capture certs_apiserver-kubelet-client %}
+{% include_relative generated/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md %}
+{% endcapture %}
+
+{% capture certs_sa %}
+{% include_relative generated/kubeadm_alpha_phase_certs_sa.md %}
+{% endcapture %}
+
+{% capture certs_front-proxy-ca %}
+{% include_relative generated/kubeadm_alpha_phase_certs_front-proxy-ca.md %}
+{% endcapture %}
+
+{% capture certs_front-proxy-client %}
+{% include_relative generated/kubeadm_alpha_phase_certs_front-proxy-client.md %}
+{% endcapture %}
+
+{% assign tab_set_name = "tab-certs" %}
+{% assign tab_names = "all,ca,apiserver,apiserver-kubelet-client,sa,front-proxy-ca,front-proxy-client" | split: ',' | compact %}
+{% assign tab_contents = site.emptyArray | push: certs_all | push: certs_ca | push: certs_apiserver | push: certs_apiserver-kubelet-client | push: certs_sa | push: certs_front-proxy-ca | push: certs_front-proxy-client %}
+
+{% include tabs.md %}
+
+## kubeadm alpha phase kubeconfig {#cmd-phase-kubeconfig}
+
+You can create all required kubeconfig files with the `all` sub command, or selectively create the files. Additionally, the `user` sub command supports the creation of kubeconfig files for additional users.
+
+{% capture kubeconfig_all %}
+{% include_relative generated/kubeadm_alpha_phase_kubeconfig_all.md %}
+{% endcapture %}
+
+{% capture kubeconfig_admin %}
+{% include_relative generated/kubeadm_alpha_phase_kubeconfig_admin.md %}
+{% endcapture %}
+
+{% capture kubeconfig_kubelet %}
+{% include_relative generated/kubeadm_alpha_phase_kubeconfig_kubelet.md %}
+{% endcapture %}
+
+{% capture kubeconfig_controller-manager %}
+{% include_relative generated/kubeadm_alpha_phase_kubeconfig_controller-manager.md %}
+{% endcapture %}
+
+{% capture kubeconfig_scheduler %}
+{% include_relative generated/kubeadm_alpha_phase_kubeconfig_scheduler.md %}
+{% endcapture %}
+
+{% capture kubeconfig_user %}
+{% include_relative generated/kubeadm_alpha_phase_kubeconfig_user.md %}
+{% endcapture %}
+
+{% assign tab_set_name = "tab-kubeconfig" %}
+{% assign tab_names = "all,admin,kubelet,controller-manager,scheduler,user" | split: ',' | compact %}
+{% assign tab_contents = site.emptyArray | push: kubeconfig_all | push: kubeconfig_admin | push: kubeconfig_kubelet | push: kubeconfig_controller-manager | push: kubeconfig_scheduler | push: kubeconfig_user %}
+
+{% include tabs.md %}
+
+## kubeadm alpha phase controlplane {#cmd-phase-controlplane}
+
+You can create all required static pod files for control plane components with the `all` sub command, 
+or selectively create the files.
+
+{% capture controlplane_all %}
+{% include_relative generated/kubeadm_alpha_phase_controlplane_all.md %}
+{% endcapture %}
+
+{% capture controlplane_apiserver %}
+{% include_relative generated/kubeadm_alpha_phase_controlplane_apiserver.md %}
+{% endcapture %}
+
+{% capture controlplane_controller-manager %}
+{% include_relative generated/kubeadm_alpha_phase_controlplane_controller-manager.md %}
+{% endcapture %}
+
+{% capture controlplane_scheduler %}
+{% include_relative generated/kubeadm_alpha_phase_controlplane_scheduler.md %}
+{% endcapture %}
+
+{% assign tab_set_name = "tab-controlplane" %}
+{% assign tab_names = "all,apiserver,controller-manager,scheduler" | split: ',' | compact %}
+{% assign tab_contents = site.emptyArray | push: controlplane_all | push: controlplane_apiserver | push: controlplane_controller-manager | push: controlplane_scheduler %}
+
+{% include tabs.md %}
+
+## kubeadm alpha phase etcd {#cmd-phase-etcd}
+
+Use the following command to create a self-hosted, local etcd instance based on a static pod file.
+
+{% capture etcd-local %}
+{% include_relative generated/kubeadm_alpha_phase_etcd_local.md %}
+{% endcapture %}
+
+{% assign tab_set_name = "tab-etcd" %}
+{% assign tab_names = "etcd local" | split: ',' | compact %}
+{% assign tab_contents = site.emptyArray | push: etcd-local %}
+
+{% include tabs.md %}
+
+## kubeadm alpha phase mark-master {#cmd-phase-mark-master}
+
+Use the following command to label the node with the `node-role.kubernetes.io/master` taint.
+
+{% capture mark-master %}
+{% include_relative generated/kubeadm_alpha_phase_mark-master.md %}
+{% endcapture %}
+
+{% assign tab_set_name = "tab-mark-master" %}
+{% assign tab_names = "mark-master" | split: ',' | compact %}
+{% assign tab_contents = site.emptyArray | push: mark-master %}
+
+{% include tabs.md %}
+
+## kubeadm alpha phase bootstrap-token {#cmd-phase-bootstrap-token}
+
+Use the following actions to fully configure bootstrap tokens.
+You can fully configure bootstrap tokens with the `all` sub command, 
+or selectively configure single elements.
+
+{% capture bootstrap-token_all %}
+{% include_relative generated/kubeadm_alpha_phase_bootstrap-token_all.md %}
+{% endcapture %}
+
+{% capture bootstrap-token_create %}
+{% include_relative generated/kubeadm_alpha_phase_bootstrap-token_create.md %}
+{% endcapture %}
+
+{% capture bootstrap-token_cluster-info %}
+{% include_relative generated/kubeadm_alpha_phase_bootstrap-token_cluster-info.md %}
+{% endcapture %}
+
+{% capture bootstrap-token_node_allow-auto-approve %}
+{% include_relative generated/kubeadm_alpha_phase_bootstrap-token_node_allow-auto-approve.md %}
+{% endcapture %}
+
+{% capture bootstrap-token_node_allow-post-csrs %}
+{% include_relative generated/kubeadm_alpha_phase_bootstrap-token_node_allow-post-csrs.md %}
+{% endcapture %}
+
+{% assign tab_set_name = "tab-bootstrap-token" %}
+{% assign tab_names = "all,create,cluster-info,node allow-auto-approve,node allow-post-csrs" | split: ',' | compact %}
+{% assign tab_contents = site.emptyArray | push: bootstrap-token_all | push: bootstrap-token_create | push: bootstrap-token_cluster-info | push: bootstrap-token_node_allow-auto-approve | push: bootstrap-token_node_allow-post-csrs %}
+
+{% include tabs.md %}
+
+## kubeadm alpha phase upload-config {#cmd-phase-upload-config}
+
+You can use this command to upload the configuration of your cluster. Alternatively, you 
+can use [kubeadm config](kubeadm-config.md).
+
+{% capture upload-config %}
+{% include_relative generated/kubeadm_alpha_phase_upload-config.md %}
+{% endcapture %}
+
+{% assign tab_set_name = "tab-upload-config" %}
+{% assign tab_names = "upload-config" | split: ',' | compact %}
+{% assign tab_contents = site.emptyArray | push: upload-config %}
+
+{% include tabs.md %}
+
+## kubeadm alpha phase addon {#cmd-phase-addon}
+
+You can install all the available addons with the `all` sub command, or 
+install them selectively.
+
+{% capture addon-all %}
+{% include_relative generated/kubeadm_alpha_phase_addon_all.md %}
+{% endcapture %}
+
+{% capture addon-kube-proxy %}
+{% include_relative generated/kubeadm_alpha_phase_addon_kube-proxy.md %}
+{% endcapture %}
+
+{% capture addon-kube-dns %}
+{% include_relative generated/kubeadm_alpha_phase_addon_kube-dns.md %}
+{% endcapture %}
+
+{% assign tab_set_name = "tab-addon" %}
+{% assign tab_names = "all,kube-proxy,kube-dns" | split: ',' | compact %}
+{% assign tab_contents = site.emptyArray | push: addon-all | push: addon-kube-proxy | push: addon-kube-dns %}
+
+{% include tabs.md %}
+
+## kubeadm alpha phase self-hosting {#cmd-phase-self-hosting}
+
+**Caution:** Self-hosting is an alpha feature. See [kubeadm init](kubeadm-init.md) documentation for self-hosting limitations.
+{: .caution}
+
+{% capture self-hosting %}
+{% include_relative generated/kubeadm_alpha_phase_selfhosting_convert-from-staticpods.md %}
+{% endcapture %}
+
+{% assign tab_set_name = "tab-self-hosting" %}
+{% assign tab_names = "self-hosting" | split: ',' | compact %}
+{% assign tab_contents = site.emptyArray | push: self-hosting %}
+
+{% include tabs.md %}
+
+## What's next
+* [kubeadm init](kubeadm-init.md) to bootstrap a Kubernetes master node
+* [kubeadm reset](kubeadm-reset.md) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
diff --git a/docs/reference/setup-tools/kubeadm/kubeadm-config.md b/docs/reference/setup-tools/kubeadm/kubeadm-config.md
new file mode 100644
index 0000000000000..f1d0e09d4671d
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/kubeadm-config.md
@@ -0,0 +1,31 @@
+---
+approvers:
+- mikedanese
+- luxas
+- jbeda
+title: kubeadm config
+---
+{% capture overview %}
+Beginning with v1.8.0, kubeadm uploads the configuration of your cluster to a ConfigMap called 
+`kubeadm-config` in the `kube-system` namespace, and later reads the ConfigMap when upgrading. This enables correct configuration of system components, and provides a seamless user experience.
+
+You can use `kubeadm config view` to view the ConfigMap. If you initialized your cluster using kubeadm v1.7.x or lower, you can use `kubeadm config upload` to create a ConfigMap before you execute `kubeadm upgrade`.
+
+{% endcapture %}
+
+{% capture body %}
+## kubeadm config upload from-file {#cmd-config-from-file}
+{% include_relative generated/kubeadm_config_upload_from-file.md %}
+
+## kubeadm config upload from-flags {#cmd-config-from-flags}
+{% include_relative generated/kubeadm_config_upload_from-flags.md %}
+
+## kubeadm config view {#cmd-config-view}
+{% include_relative generated/kubeadm_config_view.md %}
+{% endcapture %}
+
+{% capture whatsnext %}
+* [kubeadm upgrade](kubeadm-upgrade.md) to upgrade a Kubernetes cluster to a newer version
+{% endcapture %}
+
+{% include templates/concept.md %}
\ No newline at end of file
diff --git a/docs/reference/setup-tools/kubeadm/kubeadm-init.md b/docs/reference/setup-tools/kubeadm/kubeadm-init.md
new file mode 100755
index 0000000000000..30e59549e9e64
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/kubeadm-init.md
@@ -0,0 +1,417 @@
+---
+approvers:
+- mikedanese
+- luxas
+- jbeda
+title: kubeadm init
+---
+{% capture overview %}
+{% endcapture %}
+
+{% capture body %}
+{% include_relative generated/kubeadm_init.md %}
+
+### Init workflow {#init-workflow}
+`kubeadm init` bootstraps a Kubernetes master node by executing the
+following steps:
+
+1. Runs a series of pre-flight checks to validate the system state
+   before making changes. Some checks only trigger warnings, others are
+   considered errors and will exit kubeadm until the problem is corrected or the
+   user specifies `--skip-preflight-checks`.
+
+1. Generates the token that additional nodes can use to register
+   themselves with the master in the future.  Optionally, the user can provide a
+   token via `--token`, as described in the
+   [kubeadm token](kubeadm-token.md) docs.
+
+1. Generates a self-signed CA to provision identities for each component
+   (including nodes) in the cluster.  It also generates client certificates to
+   be used by various components.  If the user has provided their own CA by
+   dropping it in the cert directory configured via `--cert-dir`
+   (`/etc/kubernetes/pki` by default) this step is skipped as described in the
+   [Using custom certificates](#custom-certificates) document.
+
+1. Writes kubeconfig files in `/etc/kubernetes/`  for
+   the kubelet, the controller-manager and the scheduler to use to connect to the
+   API server, each with its own identity, as well as an additional
+   kubeconfig file for administration named `admin.conf`.
+
+1. Generates static Pod manifests for the API server,
+   controller manager and scheduler. In case an external etcd is not provided,
+   an additional static Pod manifest are generated for etcd.
+
+   Static Pod manifests are written to `/etc/kubernetes/manifests`; the kubelet
+   watches this directory for Pods to create on startup.
+
+   Once control plane Pods are up and running, the kubeadm init sequence can continue.
+
+1. Apply labels and taints to the master node so that no additional workloads will 
+   run there.
+
+1. Makes all the necessary configurations for allowing node joining with the
+   [Bootstrap Tokens](/docs/admin/bootstrap-tokens/) and
+   [TLS Bootstrap](/docs/admin/kubelet-tls-bootstrapping/)
+   mechanism:
+
+   - Write a ConfigMap for making available all the information required
+     for joining, and set up related RBAC access rules.
+
+   - Ensure access to the CSR signing API for bootstrap tokens.
+
+   - Configure auto approval for new CSR requests.
+
+   See [kubeadm join](kubeadm-join.md) for additional info.
+
+1. Installs the internal DNS server and the kube-proxy addon components via the API server.  
+   Please note that although the DNS server is deployed, it will not be scheduled until CNI is installed.
+
+1. If `kubeadm init` is invoked with the alpha self-hosting feature enabled,
+   (`--feature-gates=SelfHosting=true`), the static Pod based control plane is
+   transformed into a [self-hosted control plane](#self-hosting).
+
+
+### Using kubeadm init with a configuration file {#config-file}
+
+**Caution:** The config file is
+still considered alpha and may change in future versions.
+{: .caution}
+
+It's possible to configure `kubeadm init` with a configuration file instead of command
+line flags, and some more advanced features may only be available as
+configuration file options.  This file is passed in the `--config` option.
+
+```yaml
+apiVersion: kubeadm.k8s.io/v1alpha1
+kind: MasterConfiguration
+api:
+  advertiseAddress: <address|string>
+  bindPort: <int>
+etcd:
+  endpoints:
+  - <endpoint1|string>
+  - <endpoint2|string>
+  caFile: <path|string>
+  certFile: <path|string>
+  keyFile: <path|string>
+  dataDir: <path|string>
+  extraArgs:
+    <argument>: <value|string>
+    <argument>: <value|string>
+  image: <string>
+networking:
+  dnsDomain: <string>
+  serviceSubnet: <cidr>
+  podSubnet: <cidr>
+kubernetesVersion: <string>
+cloudProvider: <string>
+nodeName: <string>
+authorizationModes:
+- <authorizationMode1|string>
+- <authorizationMode2|string>
+token: <string>
+tokenTTL: <time duration>
+selfHosted: <bool>
+apiServerExtraArgs:
+  <argument>: <value|string>
+  <argument>: <value|string>
+controllerManagerExtraArgs:
+  <argument>: <value|string>
+  <argument>: <value|string>
+schedulerExtraArgs:
+  <argument>: <value|string>
+  <argument>: <value|string>
+apiServerCertSANs:
+- <name1|string>
+- <name2|string>
+certificatesDir: <string>
+imageRepository: <string>
+unifiedControlPlaneImage: <string>
+featureGates:
+  <feature>: <bool>
+  <feature>: <bool>
+```
+
+### Passing custom arguments to control plane components {#custom-args}
+
+If you would like to override or extend the behaviour of a control plane component, you can provide 
+extra arguments to kubeadm. When the component is deployed, these additional arguments are added to 
+the Pod command itself. 
+
+For example, to add additional feature-gate arguments to the API server, your [configuration file](#config-file) 
+will need to look like this:
+
+```
+apiVersion: kubeadm.k8s.io/v1alpha1
+kind: MasterConfiguration
+apiServerExtraArgs:
+   feature-gates: APIResponseCompression=true
+```
+
+To customize the scheduler or controller-manager, use `schedulerExtraArgs` and `controllerManagerExtraArgs` respectively.
+
+More information on custom arguments can be found here:
+- [kube-apiserver](/docs/admin/kube-apiserver/)
+- [kube-controller-manager](/docs/admin/kube-controller-manager/)
+- [kube-scheduler](/docs/admin/kube-scheduler/)
+
+### Using custom images {#custom-images}
+
+By default, kubeadm pulls images from `gcr.io/google_containers`, unless
+the requested Kubernetes version is a CI version. In this case,
+`gcr.io/kubernetes-ci-image` is used.
+
+You can override this behavior by using [kubeadm with a configuration file](#config-file).
+Allowed customization are:
+
+* To provide an alternative `imageRepository` to be used instead of
+  `gcr.io/google_containers`.
+* To provide a `unifiedControlPlaneImage` to be used instead of different images for control plane components.
+* To provide a specific `etcd.image` to be used instead of the image available at`gcr.io/google_containers`.
+
+
+### Using custom certificates {#custom-certificates}
+
+By default, kubeadm generates all the certificates needed for a cluster to run.
+You can override this behavior by providing your own certificates.
+
+To do so, you must place them in whatever directory is specified by the
+`--cert-dir` flag or `CertificatesDir` configuration file key. By default this
+is `/etc/kubernetes/pki`.
+
+If a given certificate and private key pair exists, kubeadm skips the
+generation step and existing files are used for the prescribed
+use case. This means you can, for example, copy an existing CA into `/etc/kubernetes/pki/ca.crt`
+and `/etc/kubernetes/pki/ca.key`, and kubeadm will use this CA for signing the rest 
+of the certs.
+
+It is also possible to provide just the `ca.crt` file and not the 
+`ca.key` file (this is only available for the root CA file, not other cert pairs). 
+If all other certificates and kubeconfig files are in place, kubeadm recognizes 
+this condition and activates the "ExternalCA" mode, which also
+implies the CSR signer controller in the controller manager won't be started.
+
+### Managing the kubeadm drop-in file for the kubelet {#kubelet-drop-in}
+
+The kubeadm package ships with configuration for how the kubelet should
+be run. Note that the `kubeadm` CLI command never touches this drop-in file.
+This drop-in file belongs to the kubeadm deb/rpm package.
+
+This is what it looks like:
+
+
+```
+[Service]
+Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
+Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true"
+Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
+Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local"
+Environment="KUBELET_AUTHZ_ARGS=--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt"
+Environment="KUBELET_CADVISOR_ARGS=--cadvisor-port=0"
+Environment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true --cert-dir=/var/lib/kubelet/pki"
+ExecStart=
+ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CADVISOR_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_EXTRA_ARGS
+```
+
+Here's a breakdown of what/why:
+
+* `--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf` path to a kubeconfig 
+   file that is used to get client certificates for kubelet during node join. 
+   On success, a kubeconfig file is written to the path specified by `--kubeconfig`. 
+* `--kubeconfig=/etc/kubernetes/kubelet.conf` points to the kubeconfig file that
+   tells the kubelet where the API server is. This file also has the kubelet's
+   credentials.
+* `--pod-manifest-path=/etc/kubernetes/manifests` specifies from where to read
+   static Pod manifests used for starting the control plane the control plane.
+* `--allow-privileged=true` allows this kubelet to run privileged Pods.
+* `--network-plugin=cni` uses CNI networking.
+* `--cni-conf-dir=/etc/cni/net.d` specifies where to look for the
+   [CNI spec file(s)](https://github.com/containernetworking/cni/blob/master/SPEC.md).
+* `--cni-bin-dir=/opt/cni/bin` specifies where to look for the actual CNI binaries.
+* `--cluster-dns=10.96.0.10` use this cluster-internal DNS server for `nameserver`
+   entries in Pods' `/etc/resolv.conf`.
+* `--cluster-domain=cluster.local` uses this cluster-internal DNS domain for
+   `search` entries in Pods' `/etc/resolv.conf`.
+* `--client-ca-file=/etc/kubernetes/pki/ca.crt` authenticates requests to the Kubelet
+   API using this CA certificate.
+* `--authorization-mode=Webhook` authorizes requests to the Kubelet API by `POST`-ing
+   a `SubjectAccessReview` to the API server.
+* `--cadvisor-port=0` disables cAdvisor from listening to `0.0.0.0:4194` by default.
+   cAdvisor will still be run inside of the kubelet and its API can be accessed at
+   `https://{node-ip}:10250/stats/`. If you want to enable cAdvisor to listen on a
+   wide-open port, run:
+
+   ```
+   sed -e "/cadvisor-port=0/d" -i /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
+   systemctl daemon-reload
+   systemctl restart kubelet
+   ```
+* `--rotate-certificates` auto rotate the kubelet client certificates by requesting new 
+   certificates from the `kube-apiserver` when the certificate expiration approaches.
+* `--cert-dir`the directory where the TLS certs are located.
+
+### Use kubeadm with other CRI runtimes
+
+Since the [Kubernetes 1.6 release](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG.md#node-components-1),
+Kubernetes has started using CRI as the default container runtime.
+The container runtime used by kubeadm is Docker, which is enabled through the built-in
+`dockershim` in `kubelet` mechanisms.
+
+Other CRI-based runtimes include::
+
+- [cri-o](https://github.com/kubernetes-incubator/cri-o)
+- [frakti](https://github.com/kubernetes/frakti)
+- [rkt](https://github.com/kubernetes-incubator/rktlet)
+
+After you have successfully installed `kubeadm` and `kubelet`, execute
+these two additional steps:
+
+1. Install the runtime shim on every node, following the installation
+   document in the runtime shim project listing above.
+
+1. Configure kubelet to use the remote CRI runtime. Please remember to change
+   `RUNTIME_ENDPOINT` to your own value like `/var/run/{your_runtime}.sock`:
+
+```shell
+  cat > /etc/systemd/system/kubelet.service.d/20-cri.conf <<EOF
+Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --container-runtime-endpoint=$RUNTIME_ENDPOINT --feature-gates=AllAlpha=true"
+EOF
+  systemctl daemon-reload
+```
+
+Now `kubelet` is ready to use the specified CRI runtime, and you can continue
+with the `kubeadm init` and `kubeadm join` workflow to deploy Kubernetes cluster.
+
+### Using internal IPs in your cluster
+
+In order to set up a cluster where the master and worker nodes communicate with internal IP addresses (instead of public ones), execute following steps.
+
+1. When running init, you must make sure you specify an internal IP for the API server's bind address, like so:
+
+   `kubeadm init --apiserver-advertise-address=<private-master-ip>`
+
+2. When a worker node has been provisioned, add a flag to `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` that specifies the private IP of the worker node:
+
+   `--node-ip=<private-node-ip>`
+
+3. Finally, when you run `kubeadm join`, make sure you provide the private IP of the API server addressed as defined in step 1.
+
+### Self-hosting the Kubernetes control plane  {#self-hosting}
+As of 1.8, you can experimentally create a _self-hosted_ Kubernetes control
+plane. This means that key components such as the API server, controller
+manager, and scheduler run as [DaemonSet pods](/docs/concepts/workloads/controllers/daemonset/)
+configured via the Kubernetes API instead of [static pods](/docs/tasks/administer-cluster/static-pod/)
+configured in the kubelet via static files.
+
+**Caution:** Self-hosting is alpha, but is expected to become the default in
+a future version. To create a self-hosted cluster, pass the `--feature-gates=SelfHosting=true`
+flag to `kubeadm init`.
+{: .caution}
+
+**Warning:** see self-hosted caveats and limitations. 
+{: .warning}
+
+#### Caveats
+
+Self-hosting in 1.8 has some important limitations. In particular, a
+self-hosted cluster cannot recover from a reboot of the master node
+without manual intervention. This and other limitations are expected to be
+resolved before self-hosting graduates from alpha.
+
+By default, self-hosted control plane Pods rely on credentials loaded from
+[`hostPath`](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath)
+volumes. Except for initial creation, these credentials are not managed by
+kubeadm. You can use `--feature-gates=StoreCertsInSecrets=true` to enable an
+experimental mode where control plane credentials are loaded from Secrets
+instead. This requires very careful control over the authentication and
+authorization configuration for your cluster, and may not be appropriate for
+your environment.
+
+In kubeadm 1.8, the self-hosted portion of the control plane does not include etcd,
+which still runs as a static Pod.
+
+#### Process
+The self-hosting bootstrap process is documented in the [kubeadm design
+document](https://github.com/kubernetes/kubeadm/blob/master/docs/design/design_v1.9.md#optional-self-hosting).
+In summary, `kubeadm init --feature-gates=SelfHosting=true` works as follows:
+
+  1. Waits for this bootstrap static control plane to be running and
+    healthy. This is identical to the `kubeadm init` process without self-hosting.
+
+  1. Uses the static control plane Pod manifests to construct a set of
+    DaemonSet manifests that will run the self-hosted control plane.
+    It also modifies these manifests where necessary, for example adding new volumes 
+    for secrets.
+
+  1. Creates DaemonSets in the `kube-system` namespace and waits for the
+     resulting Pods to be running.
+
+  1. Once self-hosted Pods are operational, it's associated static Pods are deleted 
+     and kubeadm moves on to install the next component. This triggers kubelet to 
+     stop those static Pods.
+
+  1. When the original static control plane stops, the new self-hosted control
+    plane is able to bind to listening ports and become active.
+
+This process (steps 3-6) can also be triggered with `kubeadm phase selfhosting convert-from-staticpods`.
+
+### Running kubeadm without an internet connection
+
+For running kubeadm without an internet connection you have to pre-pull the required master images for the version of choice:
+
+| Image Name |  v1.8 release branch version | v1.9 release branch version
+|---|---|---|
+| gcr.io/google_containers/kube-apiserver-${ARCH} | v1.8.x | v1.9.x
+| gcr.io/google_containers/kube-controller-manager-${ARCH} | v1.8.x | v1.9.x
+| gcr.io/google_containers/kube-scheduler-${ARCH} | v1.8.x | v1.9.x
+| gcr.io/google_containers/kube-proxy-${ARCH} | v1.8.x | v1.9.x
+| gcr.io/google_containers/etcd-${ARCH} | 3.0.17 | 3.1.10
+| gcr.io/google_containers/pause-${ARCH} | 3.0 | 3.0
+| gcr.io/google_containers/k8s-dns-sidecar-${ARCH} | 1.14.5 | 1.14.7
+| gcr.io/google_containers/k8s-dns-kube-dns-${ARCH} | 1.14.5 | 1.14.7
+| gcr.io/google_containers/k8s-dns-dnsmasq-nanny-${ARCH} | 1.14.5 | 1.14.7
+
+Here `v1.8.x` means the "latest patch release of the v1.8 branch".
+
+`${ARCH}` can be one of: `amd64`, `arm`, `arm64`, `ppc64le` or `s390x`.
+
+If using `--feature-gates=CoreDNS` image `coredns/coredns:0.9.10` is required (instead of `kube-dns` images).
+
+### Automating kubeadm
+
+Rather than copying the token you obtained from `kubeadm init` to each node, as
+in the [basic kubeadm tutorial](/docs/setup/independent/create-cluster-kubeadm/), you can parallelize the
+token distribution for easier automation. To implement this automation, you must
+know the IP address that the master will have after it is started.
+
+1.  Generate a token. This token must have the form  `<6 character string>.<16
+    character string>`.  More formally, it must match the regex:
+    `[a-z0-9]{6}\.[a-z0-9]{16}`.
+
+    kubeadm can generate a token for you:
+
+    ```bash
+    kubeadm token generate
+    ```
+
+1. Start both the master node and the worker nodes concurrently with this token.
+   As they come up they should find each other and form the cluster.  The same
+   `--token` argument can be used on both `kubeadm init` and `kubeadm join`.
+
+Once the cluster is up, you can grab the admin credentials from the master node
+at `/etc/kubernetes/admin.conf` and use that to talk to the cluster.
+
+Note that this style of bootstrap has some relaxed security guarantees because
+it does not allow the root CA hash to be validated with
+`--discovery-token-ca-cert-hash` (since it's not generated when the nodes are
+provisioned). For details, see the [kubeadm join](kubeadm-join.md).
+
+{% endcapture %}
+
+{% capture whatsnext %}
+* [kubeadm join](kubeadm-join.md) to bootstrap a Kubernetes worker node and join it to the cluster
+* [kubeadm upgrade](kubeadm-upgrade.md) to upgrade a Kubernetes cluster to a newer version
+* [kubeadm reset](kubeadm-reset.md) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
+{% endcapture %}
+
+{% include templates/concept.md %}
\ No newline at end of file
diff --git a/docs/reference/setup-tools/kubeadm/kubeadm-join.md b/docs/reference/setup-tools/kubeadm/kubeadm-join.md
new file mode 100755
index 0000000000000..87341f4d57c4c
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/kubeadm-join.md
@@ -0,0 +1,227 @@
+---
+approvers:
+- mikedanese
+- luxas
+- jbeda
+title: kubeadm join
+---
+{% capture overview %}
+{% endcapture %}
+
+{% capture body %}
+{% include_relative generated/kubeadm_join.md %}
+
+### Join workflow 
+`kubeadm join` bootstraps a Kubernetes worker node and joins it to the cluster. 
+This action consists of the following steps:
+
+1. kubeadm downloads necessary cluster information from the API server.
+   By default, it uses the bootstrap token and the CA key hash to verify the
+   authenticity of that data. The root CA can also be discovered directly via a
+   file or URL.
+
+1. Once the cluster information is known, kubelet can start the TLS bootstrapping
+   process.
+
+   The TLS bootstrap uses the shared token to temporarily authenticate
+   with the Kubernetes API server to submit a certificate signing request (CSR); by
+   default the control plane signs this CSR request automatically.
+
+1. Finally, kubeadm configures the local kubelet to connect to the API
+   server with the definitive identity assigned to the node.
+
+### Discovery
+The kubeadm discovery has several options, each with security tradeoffs.
+The right method for your environment depends on how you provision nodes and the
+security expectations you have about your network and node lifecycles.
+
+#### Token-based discovery with CA pinning
+This is the default mode in Kubernetes 1.8 and above. In this mode, kubeadm downloads
+the cluster configuration (including root CA) and validates it using the token
+as well as validating that the root CA public key matches the provided hash and
+that the API server certificate is valid under the root CA.
+
+The CA key hash has the format `sha256:<hex_encoded_hash>`. By default, the hash value is returned in the `kubeadm join` command printed at the end of `kubeadm init` or in the output of `kubeadm token create --print-join-command`. It is in a standard format (see [RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4)) and can also be calculated by 3rd party tools or provisioning systems. For example, using the OpenSSL CLI: 
+
+```bash
+openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
+```
+
+**Example `kubeadm join` command:**
+
+```
+kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef 1.2.3.4:6443
+```
+
+**Advantages:**
+
+ - Allows bootstrapping nodes to securely discover a root of trust for the
+   master even if other worker nodes or the network are compromised.
+
+ - Convenient to execute manually since all of the information required fits
+   into a single `kubeadm join` command that is easy to copy and paste.
+
+**Disadvantages:**
+
+ - The CA hash is not normally known until the master has been provisioned,
+   which can make it more difficult to build automated provisioning tools that
+   use kubeadm.
+
+#### Token-based discovery without CA pinning
+_This was the default in Kubernetes 1.7 and earlier_, but comes with some
+important caveats. This mode relies only on the symmetric token to sign
+(HMAC-SHA256) the discovery information that establishes the root of trust for
+the master. It's still possible in Kubernetes 1.8 and above using the
+`--discovery-token-unsafe-skip-ca-verification` flag, but you should consider
+using one of the other modes if possible.
+
+**Example `kubeadm join` command:**
+
+```
+kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-unsafe-skip-ca-verification 1.2.3.4:6443`
+```
+
+**Advantages:**
+
+ - Still protects against many network-level attacks.
+
+ - The token can be generated ahead of time and shared with the master and
+   worker nodes, which can then bootstrap in parallel without coordination. This
+   allows it to be used in many provisioning scenarios.
+
+**Disadvantages:**
+
+ - If an attacker is able to steal a bootstrap token via some vulnerability,
+   they can use that token (along with network-level access) to impersonate the
+   master to other bootstrapping nodes. This may or may not be an appropriate
+   tradeoff in your environment.
+
+#### File or HTTPS-based discovery
+This provides an out-of-band way to establish a root of trust between the master
+and bootstrapping nodes.   Consider using this mode if you are building automated provisioning
+using kubeadm.
+
+**Example `kubeadm join` commands:**
+
+ - `kubeadm join --discovery-file path/to/file.conf` (local file)
+
+ - `kubeadm join --discovery-file https://url/file.conf` (remote HTTPS URL)
+
+**Advantages:**
+
+ - Allows bootstrapping nodes to securely discover a root of trust for the
+   master even if the network or other worker nodes are compromised.
+
+**Disadvantages:**
+
+ - Requires that you have some way to carry the discovery information from
+   the master to the bootstrapping nodes. This might be possible, for example,
+   via your cloud provider or provisioning tool. The information in this file is
+   not secret, but HTTPS or equivalent is required to ensure its integrity.
+
+ - Less convenient to use manually since the file is difficult to copy and paste
+   between nodes.
+
+### Securing your installation even more {#securing-more}
+
+The defaults for kubeadm may not work for everyone. This section documents how to tighten up a kubeadm installation
+at the cost of some usability.
+
+#### Turning off auto-approval of node client certificates
+
+By default, there is a CSR auto-approver enabled that basically approves any client certificate request
+for a kubelet when a Bootstrap Token was used when authenticating. If you don't want the cluster to
+automatically approve kubelet client certs, you can turn it off by executing this command:
+
+```console
+$ kubectl delete clusterrole kubeadm:node-autoapprove-bootstrap
+```
+
+After that, `kubeadm join` will block until the admin has manually approved the CSR in flight:
+
+```console
+$ kubectl get csr
+NAME                                                   AGE       REQUESTOR                 CONDITION
+node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ   18s       system:bootstrap:878f07   Pending
+
+$ kubectl certificate approve node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ
+certificatesigningrequest "node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ" approved
+
+$ kubectl get csr
+NAME                                                   AGE       REQUESTOR                 CONDITION
+node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ   1m        system:bootstrap:878f07   Approved,Issued
+```
+
+Only after `kubectl certificate approve` has been run, `kubeadm join` can proceed.
+
+#### Turning off public access to the cluster-info ConfigMap
+
+In order to achieve the joining flow using the token as the only piece of validation information, a
+ ConfigMap with some data needed for validation of the master's identity is exposed publicly by
+default. While there is no private data in this ConfigMap, some users might wish to turn
+it off regardless. Doing so will disable the ability to use the `--discovery-token` flag of the
+`kubeadm join` flow. Here are the steps to do so:
+
+* Fetch the `cluster-info` file from the API Server:
+
+```console
+$ kubectl -n kube-public get cm cluster-info -o yaml | grep "kubeconfig:" -A11 | grep "apiVersion" -A10 | sed "s/    //" | tee cluster-info.yaml
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: <ca-cert>
+    server: https://<ip>:<port>
+  name: ""
+contexts: []
+current-context: ""
+kind: Config
+preferences: {}
+users: []
+```
+
+* Use the `cluster-info.yaml` file as an argument to `kubeadm join --discovery-file`.
+
+* Turn off public access to the `cluster-info` ConfigMap:
+
+```console
+$ kubectl -n kube-public delete rolebinding kubeadm:bootstrap-signer-clusterinfo
+```
+
+These commands should be run after `kubeadm init` but before `kubeadm join`.
+
+### Using kubeadm join with a configuration file {#config-file}
+
+**Caution:** The config file is
+still considered alpha and may change in future versions.
+{: .caution}
+
+It's possible to configure `kubeadm join` with a configuration file instead of command
+line flags, and some more advanced features may only be available as
+configuration file options.  This file is passed in the `--config` option.
+
+```yaml
+apiVersion: kubeadm.k8s.io/v1alpha1
+kind: NodeConfiguration
+caCertPath: <path|string>
+discoveryFile: <path|string>
+discoveryToken: <string>
+discoveryTokenAPIServers:
+- <address|string>
+- <address|string>
+nodeName: <string>
+tlsBootstrapToken: <string>
+token: <string>
+discoveryTokenCACertHashes:
+- <SHA-256 hash|string>
+- <SHA-256 hash|string>
+discoveryTokenUnsafeSkipCAVerification: <bool>
+```
+{% endcapture %}
+
+{% capture whatsnext %}
+* [kubeadm init](kubeadm-init.md) to bootstrap a Kubernetes master node
+* [kubeadm token](kubeadm-token.md) to manage tokens for `kubeadm join`
+* [kubeadm reset](kubeadm-reset.md) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
+{% endcapture %}
+
+{% include templates/concept.md %}
\ No newline at end of file
diff --git a/docs/reference/setup-tools/kubeadm/kubeadm-reset.md b/docs/reference/setup-tools/kubeadm/kubeadm-reset.md
new file mode 100644
index 0000000000000..aabc331139045
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/kubeadm-reset.md
@@ -0,0 +1,31 @@
+---
+approvers:
+- mikedanese
+- luxas
+- jbeda
+title: kubeadm reset 
+---
+{% capture overview %}
+{% endcapture %}
+
+{% capture body %}
+{% include_relative generated/kubeadm_reset.md %}
+
+### External etcd clean up
+`kubeadm reset` will not delete any etcd data if external etcd is used. This means that if you run `kubeadm init` again using the same etcd endpoints, you will see state from previous clusters. 
+
+To wipe etcd data it is recommended you use a client like etcdctl, such as:
+
+```
+etcdctl del "" --prefix
+```
+
+See [etcd documentation](https://github.com/coreos/etcd/tree/master/etcdctl) for more information.
+{% endcapture %}
+
+{% capture whatsnext %}
+* [kubeadm init](kubeadm-init.md) to bootstrap a Kubernetes master node
+* [kubeadm join](kubeadm-join.md) to bootstrap a Kubernetes worker node and join it to the cluster
+{% endcapture %}
+
+{% include templates/concept.md %}
\ No newline at end of file
diff --git a/docs/reference/setup-tools/kubeadm/kubeadm-token.md b/docs/reference/setup-tools/kubeadm/kubeadm-token.md
new file mode 100644
index 0000000000000..babd2c2b6123e
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/kubeadm-token.md
@@ -0,0 +1,34 @@
+---
+approvers:
+- mikedanese
+- luxas
+- jbeda
+title: kubeadm token
+---
+{% capture overview %}
+Bootstrap tokens are used for establishing bidirectional trust between a node joining 
+the cluster and a the master node, as described in [authenticating with bootstrap tokens](/docs/admin/bootstrap-tokens/).
+
+`kubeadm-init` creates an initial token with 24h TTL. The following commands allow you to manage 
+such a token and also to create and manage new ones.
+{% endcapture %}
+
+{% capture body %}
+## kubeadm token create {#cmd-token-create}
+{% include_relative generated/kubeadm_token_create.md %}
+
+## kubeadm token delete {#cmd-token-delete}
+{% include_relative generated/kubeadm_token_delete.md %}
+
+## kubeadm token generate {#cmd-token-generate}
+{% include_relative generated/kubeadm_token_generate.md %}
+
+## kubeadm token list {#cmd-token-list}
+{% include_relative generated/kubeadm_token_list.md %}
+{% endcapture %}
+
+{% capture whatsnext %}
+* [kubeadm join](kubeadm-join.md) to bootstrap a Kubernetes worker node and join it to the cluster
+{% endcapture %}
+
+{% include templates/concept.md %}
\ No newline at end of file
diff --git a/docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md b/docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md
new file mode 100755
index 0000000000000..009bc8d71b58a
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/kubeadm-upgrade.md
@@ -0,0 +1,24 @@
+---
+approvers:
+- mikedanese
+- luxas
+- jbeda
+title: kubeadm upgrade
+---
+{% capture overview %}
+{% endcapture %}
+
+{% capture body %}
+## kubeadm upgrade plan {#cmd-upgrade-plan}
+{% include_relative generated/kubeadm_upgrade_plan.md %}
+
+## kubeadm upgrade apply  {#cmd-upgrade-apply}
+{% include_relative generated/kubeadm_upgrade_apply.md %}
+
+{% endcapture %}
+
+{% capture whatsnext %}
+* [kubeadm config](kubeadm-config.md) if you initialized your cluster using kubeadm v1.7.x or lower, to configure your cluster for `kubeadm upgrade`
+{% endcapture %}
+
+{% include templates/concept.md %}
\ No newline at end of file
diff --git a/docs/reference/setup-tools/kubeadm/kubeadm-version.md b/docs/reference/setup-tools/kubeadm/kubeadm-version.md
new file mode 100644
index 0000000000000..1395ee15ace9d
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/kubeadm-version.md
@@ -0,0 +1,15 @@
+---
+approvers:
+- mikedanese
+- luxas
+- jbeda
+title: kubeadm version 
+---
+{% capture overview %}
+{% endcapture %}
+
+{% capture body %}
+{% include_relative generated/kubeadm_version.md %}
+{% endcapture %}
+
+{% include templates/concept.md %}
\ No newline at end of file
diff --git a/docs/reference/setup-tools/kubeadm/kubeadm.md b/docs/reference/setup-tools/kubeadm/kubeadm.md
new file mode 100644
index 0000000000000..80e2b641a4726
--- /dev/null
+++ b/docs/reference/setup-tools/kubeadm/kubeadm.md
@@ -0,0 +1,21 @@
+---
+approvers:
+- mikedanese
+- luxas
+- jbeda
+title: Overview of kubeadm
+---
+Kubeadm is a tool built to provide `kubeadm init` and `kubeadm join` as best-practice “fast paths” for creating Kubernetes clusters. 
+
+kubeadm performs the actions necessary to get a minimum viable cluster up and running. By design, it cares only about bootstrapping, not about provisioning machines. Likewise, installing various nice-to-have addons, like the Kubernetes Dashboard, monitoring solutions, and cloud-specific addons, is not in scope.
+
+Instead, we expect higher-level and more tailored tooling to be built on top of kubeadm, and ideally, using kubeadm as the basis of all deployments will make it easier to create conformant clusters.
+
+## What's next
+
+* [kubeadm init](kubeadm-init.md) to bootstrap a Kubernetes master node
+* [kubeadm join](kubeadm-join.md) to bootstrap a Kubernetes worker node and join it to the cluster
+* [kubeadm upgrade](kubeadm-upgrade.md) to upgrade a Kubernetes cluster to a newer version
+* [kubeadm config](kubeadm-config.md) if you initialized your cluster using kubeadm v1.7.x or lower, to configure your cluster for `kubeadm upgrade`
+* [kubeadm token](kubeadm-token.md) to manage tokens for `kubeadm join`
+* [kubeadm reset](kubeadm-reset.md) to revert any changes made to this host by `kubeadm init` or `kubeadm join`