kubeadm init fails during the preflight validation phase when system prerequisites are not met. This safety check validates container runtime, port availability, swap status, and cgroup configuration before cluster initialization.
The preflight phase is kubeadm's safety gate that runs before cluster initialization. It validates system prerequisites including container runtime availability, port availability, swap status, cgroup configuration, and kernel module loading. The 'error execution phase preflight' error indicates at least one mandatory check failed. Each check ensures the system is in a valid state to run Kubernetes control plane and worker components. If any critical check fails (like swap being enabled or required ports being in use), kubeadm halts initialization to prevent a broken cluster state. When you see 'error execution phase preflight', the error message always includes the specific check that failed—this could be related to container runtime, port conflicts, leftover files, swap, cgroups, or kernel modules.
The error output always specifies which check failed. Look for the [ERROR ...] line:
Common patterns:
[ERROR Port-10250]: Port 10250 is in use
[ERROR DirAvailable--etc-kubernetes-manifests]: /etc/kubernetes/manifests is not empty
[ERROR CRI]: container runtime is not running
[ERROR Swap]: running with swap on is not supported
[ERROR SystemVerification]: missing required cgroups: cpusetThis tells you exactly which fix to apply first.
If you've run kubeadm init before and it failed, reset the state:
sudo kubeadm reset --forceFor a complete cleanup, also remove kubelet configuration:
sudo rm -rf /var/lib/kubelet/* /var/lib/etcd/*
sudo systemctl restart kubeletIf you want to remove all Kubernetes packages entirely:
sudo apt-get purge kubeadm kubectl kubelet kubernetes-cni kube*
sudo apt-get autoremove
sudo rm -rf ~/.kubeDisable swap immediately:
sudo swapoff -aMake the change permanent by editing /etc/fstab:
sudo nano /etc/fstabFind lines containing "swap" and add # to comment them out:
# /dev/mapper/ubuntu--vg-swap_1 none swap sw 0 0Verify swap is disabled:
free -hEnsure your container runtime is installed and running:
# For containerd
sudo systemctl start containerd
sudo systemctl enable containerd
sudo systemctl status containerd
# For Docker
sudo systemctl start docker
sudo systemctl enable docker
sudo systemctl status dockerIf using Docker with Kubernetes 1.24+, you must install the cri-dockerd adapter since dockershim was removed.
Check your Docker cgroup driver:
docker info | grep -i cgroupkubeadm defaults to 'systemd' for v1.22+, so change Docker to match. Create or edit /etc/docker/daemon.json:
{
"exec-opts": ["native.cgroupdriver=systemd"]
}Restart Docker:
sudo systemctl daemon-reload
sudo systemctl restart docker
sudo systemctl restart kubeletFor containerd, edit /etc/containerd/config.toml and set SystemdCgroup = true.
Load required kernel modules:
sudo modprobe br_netfilter
sudo modprobe overlayEnable IP forwarding and bridge iptables filtering:
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.bridge.bridge-nf-call-iptables=1
sudo sysctl -w net.bridge.bridge-nf-call-ip6tables=1Make these settings permanent in /etc/sysctl.d/k8s.conf:
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1Apply with:
sudo sysctl --systemThen retry kubeadm init:
sudo kubeadm init --pod-network-cidr=10.244.0.0/16While you can use --ignore-preflight-errors to skip specific checks (e.g., --ignore-preflight-errors='Swap,IsPrivilegedUser'), this should only be done if you fully understand the consequences.
On systems with cgroup v2 (newer Linux distributions like Ubuntu 22.04+, Fedora 33+), the cgroup structure is flatter and some checks behave differently. cgroup v2 supports swap with proper kubelet configuration, but v1 does not. Check your cgroup version with: stat -fc %T /sys/fs/cgroup/ (returns 'cgroup2fs' for v2).
When joining worker nodes with kubeadm join, similar preflight checks run. Node-join errors often relate to kubelet configuration, container runtime socket paths, or network connectivity to the control plane.
The preflight checks validate port availability for: API server (6443), kubelet (10250 on all nodes), and etcd (2379-2380 on control plane). Firewall rules may block kubeadm from detecting port usage.
For production setups, use kubeadm config files (kubeadm init --config=kubeadm-config.yaml) to specify container runtime, cgroup driver, and other parameters explicitly.
Failed to connect to server: connection refused (HTTP/2)
How to fix "HTTP/2 connection refused" error in Kubernetes
missing request for cpu in container
How to fix "missing request for cpu in container" in Kubernetes HPA
error: invalid configuration
How to fix "error: invalid configuration" in Kubernetes
etcdserver: cluster ID mismatch
How to fix "etcdserver: cluster ID mismatch" in Kubernetes
running with swap on is not supported
How to fix "running with swap on is not supported" in kubeadm