Renewing Kubernetes Certificates

We can use the kubeadm certs check-expiration command to verify the expiry date of all certificates used in the K8s cluster.

Last login: Tue Oct 11 22:58:56 2022 from 172.25.11.254
[pradeep@kubernetes-cluster-1 ~]$ sudo kubeadm certs check-expiration
[sudo] password for pradeep: 
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 01, 2023 06:05 UTC   323d                                    no
apiserver                  Sep 01, 2023 06:05 UTC   323d            ca                      no
apiserver-etcd-client      Sep 01, 2023 06:05 UTC   323d            etcd-ca                 no
apiserver-kubelet-client   Sep 01, 2023 06:05 UTC   323d            ca                      no
controller-manager.conf    Sep 01, 2023 06:05 UTC   323d                                    no
etcd-healthcheck-client    Sep 01, 2023 06:05 UTC   323d            etcd-ca                 no
etcd-peer                  Sep 01, 2023 06:05 UTC   323d            etcd-ca                 no
etcd-server                Sep 01, 2023 06:05 UTC   323d            etcd-ca                 no
front-proxy-client         Sep 01, 2023 06:05 UTC   323d            front-proxy-ca          no
scheduler.conf             Sep 01, 2023 06:05 UTC   323d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 29, 2032 06:02 UTC   9y              no
etcd-ca                 Aug 29, 2032 06:02 UTC   9y              no
front-proxy-ca          Aug 29, 2032 06:02 UTC   9y              no
[pradeep@kubernetes-cluster-1 ~]$ 

[pradeep@desktop ~]$ ssh 172.25.11.44
Warning: Permanently added '172.25.11.44' (ECDSA) to the list of known hosts.
pradeep@172.25.11.44's password: 
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Wed Oct 12 03:45:03 2022 from 172.25.11.254
[pradeep@kubernetes-cluster-2 ~]$ sudo kubeadm certs check-expiration
[sudo] password for pradeep: 
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 01, 2023 06:24 UTC   323d                                    no
apiserver                  Sep 01, 2023 06:24 UTC   323d            ca                      no
apiserver-etcd-client      Sep 01, 2023 06:24 UTC   323d            etcd-ca                 no
apiserver-kubelet-client   Sep 01, 2023 06:24 UTC   323d            ca                      no
controller-manager.conf    Sep 01, 2023 06:24 UTC   323d                                    no
etcd-healthcheck-client    Sep 01, 2023 06:24 UTC   323d            etcd-ca                 no
etcd-peer                  Sep 01, 2023 06:24 UTC   323d            etcd-ca                 no
etcd-server                Sep 01, 2023 06:24 UTC   323d            etcd-ca                 no
front-proxy-client         Sep 01, 2023 06:24 UTC   323d            front-proxy-ca          no
scheduler.conf             Sep 01, 2023 06:24 UTC   323d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 06, 2031 17:21 UTC   8y              no
etcd-ca                 Sep 06, 2031 17:21 UTC   8y              no
front-proxy-ca          Sep 06, 2031 17:21 UTC   8y              no
[pradeep@kubernetes-cluster-2 ~]$

We can renew the certificates using the kubeadm certs renew command.

[pradeep@kubernetes-cluster-2 ~]$ sudo kubeadm certs renew -h
This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm certs renew [flags]
  kubeadm certs renew [command]

Available Commands:
  admin.conf                 Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
  all                        Renew all available certificates
  apiserver                  Renew the certificate for serving the Kubernetes API
  apiserver-etcd-client      Renew the certificate the apiserver uses to access etcd
  apiserver-kubelet-client   Renew the certificate for the API server to connect to kubelet
  controller-manager.conf    Renew the certificate embedded in the kubeconfig file for the controller manager to use
  etcd-healthcheck-client    Renew the certificate for liveness probes to healthcheck etcd
  etcd-peer                  Renew the certificate for etcd nodes to communicate with each other
  etcd-server                Renew the certificate for serving etcd
  front-proxy-client         Renew the certificate for the front proxy client
  scheduler.conf             Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Flags:
  -h, --help   help for renew

Global Flags:
      --add-dir-header             If true, adds the file directory to the header of the log messages
      --log-file string            If non-empty, use this log file
      --log-file-max-size uint     Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one-output                 If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --rootfs string              [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers               If true, avoid header prefixes in the log messages
      --skip-log-headers           If true, avoid headers when opening log files
  -v, --v Level                    number for the log level verbosity

Use "kubeadm certs renew [command] --help" for more information about a command.
[pradeep@kubernetes-cluster-2 ~]$ 

Let us renew all certificates now.

[pradeep@kubernetes-cluster-2 ~]$ sudo kubeadm certs renew all 
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
[pradeep@kubernetes-cluster-2 ~]$ sudo kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 12, 2023 11:33 UTC   364d                                    no
apiserver                  Oct 12, 2023 11:33 UTC   364d            ca                      no
apiserver-etcd-client      Oct 12, 2023 11:33 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Oct 12, 2023 11:33 UTC   364d            ca                      no
controller-manager.conf    Oct 12, 2023 11:33 UTC   364d                                    no
etcd-healthcheck-client    Oct 12, 2023 11:33 UTC   364d            etcd-ca                 no
etcd-peer                  Oct 12, 2023 11:33 UTC   364d            etcd-ca                 no
etcd-server                Oct 12, 2023 11:33 UTC   364d            etcd-ca                 no
front-proxy-client         Oct 12, 2023 11:33 UTC   364d            front-proxy-ca          no
scheduler.conf             Oct 12, 2023 11:33 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 06, 2031 17:21 UTC   8y              no
etcd-ca                 Sep 06, 2031 17:21 UTC   8y              no
front-proxy-ca          Sep 06, 2031 17:21 UTC   8y              no

We can see that all certificates are renewed for a year from today: the expiry date has changed from Sep 01, 2023 06:24 UTC to Oct 12, 2023 11:33 UTC. Note two things in the output above: the CA certificates themselves are untouched by renew all (they still expire in 2031), and the renewed files are only picked up once kube-apiserver, kube-controller-manager, kube-scheduler and etcd have been restarted, as the renew command reminds us.
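Because the leaf certificates only live a year, the check above is worth running on a schedule rather than by hand. The following POSIX shell script is an added example, not part of the original post or of kubeadm: it converts the RESIDUAL TIME column of kubeadm certs check-expiration to days and flags anything closer to expiry than a threshold. The sample output is constructed to mirror the second node before renewal; the two extra rows (23h, and <invalid>, which is assumed here to be what kubeadm prints for an already expired certificate) are invented to exercise the edge cases.

```shell
#!/bin/sh
# Constructed sample of `kubeadm certs check-expiration` output: the post's second node before
# renewal, plus two invented rows for edge cases (under a day left; <invalid>, i.e. already expired).
SAMPLE_OUTPUT=$(cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 01, 2023 06:24 UTC   323d                                    no
apiserver                  Sep 01, 2023 06:24 UTC   323d            ca                      no
etcd-peer                  Oct 13, 2022 09:00 UTC   23h             etcd-ca                 no
front-proxy-client         Oct 10, 2022 09:00 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 06, 2031 17:21 UTC   8y              no
EOF
)

# RESIDUAL TIME token (323d, 8y, 23h, <invalid>) to whole days: under a day = 0, expired = -1.
residual_to_days() {
  case "$1" in
    *y) printf '%s\n' $(( ${1%y} * 365 )) ;;
    *d) printf '%s\n' "${1%d}" ;;
    *h|*m|*s) printf '%s\n' 0 ;;
    *) printf '%s\n' -1 ;;   # <invalid> or an unknown token: treat as needing attention now
  esac
}

# Read check-expiration output on stdin; print "NAME DAYS" for each certificate or CA with
# fewer than THRESHOLD days left. Headers, blank lines and "[check-expiration]" chatter are
# skipped; the residual is always the 7th token because the date occupies five tokens.
expiring_within() {
  threshold="$1"
  while read -r name _mon _day _year _time _tz residual _rest; do
    case "$name" in ''|'['*|CERTIFICATE) continue ;; esac
    days=$(residual_to_days "$residual")
    if [ "$days" -lt "$threshold" ]; then
      printf '%s %s\n' "$name" "$days"
    fi
  done
}

# Monitoring wrapper: exits 1 when anything is inside the threshold, so it can run from cron.
# On a control-plane node: sudo kubeadm certs check-expiration | cert_alert 30
cert_alert() {
  found=$(expiring_within "$1")
  if [ -n "$found" ]; then
    printf 'WARNING: within %s days of expiry:\n%s\n' "$1" "$found"
    return 1
  fi
  printf 'OK: nothing within %s days of expiry\n' "$1"
}
```

On the constructed sample, cert_alert 30 reports etcd-peer (0 days) and front-proxy-client (-1) and exits non-zero; on a real node the CA rows are checked too, which matters because renew all leaves them alone.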