kubelet certificate auto renew #2489
Comments
Hi @mrcule. If you are running a multi node cluster, you will have to remove and join back in the node.
@mrcule, some additional info on the kubelet certificate. Auto renewal (certificate rotation for the Kubelet) is not enabled by default in MicroK8s. To turn this on you will need to follow the instructions in [1]. To check the expiration date of the certificate
[1] https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/
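One way to check a certificate's expiry and whether the `--rotate-certificates` flag asked about in this thread is present in a kubelet args file, as an added example that is not part of the original comments or MicroK8s's own tooling. The function names are hypothetical, the certificate and args-file paths are supplied by the caller, and `make_sample_cert` only builds a constructed throwaway certificate for trying the checks offline.

```shell
#!/bin/sh
# Added example: report certificate expiry and the rotation flag in an args file.
# Paths are passed in by the caller; function names are illustrative only.

# Print the certificate's notAfter date.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Succeed only if the certificate is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed if the args file carries --rotate-certificates
# (bare flag or =true); commented-out lines do not count.
rotation_flag_set() {
    grep -Eq '^[[:space:]]*--rotate-certificates(=true)?[[:space:]]*$' "$1"
}

# Summarise one certificate plus args file; returns 1 when renewal is due.
report() {
    cert=$1; args=$2; warn_days=${3:-30}
    printf 'expires: %s\n' "$(cert_not_after "$cert")"
    if rotation_flag_set "$args"; then
        echo 'rotation flag: present'
    else
        echo 'rotation flag: absent'
    fi
    if cert_valid_for_days "$cert" "$warn_days"; then
        echo "status: ok (more than $warn_days days left)"
    else
        echo "status: renew (expires within $warn_days days)"
        return 1
    fi
}

# Constructed sample input: a throwaway self-signed cert valid for $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=constructed-sample' \
        -days "$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Run as a script: check.sh <cert.pem> <kubelet-args-file> [warn_days]
if [ "$#" -ge 2 ]; then report "$@"; fi
```

The non-zero exit from `report` makes it usable from cron or a monitoring probe to flag a certificate before it expires.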
Hi @balchua @ktsakalozos.
@ktsakalozos, just tried to remove Then I tried to run
I think I'm seeing this issue, the certificate on port the I see the error in metrics server because of this
The file doesn't appear to be created when deleted.
Until I deleted both the cert and the key and then restarted microk8s, and the problem was solved.
+1 I have a running multi-node cluster with an expired kubelet.crt too. I want to know: if I recreate this cert manually, will the running pods get interrupted? Additional questions: I have found that And, if I refresh them by running
Hi @PRNDA, Which MicroK8s version are you using? If you are using MicroK8s 1.22 or newer no workloads will be affected by rotating certificates. The certificates you mentioned are used for:
You can refresh
I'm using microk8s v1.23.16, thank you very much for your detailed explanation.
Nope, no such need. The refresh certs command will generate the new certificates and restart the affected control plane services, without affecting workloads.
I just read the refs: microk8s refresh-certs command doc I quoted it here:
Hmm, interesting. OK, that note in the documentation does not look correct to me. I will make sure to double check and update it accordingly.
OK.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Hi all, I found that kubelet.crt will expire after 1 year. Is the kubelet.crt automatically rotated? Do I need to add `--rotate-certificates` in `/var/snap/microk8s/current/args/kubelet` [1]? What happens if it expires?
Also, is it possible to check when certificates expire [2]?
Thank you.
[1] : https://kubernetes.io/docs/tasks/tls/certificate-rotation/#enabling-client-certificate-rotation
[2] : https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#check-certificate-expiration