Forcibly renewing apiserver.crt, admin.conf, etc. certs; along with kubelet PEM (and restricting lifetime/duration) #1826
Comments
the kubeadm certificate lifespan is not linked to --experimental-cluster-signing-duration. you can still rotate the kubeadm certs on any period of time you prefer, but the value of 1 year cannot be changed (by design). i do not recommend using --experimental-cluster-signing-duration here; once this period expires you need to rotate the cluster CA, which isn't an easy task, especially if you have workloads.
the only way for this to happen is for the cluster operator (kubeadm user) to rotate the kubeadm certificates using the renew command.
as pointed out, you can rotate the kubeadm-originated certificates on any period of time using the renew command; you don't have to upgrade. see https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#automatic-certificate-renewal . this is by design and not a kubeadm bug. please feel free to continue the discussion if you want.
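As a concrete sketch of that workflow (these are the same commands used later in this issue; on a 1.15-era cluster they live under the alpha subcommand, and newer kubeadm releases drop the alpha prefix):

# renew every kubeadm-managed certificate, independent of any cluster upgrade
sudo kubeadm alpha certs renew all
# confirm the new expiry dates
sudo kubeadm alpha certs check-expiration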
@neolit123: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@neolit123 Thank you for the clarification and help. The only outstanding question that comes to mind is why the base64-encoded x509 data in /etc/kubernetes/admin.conf still shows the old validity dates.
the certificate-authority-data field in admin.conf embeds the cluster CA certificate, which the renew command does not rotate; only the leaf certificates (such as the embedded client certificate) are renewed.
@neolit123 Lastly, am I correct in assuming that, at least for this release, the kubeadm certificates are only rotated automatically as part of an upgrade?
I'll investigate that now and follow up here (and with another issue/ticket if there's a problem).
1.15 is still in the support skew, but maybe we merged fixes for this in a later release.
kubeadm certs are only auto-rotated on upgrade, but that's still a manual trigger, so either way you are going to need a job to run periodically.
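A minimal sketch of such a job, assuming root cron is available on the control-plane node (the schedule and file name below are placeholders, not anything kubeadm ships):

# /etc/cron.d/kubeadm-cert-renew  (hypothetical file; runs weekly, Sunday 03:00, as root)
0 3 * * 0 root kubeadm alpha certs renew all >> /var/log/kubeadm-cert-renew.log 2>&1

The control-plane components still need to be restarted afterwards to pick up the renewed certificates, which is what the rest of this thread discusses.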
Excellent. Thanks!
@neolit123 I stand corrected.
great. thanks for confirming.
@neolit123 Another question on the topic: do the services that use these certs (i.e. the control-plane components running as static pods) need to be restarted to pick up the renewed certificates? Thank you.
the certificate rotation is important on control-plane nodes. an alternative approach would be:
# temp move all static pod manifests
mv /etc/kubernetes/manifests/ /etc/kubernetes/manifests-backup
sleep 20 # enough time for the kubelet to find there are no static pods
# bring them back
mv /etc/kubernetes/manifests-backup/ /etc/kubernetes/manifests
# verify everything comes back after a while
watch kubectl get po -A
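To verify the restarted kube-apiserver is actually serving a renewed certificate, one option (a sketch, assuming the API server listens on the default 127.0.0.1:6443) is to inspect the serving certificate over the wire:

# print the validity window of the certificate the API server is currently serving
echo | openssl s_client -connect 127.0.0.1:6443 2>/dev/null | openssl x509 -noout -dates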
@neolit123 Last question on the topic: would it be reasonable to expect the certificate duration/lifetime to be made configurable? Thank you.
the constant you want to change is here:
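As a rough pointer (the constant name and path below are assumptions based on the kubeadm source layout, not taken from this thread), the hard-coded one-year duration can be located in a kubernetes source checkout with something like:

# search the kubeadm source for the certificate validity constant (names are assumptions)
grep -rn "CertificateValidity" cmd/kubeadm/app/constants/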
Good day,
When the static pods are brought down in this manner (i.e. to rotate the certs), does it necessarily take out other pods, deployments, services, etc. in the rest of the cluster, assuming a single-master-multi-node cluster (i.e. does it terminate and drain all running K8S pods), or does the cluster just keep churning along until the static pods come back up on the master (provided health checks or other conditions don't take out the non-static pods)? I can test this out myself, but I need to confirm the intended/documented behavior.
Lastly, would it be practical/viable to have this restart handled automatically as part of the renewal?
Thank you.
restarting the control-plane components' static pods should not affect the rest of the pods and services in the cluster, but there could be some minimal downtime until the control plane is fully restarted. that is why it is recommended to do upgrades and/or certificate rotation during a maintenance window.
our certificate rotation documentation is here: https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/ . we even lack the restart recommendation in the "Manual certificate renewal" section. there are some other details too:
for the kubelet.conf, see the note about it in the above link:
@neolit123 Good day. I raised a topic related to this one. Does your schedule permit me to ping you for help/feedback on it this week? Thank you.
hi, i will respond to the new ticket.
Is this a request for help?
Yes.
What keywords did you search in kubeadm issues before filing this one?
Is this a BUG REPORT or FEATURE REQUEST?
Choose one: BUG REPORT or FEATURE REQUEST
Versions
1.15.4-00
Environment:
1.15.4-00
5.0.0-29-generic
What happened?
I configured the kube-controller-manager static pod to use the --experimental-cluster-signing-duration run-time flag to force certs to expire every 15 minutes instead of every 365 days.
sudo cat /etc/kubernetes/manifests/kube-controller-manager.yaml | grep -B20 -A5 duration
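A narrower check of just the flag in question (a sketch; the 15m value matches the 15-minute lifetime described above, and the exact formatting inside the manifest may differ):

# confirm the signing-duration flag is set in the controller-manager manifest
sudo grep -- '--experimental-cluster-signing-duration' /etc/kubernetes/manifests/kube-controller-manager.yaml
# expected to show a line similar to:  - --experimental-cluster-signing-duration=15m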
I then re-create the kubelet PEM cert on the master and all nodes (or I can wait for the existing certs to expire; the PEM rotation/updates work either way). I can confirm that the PEM cert has been updated: by polling via the following command, I see that it is updated periodically on the master and nodes:
sudo openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text | grep -A2 "Validity"
However, other certs (e.g. the API server cert, and basically all the certs in /etc/kubernetes/pki on the master) have two issues. First, they appear to remain unchanged. This is confirmed via:
sudo openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep -A2 "Validity"
...and:
sudo kubeadm alpha certs check-expiration
Second, config files (e.g. /etc/kubernetes/admin.conf) also appear to be referring to out-of-date certs:
sudo cat /etc/kubernetes/admin.conf | grep "certificate-authority-data" | cut -d ':' -f2- | sed "s/^\s\+//g" | base64 -d | openssl x509 -noout -text -in - | grep -A2 "Validity"
However, the certs don't get (forcibly) updated. So, I execute the following:
sudo kubeadm alpha certs renew all
Now, checking again:
sudo kubeadm alpha certs check-expiration
The certs are updated, but the duration/lifetime is still a year rather than 15 minutes. Additionally, it appears that /etc/kubernetes/admin.conf is not updated at all:
sudo cat /etc/kubernetes/admin.conf | grep "certificate-authority-data" | cut -d ':' -f2- | sed "s/^\s\+//g" | base64 -d | openssl x509 -noout -text -in - | grep -A2 "Validity"
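Worth noting: the certificate-authority-data field decoded above holds the cluster CA certificate, which kubeadm alpha certs renew is not expected to rotate; the admin client certificate is embedded in a separate field. A sketch of the same check against that field, assuming the default admin.conf layout:

# decode the embedded admin client certificate and show its validity window
sudo grep "client-certificate-data" /etc/kubernetes/admin.conf | cut -d ':' -f2- | tr -d ' ' | base64 -d | openssl x509 -noout -text | grep -A2 "Validity"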
What you expected to happen?
The /etc/kubernetes/pki/ certs would be updated (good so far), and would have a 15-minute lifetime (didn't happen; is --experimental-cluster-signing-duration expected to impact the config files and certs, or just the PEM file used by kubelet?).
Config files (e.g. /etc/kubernetes/admin.conf) would be (forcibly) updated to reflect new certificates being generated.
How to reproduce it (as minimally and precisely as possible)?
CLI examples provided above.
Anything else we need to know?
I'm attempting to implement a recurring job that will execute either once every 2 hours, or once every week, for a set of isolated kubeadm-based bare-metal and VM-based clusters on air-gapped private networks, being used by teams of students. I need to be able to forcibly update all the certificates periodically (i.e. much more frequently than once per year) for some labs. Since these machines have no internet access, relying on the upgrade option to automatically handle cert renewal is not practical/viable. However, I'm now concerned that both manually and automatically driven certificate updates might not update the config files and the /etc/kubernetes/pki/ certs (and I would like to be able to forcibly update them, and reduce their duration/lifetime like the PEM files, to confirm all certs are updated as expected).
Thank you for your time and assistance.
References:
<https://github.com/kubernetes/website/issues/15292>, last accessed 2019-10-08.
<https://github.com/kubernetes/kubeadm/issues/1361>, last accessed 2019-10-08.
<https://github.com/kubernetes/kubernetes/issues/65991>, last accessed 2019-10-08.