Improvement for k8s.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/ #15292
Comments
|
the client certificate for the kubelet should automatically rotate for you. this is managed by a specific certificate manager created inside the kubelet and kubeadm makes sure to enable this feature for you. AFAIK, the decision on when to rotate the certificate is non-deterministic and it may happen 70 - 90% of the total lifespan of the certificate to prevent overlap on node cert rotations. 1 month before expiration seems odd, so if you find a bug make sure you log an issue in kubernetes/kubernetes and tag if you wish to force the kubelet client certificate rotation you can try: xref kubernetes/kubernetes#65991 cc @jimangel @fabriziopandini |
k8s-ci-robot
added
the
sig/cluster-lifecycle
|
Thanks @neolit123. I was expecting it to rotate on update or restart of the kubelet, but since that's not the case I've manually performed the restart after deleting the pki folder and it now reports having an updated certificate. I'll close this issue. If it doesn't update in the future, I'll know there's a bug. |
Regarding the Kubelet certificate renewal, the documentation says:
I've just run through the kubeadm upgrade process (from 1.14.2 to 1.15.0) and I don't see that my kubelet certificate was rotated (it still shows the old date, which expires in under 1 month from now, rather than a year out.)
Some extra guidance in the documentation regarding how to get this certificate rotated when managing by kubeadm would be of great help.
Since
kubeadm alpha certs check-expirationdoesn't include the kubelet, I'm using the following command to review the expiration:echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout | grep NotThe text was updated successfully, but these errors were encountered: