Regarding the Kubelet certificate renewal, the documentation says:
Note: kubelet.conf is not included in the list above because kubeadm configures kubelet for automatic certificate renewal.
I've just run through the kubeadm upgrade process (from 1.14.2 to 1.15.0) and I don't see that my kubelet certificate was rotated (it still shows the old date, which expires in under 1 month from now, rather than a year out.)
Some extra guidance in the documentation regarding how to get this certificate rotated when managing by kubeadm would be of great help.
Since kubeadm alpha certs check-expiration doesn't include the kubelet, I'm using the following command to review the expiration:
echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout | grep Not
the client certificate for the kubelet should automatically rotate for you.
this is managed by a specific certificate manager created inside the kubelet and kubeadm makes sure to enable this feature for you.
AFAIK, the decision on when to rotate the certificate is non-deterministic and it may happen 70 - 90% of the total lifespan of the certificate to prevent overlap on node cert rotations. 1 month before expiration seems odd, so if you find a bug make sure you log an issue in kubernetes/kubernetes and tag /sig node auth
if you wish to force the kubelet client certificate rotation you can try:
sudo mv /var/lib/kubelet/pki /var/lib/kubelet/pki-backup
sudo systemctl restart kubelet
# the pki folder should be re-created.
Thanks @neolit123. I was expecting it to rotate on update or restart of the kubelet, but since that's not the case I've manually performed the restart after deleting the pki folder and it now reports having an updated certificate. I'll close this issue. If it doesn't update in the future, I'll know there's a bug.
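An added example (not from this thread or the Kubernetes project): a script that reads the certificate files under /var/lib/kubelet/pki and reports how far each one is through its validity period, using the 70 - 90% rotation window quoted in the reply above as thresholds. It assumes openssl and GNU date on the node, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: how much of each kubelet certificate's lifetime has elapsed.
# The 70 and 90 thresholds are the window quoted in the reply above (an
# assumption here, not checked against kubelet source). Needs openssl, GNU date.
PKI_DIR="${PKI_DIR:-/var/lib/kubelet/pki}"   # directory named in the thread

# lifetime_pct NOT_BEFORE NOT_AFTER NOW (epoch seconds) -> integer percent used
lifetime_pct() {
  local start="$1" end="$2" now="$3"
  if [ "$end" -le "$start" ]; then echo invalid; return 1; fi
  if [ "$now" -le "$start" ]; then echo 0; return 0; fi
  if [ "$now" -ge "$end" ]; then echo 100; return 0; fi
  echo $(( (now - start) * 100 / (end - start) ))
}

# rotation_status PCT -> ok | rotation-window | overdue | expired
rotation_status() {
  if   [ "$1" -ge 100 ]; then echo expired
  elif [ "$1" -gt 90 ];  then echo overdue
  elif [ "$1" -ge 70 ];  then echo rotation-window
  else echo ok
  fi
}

# check_cert_file FILE -> one report line for the first certificate in FILE
check_cert_file() {
  local file="$1" nb na start end pct
  nb=$(openssl x509 -in "$file" -noout -startdate 2>/dev/null | cut -d= -f2)
  na=$(openssl x509 -in "$file" -noout -enddate 2>/dev/null | cut -d= -f2)
  [ -n "$nb" ] && [ -n "$na" ] || return 1
  start=$(date -d "$nb" +%s) || return 1
  end=$(date -d "$na" +%s) || return 1
  pct=$(lifetime_pct "$start" "$end" "$(date +%s)") || return 1
  printf '%s notAfter="%s" used=%s%% %s\n' \
    "$file" "$na" "$pct" "$(rotation_status "$pct")"
}

# Report on every .pem/.crt file present; files without a certificate are noted.
if [ -d "$PKI_DIR" ]; then
  for f in "$PKI_DIR"/*.pem "$PKI_DIR"/*.crt; do
    [ -f "$f" ] || continue
    check_cert_file "$f" || echo "$f: no certificate found"
  done
fi
```

A one-year certificate with 30 days left comes out at 91% used and is reported as overdue, which is the situation described in the original report.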