How to renew Kubernetes certificates

Prabhin Prabharkaran Administrator
DevOps Engineer

He is a Technical professional. He is a person who loves to share tricks and tips on the Internet. He Posts what he does!


During the setup of a Kubernetes cluster, you might have seen that a folder called /etc/kubernetes/pki is created. If you look inside that folder, you can see that many certificates and keys have been created.

These certificates are used for the connections between the components of Kubernetes, such as client to server, api-server to etcd, kubelet to api-server, etc. All of these connections use TLS.

By default, when you set up a Kubernetes cluster, these certificates are created with a validity of one year, except for the Kubernetes CAs.

There are 3 CAs in Kubernetes:

  • ca
  • etcd-ca
  • front-proxy-ca

The CA is valid for 9 years, so it needs periodic renewal far less often than the other certificates. The other certificates need to be renewed once a year; otherwise, the functionality of the Kubernetes cluster will break.

Below is the command to check when certificates expire.

kubeadm alpha certs check-expiration

For Kubernetes 1.19+:

kubeadm certs check-expiration

Below is the expected output.


CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 26, 2022 08:45 UTC   364d                                    no
apiserver                  Aug 26, 2022 08:45 UTC   364d            ca                      no
apiserver-etcd-client      Aug 26, 2022 08:33 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Aug 26, 2022 08:33 UTC   364d            ca                      no
controller-manager.conf    Aug 26, 2022 08:45 UTC   364d                                    no
etcd-healthcheck-client    Aug 26, 2022 08:33 UTC   364d            etcd-ca                 no
etcd-peer                  Aug 26, 2022 08:45 UTC   364d            etcd-ca                 no
etcd-server                Aug 26, 2022 08:33 UTC   364d            etcd-ca                 no
front-proxy-client         Aug 26, 2022 08:33 UTC   364d            front-proxy-ca          no
scheduler.conf             Aug 26, 2022 08:45 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 24, 2031 08:33 UTC   9y              no
etcd-ca                 Aug 24, 2031 08:33 UTC   9y              no
front-proxy-ca          Aug 24, 2031 08:33 UTC   9y              no

Let's assume that you need to renew the etcd-server certificate and key. The kubeadm utility helps you renew the certificate.

Before renewing, it's recommended to back up the /etc/kubernetes/pki folder.

Execute the command below.

kubeadm alpha certs renew etcd-server

Expected Output

certificate for serving etcd renewed

This renews the certificate for etcd-server. To verify, you can check the timestamps of the server.crt and server.key files under the /etc/kubernetes/pki/etcd folder.

Another way to verify is to run the same expiry command:

kubeadm alpha certs check-expiration

From this, you can see that the certificate expiry date has changed.

You can do this for any of the certificates in the Kubernetes cluster, as required.

Replace the name with the certificate name:

kubeadm alpha certs renew <certificate-name>

In version 1.19+, you can remove the alpha keyword from the command, so it becomes:

kubeadm certs renew <certificate-name>

Example:

kubeadm alpha certs renew apiserver-kubelet-client
kubeadm alpha certs renew apiserver
kubeadm alpha certs renew front-proxy-client
kubeadm alpha certs renew apiserver-etcd-client
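
The check and renew steps above can be combined into a small expiry monitor. The script below is an added example, not code from the original article: it parses check-expiration output and prints a renew command for each certificate below a threshold in days. The function names (`sample_output`, `expiring_certs`, `renew_plan`) and the sample output are constructed for illustration, and it assumes the 1.19+ command form and UTC timestamps as in the output shown earlier.

```shell
#!/bin/sh
# Added example: flag entries in `kubeadm certs check-expiration` output
# that are close to expiry, and print (not run) the matching renew commands.

# Constructed sample in the layout of the check-expiration output.
sample_output() {
cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 26, 2022 08:45 UTC   364d                                    no
etcd-server                Sep 14, 2021 08:33 UTC   19d             etcd-ca                 no
front-proxy-client         Aug 27, 2021 06:33 UTC   22h             front-proxy-ca          no
scheduler.conf             Aug 20, 2021 08:45 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 24, 2031 08:33 UTC   9y              no
etcd-ca                 Aug 24, 2031 08:33 UTC   9y              no
EOF
}

# stdin: check-expiration output; $1: warning threshold in days.
# Prints "<name> <residual> <cert|ca>" for each entry below the threshold.
# Assumption: EXPIRES is printed in UTC, so RESIDUAL TIME is field 7.
expiring_certs() {
    awk -v limit="$1" '
        $1 == "CERTIFICATE" { kind = ($2 == "AUTHORITY") ? "ca" : "cert" }
        $6 != "UTC" { next }                 # headers, blank and log lines
        {
            r = $7; days = -1                # unknown or <invalid>: expired
            if (r ~ /^[0-9]+y$/)          days = (r + 0) * 365
            else if (r ~ /^[0-9]+d$/)     days = r + 0
            else if (r ~ /^[0-9]+[hms]$/) days = 0
            if (days < limit) print $1, r, kind
        }'
}

# CA entries are only reported: `kubeadm certs renew` does not renew CAs.
renew_plan() {
    expiring_certs "$1" | while read -r name residual kind; do
        if [ "$kind" = "ca" ]; then
            printf '# %s is a CA (residual: %s), rotate it manually\n' "$name" "$residual"
        else
            printf 'kubeadm certs renew %s  # residual: %s\n' "$name" "$residual"
        fi
    done
}

# On a control-plane node: kubeadm certs check-expiration | renew_plan 30
sample_output | renew_plan 30
```
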
