Kubernetes certificate management

Amit Cohen
2 min read · Jan 6, 2023

Your cluster has been running for some time, and part of the role of a cluster admin is to check the expired cluster certificates and renew them if needed. To start, we need to check the status of the certificate.

Check Certificate Expiration

All cluster certificates live in the /etc/kubernetes/pki folder and are generated by kubeadm. If you list that folder, you should see pairs of files such as ca.crt and ca.key. The ca.crt is the cluster CA certificate that signs, and is used to verify, all the other certificates. Using kubeadm, we can run the following command to check the certificates' expiration status; kubeadm can also generate certificate keys, generate signing requests, and renew certificates for Kubernetes clusters.

kubeadm certs check-expiration (don't forget to use sudo, as it reads /etc/kubernetes/admin.conf and needs permission to do so). It lists all certificates in the cluster, including the certificates for the admin user, apiserver, etcd, and more, and for each one it shows when it expires. You will also find the certificate authorities: ca, etcd-ca, and front-proxy-ca. They are valid for 10 years. Client certificates are valid for 1 year and must be renewed yearly. Another option to view certificate expiration is with openssl, for which we execute the following:

openssl x509 -in /etc/kubernetes/pki/ca.crt -text -noout. The output shows the certificate's start date and end date, certificate details such as the signature algorithm, and the issuer. There is no need to renew the certificates manually if you regularly upgrade your cluster, as the upgrade reviews and renews the certificates automatically.

Renew certificates

If you want to renew the certificates yourself, you should do it via kubeadm. You can renew all the certificates with kubeadm certs renew all, or you can renew a specific one, for example only the etcd-server certificate. There are some certificates we don't see as files when using kubeadm certs renew, like the admin user, controller-manager, or scheduler certificates, because they are embedded in the kubeconfig files that kubeadm generated. Remember, the kubeconfig files contain client certificate data only. An example of renewing a single certificate is kubeadm certs renew apiserver (remember sudo). It will automatically renew that certificate.
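As an added example (not from the original post), here is a POSIX shell script that applies the openssl check described above to every certificate under /etc/kubernetes/pki and to the client certificates embedded in the kubeconfig files, printing the days remaining for each. It assumes openssl, base64 and GNU date are installed; the PKI_DIR and KUBECONFIGS variables and the function names are chosen here and default to kubeadm's standard paths.

```shell
#!/bin/sh
# Added example (not from the original post): report days until expiry for the
# kubeadm-managed certificates in /etc/kubernetes/pki and for the client
# certificates embedded (base64 PEM) in the kubeconfig files.
# Assumes openssl, base64 and GNU date are installed.

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
KUBECONFIGS="${KUBECONFIGS:-/etc/kubernetes/admin.conf /etc/kubernetes/controller-manager.conf /etc/kubernetes/scheduler.conf}"

# Whole days remaining for a PEM certificate read from stdin (negative = expired).
days_until_expiry_pem() {
    end=$(openssl x509 -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$end" +%s)   # GNU date parses "Jan  6 12:00:00 2024 GMT"
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Same, for a certificate file such as /etc/kubernetes/pki/apiserver.crt.
days_until_expiry() {
    days_until_expiry_pem < "$1"
}

# kubeconfig files carry the client certificate inline, so decode the first
# client-certificate-data value and check it the same way.
kubeconfig_days_until_expiry() {
    grep 'client-certificate-data:' "$1" | head -n 1 | sed 's/.*: *//' \
        | base64 -d | days_until_expiry_pem
}

# Succeeds (exit 0) when the certificate file expires within the given number of days.
expiring_within() {
    [ "$(days_until_expiry "$2")" -le "$1" ]
}

# Walk the kubeadm PKI tree (including etcd/) and the kubeconfig files.
check_all() {
    for f in "$PKI_DIR"/*.crt "$PKI_DIR"/etcd/*.crt; do
        [ -f "$f" ] || continue
        printf '%-50s %5s days\n' "$f" "$(days_until_expiry "$f")"
    done
    for k in $KUBECONFIGS; do
        [ -f "$k" ] || continue
        printf '%-50s %5s days (embedded client cert)\n' "$k" "$(kubeconfig_days_until_expiry "$k")"
    done
}

# Run as root on a control-plane node: sh check-certs.sh --check
if [ "${1:-}" = "--check" ]; then check_all; fi
```

Because the kubeconfig check decodes the embedded client certificate, it catches the admin, controller-manager and scheduler certificates that do not appear as files in the pki folder.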

Written by Amit Cohen

A product leader with exceptional skills and strategic acumen, possessing vast expertise in cloud orchestration, cloud security, and networking.
