
Renewing certificates on a Kubernetes cluster installed with kubeadm

Certificate renewal for a kubeadm deployment

1.1 Back up the original certificates

cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak

1.2 Back up the original configuration files

for f in /etc/kubernetes/*.conf; do cp -p "$f" "$f-old"; done

1.3 First check the expiration time of the kubeadm client certificates

kubeadm alpha certs check-expiration


1.4 Renew the cluster certificates:

kubeadm alpha certs renew all --config=/root/kubeadm.conf


1.5 Replace the old config file

cp -f /etc/kubernetes/admin.conf ~/.kube/config

1.6 Configure kube-controller-manager to issue certificates automatically

[root@k8s-master ~]# vim /etc/kubernetes/manifests/kube-controller-manager.yaml
  - command:
    - kube-controller-manager
    - --experimental-cluster-signing-duration=87600h0m0s #10 years
    - --feature-gates=RotateKubeletServerCertificate=true

1.7 Restart kube-controller-manager Pod and api-server Pod


1.8 Enable kubelet to automatically rotate certificates

By default kubelet certificate rotation is enabled:


Test on a node: first check the validity period of the existing client certificate


Restart the kubelet component; it verifies the validity period of its current certificate and automatically renews it from kube-controller-manager
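
The expiry checks in steps 1.3 to 1.5 can also be done with openssl alone, which gives an exit code usable from cron or CI. The script below is an added example, not part of the original post; it assumes the default kubeadm layout under /etc/kubernetes, and the function names and 30-day window are illustrative.

```bash
#!/usr/bin/env bash
# Added example: classify kubeadm-managed certificates by remaining validity.
# Assumptions: default kubeadm layout under /etc/kubernetes; function names
# and the 30-day warning window are illustrative.

# pem_status WARN_DAYS  (PEM on stdin) -> OK | EXPIRING | EXPIRED | UNREADABLE
pem_status() {
  local warn_days="$1" pem
  pem=$(cat)
  if ! printf '%s\n' "$pem" | openssl x509 -noout 2>/dev/null; then
    echo UNREADABLE
  elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
    echo EXPIRED
  elif ! printf '%s\n' "$pem" |
         openssl x509 -noout -checkend "$((warn_days * 86400))" >/dev/null; then
    echo EXPIRING
  else
    echo OK
  fi
}

# kubeconfig_cert FILE -> PEM of the first embedded client certificate.
# admin.conf, controller-manager.conf and scheduler.conf carry it base64-encoded.
kubeconfig_cert() {
  awk '$1 == "client-certificate-data:" { print $2; exit }' "$1" | base64 -d
}

# scan_kubeadm_certs [DIR] [WARN_DAYS]: one line per certificate;
# returns 1 if anything is not OK, so it can gate a cron job or CI step.
scan_kubeadm_certs() {
  local dir="${1:-/etc/kubernetes}" warn_days="${2:-30}" f status rc=0
  for f in "$dir"/pki/*.crt "$dir"/pki/etcd/*.crt "$dir"/*.conf; do
    [ -f "$f" ] || continue
    case "$f" in
      *.conf)
        # kubeconfigs that only reference a certificate file are skipped
        grep -q 'client-certificate-data:' "$f" || continue
        status=$(kubeconfig_cert "$f" | pem_status "$warn_days") ;;
      *)
        status=$(pem_status "$warn_days" < "$f") ;;
    esac
    printf '%-10s %s\n' "$status" "$f"
    [ "$status" = OK ] || rc=1
  done
  return "$rc"
}

# On a control-plane node: scan_kubeadm_certs /etc/kubernetes 30
```

On a worker node the same function covers the kubelet check in 1.8: pem_status 30 < /var/lib/kubelet/pki/kubelet-client-current.pem (the default kubelet path, assumed here).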

