This is day 30 of my participation in the First Challenge 2022; see First Challenge 2022 for details.

Kubernetes certificate expiration

Symptoms

Installing a Kubernetes cluster with kubeadm comes with a well-known certificate issue: the client and serving certificates that kubeadm generates are valid for only 1 year (the CA certificates are valid for 10 years).

When the cluster certificates expire, the cluster stops working: kubectl commands fail with "You must be logged in to the server (Unauthorized)", or requests to the API server return an error saying the certificate has expired.

The cause is simply the expired certificates; renewing them restores the cluster.

Why does kubeadm issue client certificates valid for only 1 year?

kubeadm renews all certificates during a control-plane upgrade.

If you have no special requirements around certificate renewal and you upgrade Kubernetes regularly (less than 1 year between upgrades), kubeadm keeps the cluster up to date and reasonably secure, because every upgrade re-issues the leaf certificates.

The best practice is therefore to upgrade the cluster frequently, both for security fixes and for fresh certificates.

The solution

In practice, once a certificate has already expired you have to renew it yourself, with the kubeadm certs renew command (on kubeadm releases before v1.20 the same subcommands live under kubeadm alpha certs).

  1. Check the certificate expiration time.

    On the control-plane node, run kubeadm certs check-expiration to see when each certificate expires. In a cluster with several control-plane nodes, run it on each of them, since every node holds its own copy of the certificates.

    The output looks similar to the following:

    CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
    admin.conf                 Dec 30, 2020 23:36 UTC   364d                                    no
    apiserver                  Dec 30, 2020 23:36 UTC   364d            ca                      no
    apiserver-etcd-client      Dec 30, 2020 23:36 UTC   364d            etcd-ca                 no
    apiserver-kubelet-client   Dec 30, 2020 23:36 UTC   364d            ca                      no
    controller-manager.conf    Dec 30, 2020 23:36 UTC   364d                                    no
    etcd-healthcheck-client    Dec 30, 2020 23:36 UTC   364d            etcd-ca                 no
    etcd-peer                  Dec 30, 2020 23:36 UTC   364d            etcd-ca                 no
    etcd-server                Dec 30, 2020 23:36 UTC   364d            etcd-ca                 no
    front-proxy-client         Dec 30, 2020 23:36 UTC   364d            front-proxy-ca          no
    scheduler.conf             Dec 30, 2020 23:36 UTC   364d                                    no
    
    CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
    ca                      Dec 28, 2029 23:36 UTC   9y              no
    etcd-ca                 Dec 28, 2029 23:36 UTC   9y              no
    front-proxy-ca          Dec 28, 2029 23:36 UTC   9y              no
  2. Back up the certificates.

    To be able to recover from a failed renewal, back up the data before the key operations. Back up the /etc/kubernetes directory; it contains the private keys, so the copy must stay readable by root only:

    cp -a /etc/kubernetes /etc/kubernetes.old
    chmod 700 /etc/kubernetes.old

    If the renewal fails, restore this directory to return the cluster to its original state.
  3. Renew the certificates.

    Run kubeadm certs renew all. This re-issues every certificate in the table above from the existing CAs (the CA certificates themselves are not renewed) and rewrites admin.conf, controller-manager.conf and scheduler.conf under /etc/kubernetes, which is why the copy in step 4 must be refreshed. kubelet.conf is not in the list because kubeadm configures the kubelet to rotate its own client certificate.

  4. Update the ~/.kube/config file.

    The kubeconfig in your home directory is a stale copy of admin.conf with the old client certificate. Replace it with the renewed one; it embeds the admin client key, so keep it readable only by you (mode 644 would make it world-readable):

    mv $HOME/.kube/config $HOME/.kube/config.old
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config
    chmod 600 $HOME/.kube/config
  5. Restart the control-plane components.

    kube-apiserver, kube-controller-manager, kube-scheduler and etcd run as static pods and keep the old certificates in memory until they are restarted. Deleting their pods with kubectl does not restart them (the kubelet only recreates the mirror pod object), so restart them at the container-runtime level. With the Docker runtime:

    docker ps | grep -v pause | grep -E 'etcd|kube-scheduler|kube-controller-manager|kube-apiserver' | awk '{print $1}' | xargs -r docker restart

    On containerd-based nodes, stop the same containers with crictl and the kubelet recreates them. Afterwards, kubeadm certs check-expiration should show a fresh year of residual time and kubectl should work again.
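The whole procedure above, as an added example script that is not part of the original post or of kubeadm itself. It assumes a kubeadm control-plane node, run as root, with either Docker or containerd (crictl) as the container runtime, and it adds what this post lacks: a pre-expiry check that parses the output of kubeadm certs check-expiration so the renewal can be scheduled before anything breaks. The sample table, the function names and the --run/--check flags are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-expiry check plus the renewal procedure from this post as
# shell functions. Not kubeadm's own code. Assumes a kubeadm control-plane node,
# run as root, with docker or containerd (crictl) as the container runtime.
set -eu

# Convert a RESIDUAL TIME value as printed by `kubeadm certs check-expiration`
# ("364d", "9y", "23h", "<invalid>") into whole days; "<invalid>" means expired.
residual_days() {
    case "$1" in
        '<invalid>') printf '%s\n' '-1' ;;
        *y)          printf '%s\n' $(( ${1%y} * 365 )) ;;
        *d)          printf '%s\n' "${1%d}" ;;
        *h|*m|*s)    printf '%s\n' 0 ;;
        *)           printf 'unparseable residual time: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Read check-expiration output on stdin and print "NAME DAYS" for every entry
# (CAs included) whose residual time is below $1 days. A data row is
# NAME, "Mon DD, YYYY HH:MM UTC" (five fields), RESIDUAL TIME, so field 7 is wanted.
expiring_within() {
    limit=$1
    awk 'NF >= 7 && $1 != "CERTIFICATE" { print $1, $7 }' |
    while read -r name residual; do
        days=$(residual_days "$residual") || continue
        if [ "$days" -lt "$limit" ]; then printf '%s %s\n' "$name" "$days"; fi
    done
}

# Restart the static-pod control-plane containers at the runtime level;
# deleting their mirror pods with kubectl would not restart anything.
restart_control_plane() {
    pattern='kube-apiserver|kube-controller-manager|kube-scheduler|etcd'
    if command -v docker >/dev/null 2>&1; then
        # default `docker ps` output includes the image column, so the pause
        # sandbox containers are excluded by their image name
        docker ps | grep -v pause | grep -E "$pattern" | awk '{print $1}' | xargs -r docker restart
    else
        # containerd: `crictl ps` lists only workload containers; stopping them
        # is enough, the kubelet recreates static-pod containers on its own
        crictl ps --name "$pattern" -q | xargs -r crictl stop
    fi
}

main() {
    stamp=$(date +%Y%m%d%H%M%S)
    kubeadm certs check-expiration
    # /etc/kubernetes holds the private keys, so the backup must be root-only too
    cp -a /etc/kubernetes "/etc/kubernetes.bak-$stamp"
    chmod 700 "/etc/kubernetes.bak-$stamp"
    # re-issues every leaf certificate and rewrites the kubeconfigs in /etc/kubernetes
    kubeadm certs renew all
    mkdir -p "$HOME/.kube"
    install -m 600 /etc/kubernetes/admin.conf "$HOME/.kube/config"
    restart_control_plane
    kubeadm certs check-expiration
}

# Constructed sample of check-expiration output (a subset of the table in this
# post, with one certificate already expired and one about to expire).
SAMPLE_CHECK='CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 30, 2020 23:36 UTC   364d                                    no
apiserver                  Dec 30, 2020 23:36 UTC   364d            ca                      no
apiserver-etcd-client      Dec 29, 2020 23:36 UTC   <invalid>       etcd-ca                 no
etcd-server                Jan 05, 2021 23:36 UTC   5d              etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 28, 2029 23:36 UTC   9y              no'

case "${1:-}" in
    --run)   main ;;
    --check) expiring_within "${2:-30}" ;;   # feed check-expiration output on stdin
    *)       printf 'usage: %s --run | --check [days] < check-expiration-output\n' "$0" >&2 ;;
esac
```

Typical use is a cron job running `kubeadm certs check-expiration | sh renew-k8s-certs.sh --check 30` that alerts on any output, with `--run` reserved for a maintenance window; the explicit flag keeps an accidental invocation from touching the node.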


Reference:

Certificate Management with kubeadm (Kubernetes documentation)