Kubernetes > Renew TLS certificates with kubeadm
Prerequisite: Some basics of kubeadm, HTTPS, SSL, TLS
TLS certificates are installed for the components of the Kubernetes system to ensure secure communication. TLS stands for Transport Layer Security.
In a k8s cluster launched or bootstrapped by kubeadm, most of the TLS certificates, with extension .crt, are stored in the /etc/kubernetes/pki directory. PKI stands for Public Key Infrastructure.
networkandcode@k8s-master:~$ ls /etc/kubernetes/pki/
apiserver-etcd-client.crt  apiserver-kubelet-client.crt  apiserver.crt  ca.crt  etcd                front-proxy-ca.key      front-proxy-client.key  sa.pub
apiserver-etcd-client.key  apiserver-kubelet-client.key  apiserver.key  ca.key  front-proxy-ca.crt  front-proxy-client.crt  sa.key
TLS certificates for the etcd cluster are stored in the etcd directory.
etcd is a key-value style data store for the cluster.
networkandcode@k8s-master:~$ ls /etc/kubernetes/pki/etcd
ca.crt  ca.key  healthcheck-client.crt  healthcheck-client.key  peer.crt  peer.key  server.crt  server.key
A few other TLS certificates are embedded in the kubeconfig files with extension .conf, located in /etc/kubernetes.
networkandcode@k8s-master:~$ ls /etc/kubernetes/*.conf
/etc/kubernetes/admin.conf  /etc/kubernetes/controller-manager.conf  /etc/kubernetes/kubelet.conf  /etc/kubernetes/scheduler.conf
Let's view the list of TLS certificates and their expiry info.
This list wouldn't contain kubelet.conf, because kubeadm configures the kubelet for automatic certificate renewal, so the TLS certificate embedded in kubelet.conf doesn't need manual renewal. The default lifetime of the TLS certificates generated by kubeadm is 365 days, i.e. 1 year.
networkandcode@k8s-master:~$ sudo kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Aug 08, 2020 03:54 UTC   347d            no
apiserver                  Aug 08, 2020 03:54 UTC   347d            no
apiserver-etcd-client      Aug 08, 2020 03:54 UTC   347d            no
apiserver-kubelet-client   Aug 08, 2020 03:54 UTC   347d            no
controller-manager.conf    Aug 08, 2020 03:54 UTC   347d            no
etcd-healthcheck-client    Aug 08, 2020 03:54 UTC   347d            no
etcd-peer                  Aug 08, 2020 03:54 UTC   347d            no
etcd-server                Aug 08, 2020 03:54 UTC   347d            no
front-proxy-client         Aug 08, 2020 03:54 UTC   347d            no
scheduler.conf             Aug 08, 2020 03:54 UTC   347d            no
All the TLS certificates are renewed automatically when the cluster is upgraded using kubeadm. We may also manually renew TLS certificates at any time by issuing the following command on each of the masters. We could either renew a specific certificate by mentioning its name after 'certs renew', or renew all the certificates using the keyword 'all', as follows.
networkandcode@k8s-master:~$ sudo kubeadm alpha certs renew all
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Let's check the certificate expiry info again.
networkandcode@k8s-master:~$ sudo kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Aug 25, 2020 12:53 UTC   364d            no
apiserver                  Aug 25, 2020 12:53 UTC   364d            no
apiserver-etcd-client      Aug 25, 2020 12:53 UTC   364d            no
apiserver-kubelet-client   Aug 25, 2020 12:53 UTC   364d            no
controller-manager.conf    Aug 25, 2020 12:53 UTC   364d            no
etcd-healthcheck-client    Aug 25, 2020 12:53 UTC   364d            no
etcd-peer                  Aug 25, 2020 12:53 UTC   364d            no
etcd-server                Aug 25, 2020 12:53 UTC   364d            no
front-proxy-client         Aug 25, 2020 12:53 UTC   364d            no
scheduler.conf             Aug 25, 2020 12:53 UTC   364d            no