Renewing client certificates becomes a routine task for long-running Kubernetes clusters. This blog walks through the process of performing a manual certificate renewal. There can be several business reasons to rotate certificates manually, for example stringent compliance requirements.
For Kubernetes clusters installed with kubeadm, all the client certificates generated by kubeadm expire after 1 year. As a standard procedure, manual renewal is not usually required, because certificate rotation is performed automatically when we perform a kubeadm upgrade.
When manual certificate renewal is needed, during the last month or week of the expiry period we can use kubeadm commands to verify the certificates and renew them for the cluster. The operations team connects to a control plane node and uses the kubeadm utility to manage the certificates.
Kubeadm Cert management
Kubeadm is equipped with certificate management and renewal commands.
Kubeadm command for renewal
Config and certs backup
As a precautionary measure, it is advised to back up the Kubernetes configs and certificates before renewing anything.
Certificate Expiry Check
We can check the certificate expiry period with the following command:
The above command shows the expiration date and residual time for each client certificate. These certificates are located at /etc/kubernetes/pki on the control plane nodes of the Kubernetes cluster.
NOTE
kubelet.conf is not included in the list above because kubeadm configures the kubelet for automatic certificate renewal with rotatable certificates under /var/lib/kubelet/pki. kubeadm certs renew uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
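The post does not reproduce the table that kubeadm prints, so here is an added example (not code from the original post) of how an operations team can turn that table into an actionable check: a POSIX shell filter that reads the output of kubeadm certs check-expiration and flags every certificate whose residual time is at or below a threshold in days. The SAMPLE_OUTPUT below is constructed to look like kubeadm's table and is not output captured from a real cluster; the column layout it assumes (CERTIFICATE, EXPIRES, RESIDUAL TIME, CERTIFICATE AUTHORITY, EXTERNALLY MANAGED) is the one kubeadm prints.

```shell
#!/bin/sh
# Added example, not part of the original post: flag certificates from
# `kubeadm certs check-expiration` whose residual time is at or below a threshold.
# kubeadm prints residual time as e.g. "9y", "364d", "23h", or "<invalid>" once expired.

# expiring_certs <threshold_days>: reads the check-expiration table on stdin and
# prints "<name> <residual>" for each certificate (and CA) at or below the threshold.
expiring_certs() {
  awk -v thr="$1" '
    /^\[/ || /^CERTIFICATE/ || NF < 7 { next }   # progress lines, table headers, blanks
    {
      name = $1
      res  = $7          # EXPIRES occupies fields 2-6 ("Dec 30, 2020 23:36 UTC")
      if      (res ~ /y$/) days = substr(res, 1, length(res) - 1) * 365
      else if (res ~ /d$/) days = substr(res, 1, length(res) - 1) + 0
      else                 days = 0   # only hours/minutes left, or "<invalid>" (already expired)
      if (days <= thr) printf "%s %s\n", name, res
    }'
}

# Constructed sample in the shape of kubeadm's output (not from a real cluster).
SAMPLE_OUTPUT='[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 15, 2025 10:00 UTC   12d                                     no
apiserver                  Jan 15, 2025 10:00 UTC   12d             ca                      no
apiserver-etcd-client      Jan 15, 2025 10:00 UTC   12d             etcd-ca                 no
apiserver-kubelet-client   Jan 15, 2025 10:00 UTC   12d             ca                      no
controller-manager.conf    Dec 20, 2024 10:00 UTC   <invalid>                               no
front-proxy-client         Dec 01, 2025 10:00 UTC   331d            front-proxy-ca          no
scheduler.conf             Jan 15, 2025 10:00 UTC   12d                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 10, 2034 10:00 UTC   9y              no
etcd-ca                 Jan 10, 2034 10:00 UTC   9y              no
front-proxy-ca          Jan 10, 2034 10:00 UTC   9y              no'

# Demonstration on the constructed sample with a 30-day threshold.
printf '%s\n' "$SAMPLE_OUTPUT" | expiring_certs 30
```

On a control plane node, source the file and feed it the real table: `. ./check-expiry.sh` followed by `kubeadm certs check-expiration | expiring_certs 30`. A non-empty result is the signal to schedule the renewal described in the next section; an `<invalid>` entry means that certificate has already expired and the component using it is likely failing now.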
Implementation of manual certificate renewal
We can renew the certificates manually at any time with the kubeadm certs renew command. This command performs the renewal using the CA certificate and key stored in /etc/kubernetes/pki.
For an HA Kubernetes cluster, the kubeadm certs renew command needs to be executed on all the control-plane nodes.
Renew a single certificate
Result of the above step
Renew all certificates
Result of the above step
Post implementation steps
After running the kubeadm renew command we should restart the control plane Pods, because dynamic certificate reload is currently not supported for all components and certificates. Static Pods are managed by the local kubelet and not by the API server, so kubectl cannot be used to delete and restart them. To restart a static Pod we can temporarily remove its manifest file from /etc/kubernetes/manifests/ and wait for 20 seconds; the kubelet will terminate the Pod once it is no longer in the manifest directory. We can then move the file back, and after another fileCheckFrequency period the kubelet will recreate the Pod, at which point the certificate renewal for that component is complete.
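The backup, renewal and static Pod restart steps above form one procedure, so here is an added example (not code from the original post) that wraps them in a small POSIX shell runbook. The kubeadm invocations are real commands but are only reached through renew_all, which is meant to be run on a control plane node; the backup and restart helpers take their paths from variables so they can be exercised against a scratch directory. The 20 second wait, the /etc/kubernetes paths and the component names kube-apiserver, kube-controller-manager, kube-scheduler and etcd match kubeadm's defaults; the backup location /root/kube-backup is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: runbook for manual kubeadm
# certificate renewal on one control plane node (repeat on every control-plane
# node in an HA cluster). Paths default to kubeadm's standard locations.
set -e

KUBE_DIR="${KUBE_DIR:-/etc/kubernetes}"
MANIFEST_DIR="${MANIFEST_DIR:-$KUBE_DIR/manifests}"
FILE_CHECK_FREQUENCY="${FILE_CHECK_FREQUENCY:-20}"   # kubelet default, in seconds
BACKUP_DIR="${BACKUP_DIR:-/root/kube-backup}"         # assumed location for this example

# backup_kube_config <dest_dir>: archive configs, certificates and manifests before
# touching them, and print the archive path so it can be recorded in the change ticket.
backup_kube_config() {
  dest="$1"
  mkdir -p "$dest"
  archive="$dest/kubernetes-$(date +%Y%m%d%H%M%S).tar"
  tar -cf "$archive" -C "$(dirname "$KUBE_DIR")" "$(basename "$KUBE_DIR")"
  echo "$archive"
}

# restart_static_pod <name>: move the manifest out of the watched directory, wait one
# fileCheckFrequency period so the kubelet stops the Pod, then move it back so the
# kubelet recreates the Pod and it picks up the renewed certificate.
restart_static_pod() {
  name="$1"
  manifest="$MANIFEST_DIR/$name.yaml"
  if [ ! -f "$manifest" ]; then
    echo "no manifest for $name in $MANIFEST_DIR" >&2
    return 1
  fi
  holding=$(mktemp -d)
  mv "$manifest" "$holding/"
  sleep "$FILE_CHECK_FREQUENCY"
  mv "$holding/$name.yaml" "$manifest"
  rmdir "$holding"
}

# renew_all: the full sequence from the post: back up, renew every certificate,
# restart each control plane static Pod, then confirm the new expiry dates.
renew_all() {
  backup_kube_config "$BACKUP_DIR"
  kubeadm certs renew all
  for component in kube-apiserver kube-controller-manager kube-scheduler etcd; do
    restart_static_pod "$component"
  done
  kubeadm certs check-expiration
}

# Only run the real sequence when invoked explicitly:  sh renew-certs.sh renew
if [ "${1:-}" = "renew" ]; then
  renew_all
fi
```

Because the helpers read KUBE_DIR, MANIFEST_DIR and FILE_CHECK_FREQUENCY at call time, the same functions can be rehearsed against a throwaway directory with FILE_CHECK_FREQUENCY=0 before they are used on a real node, which is worth doing since a mistyped manifest path simply leaves the component stopped.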
Managing Kubelet certificate renewal
Kubeadm configures the kubelet with automatic rotation of client certificates by using the /var/lib/kubelet/pki/kubelet-client-current.pem symlink specified in /etc/kubernetes/kubelet.conf. If the rotation process fails, we might see errors such as x509: certificate has expired or is not yet valid in the kube-apiserver logs. To renew the kubelet certificates manually we can follow the Kubernetes documentation.