Kubernetes TLS Certificates Expired? Here's what you do now.
TLS certificates are a requirement for Kubernetes clusters to work. When a cluster is first configured, Kubernetes creates a set of certificates that secure the cluster and establish trust between workloads. Nodes connect to one another and to the Kubernetes control-plane API over TLS connections secured by these certificates. By default, these certificates expire a year from the day of creation, and when they do, you may be faced with an error message similar to this:
[authentication.go:64] Unable to authenticate the request due to an error: [x509: certificate has expired or is not yet valid, x509: certificate has expired or is not yet valid
The first time this happens it can be disconcerting, as it becomes impossible to interact with the Kubernetes API using kubectl, and services such as the kubelet may fail. Here is what you do when your Kubernetes certificates expire.
Step 1: Renew the certificates
If the certificates have expired, the first thing you need to do is renew them. kubeadm can create new control-plane certificates using its alpha certs tools (on kubeadm v1.20 and later the subcommand has been promoted out of alpha and is simply kubeadm certs renew all; the matching kubeadm certs check-expiration subcommand lists the expiry date of every certificate, which is worth running before and after the renewal).
Log into the Kubernetes primary control-plane node and use the following kubeadm command:
$ kubeadm alpha certs renew all
This command renews all the certificates that kubeadm manages: those of the API server (including its client certificates for the kubelets and for etcd), the etcd certificates, and the certificates embedded in the kubeconfig files under /etc/kubernetes. The control-plane components running as static pods do not reload certificates on their own, so restart kube-apiserver, kube-controller-manager, kube-scheduler and etcd after the renewal (for example by moving their manifests out of /etc/kubernetes/manifests for a moment and then back) so they pick up the renewed files.
Step 2: Manage the new configuration
The second step is to copy the new configuration, which embeds the renewed client certificate, into your user's Kubernetes configuration directory. This lets kubectl and other client tools that use the certificates for encryption and authentication connect to the API again:
$ cd ~/.kube
# Archive the old config file containing the out-of-date certificates
$ mv config conf.archive.2021
# Copy the new configuration file created by kubeadm (admin.conf is owned by root, so sudo is needed)
$ sudo cp /etc/kubernetes/admin.conf config
# Give ownership to your current admin user and group
$ sudo chown $(id -u):$(id -g) config
Done!
The Kubernetes certificates have been renewed, the new configuration is available for kubectl and client tools, and your cluster should be ready for another year!
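The check that goes with the two steps above, as an added example that is not part of the original post: it reports which kubeadm certificates are expired or close to expiry, and reads the client certificate embedded in a kubeconfig so that a ~/.kube/config that was not replaced in Step 2 is caught. It assumes kubeadm's default paths and that openssl, base64 and mktemp are installed.

```shell
#!/bin/sh
# Added example, not from the original post: report expiry of the kubeadm
# certificates under /etc/kubernetes/pki and of the client certificate embedded
# in a kubeconfig, so a stale ~/.kube/config is caught after a renewal.
# Needs only openssl, base64 and mktemp; the paths below are kubeadm's defaults.

# cert_status FILE [DAYS] [LABEL]: prints OK / EXPIRING / EXPIRED / UNREADABLE
# and the label (default: FILE); returns 0 / 1 / 2 / 3. DAYS = warning window.
cert_status() {
    file=$1; window=$(( ${2:-30} * 86400 )); label=${3:-$1}
    openssl x509 -noout -in "$file" >/dev/null 2>&1 || { echo "UNREADABLE $label"; return 3; }
    # -checkend N exits non-zero when notAfter is less than N seconds away,
    # so N=0 flags a certificate that has already expired.
    openssl x509 -noout -checkend 0 -in "$file" >/dev/null || { echo "EXPIRED $label"; return 2; }
    openssl x509 -noout -checkend "$window" -in "$file" >/dev/null ||
        { echo "EXPIRING $label ($(openssl x509 -noout -enddate -in "$file"))"; return 1; }
    echo "OK $label"
}

# check_pki_dir DIR [DAYS]: one line per certificate (top level and etcd/);
# returns the number of certificates that are expired or inside the window.
check_pki_dir() {
    bad=0
    for f in "$1"/*.crt "$1"/etcd/*.crt; do
        [ -f "$f" ] || continue
        cert_status "$f" "${2:-30}" || bad=$((bad + 1))
    done
    return $bad
}

# kubeconfig_cert_status FILE [DAYS]: same report for the base64-encoded PEM in
# the first client-certificate-data entry (admin.conf, ~/.kube/config, ...).
kubeconfig_cert_status() {
    [ -f "$1" ] || { echo "MISSING $1"; return 3; }
    tmp=$(mktemp)
    sed -n 's/^ *client-certificate-data: *//p' "$1" | head -n 1 | base64 -d > "$tmp" 2>/dev/null
    cert_status "$tmp" "${2:-30}" "$1" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}

# On a control-plane node: the renewed admin.conf vs. the copy in ~/.kube/config,
# which stays stale until it is replaced (Step 2 above).
if [ -d /etc/kubernetes/pki ]; then
    check_pki_dir /etc/kubernetes/pki 30
    kubeconfig_cert_status /etc/kubernetes/admin.conf 30
    kubeconfig_cert_status "$HOME/.kube/config" 30
fi
```

The exit code of check_pki_dir is the number of problem certificates, so it can be used directly from a cron job or monitoring check.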