Renewing certificates that are about to expire

Use this procedure to renew internal certificates that are about to expire for the Kubernetes cluster.

  1. Check the certificate validity on any master node.
    [root@node1 ~]# kubeadm certs check-expiration
    [check-expiration] Reading configuration from the cluster...
    [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
    W0710 21:38:33.484779 1233162 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [10.233.0.3]
    
    CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
    admin.conf                 Jun 26, 2025 15:11 UTC   350d            ca                      no
    apiserver                  Jun 26, 2025 15:11 UTC   350d            ca                      no
    apiserver-kubelet-client   Jun 26, 2025 15:11 UTC   350d            ca                      no
    controller-manager.conf    Jun 26, 2025 15:11 UTC   350d            ca                      no
    front-proxy-client         Jun 26, 2025 15:11 UTC   350d            front-proxy-ca          no
    scheduler.conf             Jun 26, 2025 15:11 UTC   350d            ca                      no
    
    CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
    ca                      Jun 24, 2034 15:11 UTC   9y              no
    front-proxy-ca          Jun 24, 2034 15:11 UTC   9y              no
    
  2. Renew the certificates that are about to expire.
    [root@node1 ~]# kubeadm certs renew all
    [renew] Reading configuration from the cluster...
    [renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
    W0710 21:39:19.263073 1234844 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [10.233.0.3]
    
    certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
    certificate for serving the Kubernetes API renewed
    certificate for the API server to connect to kubelet renewed
    certificate embedded in the kubeconfig file for the controller manager to use renewed
    certificate for the front proxy client renewed
    certificate embedded in the kubeconfig file for the scheduler manager to use renewed
    
    Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
  3. Restart the core pods and etcd service from this master node.
    [root@node1 ~]# kubectl delete pod -n kube-system -l component=kube-apiserver
    [root@node1 ~]# kubectl delete pod -n kube-system -l component=kube-scheduler
    [root@node1 ~]# kubectl delete pod -n kube-system -l component=kube-controller-manager
    [root@node1 ~]# systemctl restart etcd
  4. From the master node on which the certificates were just renewed, enter the following command so that kubectl uses the renewed admin.conf and can access the pods in the cluster.
    [root@node1 ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  5. Check the new certificate validity dates on the node that has just been updated.
    [root@node1 ~]# kubeadm certs check-expiration
    [root@node1 ~]#
  6. Repeat steps 1 through 5 on the remaining master and control plane nodes.
  7. From the deployer VM, refresh the deployer configuration. Enter the following command:
    /root/bin/fss_k8s_discover.sh discover
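The check in step 1 is easy to automate. The following shell script is an added example, not part of this procedure or of kubeadm: it parses `kubeadm certs check-expiration` output and lists every certificate or CA whose RESIDUAL TIME is below a given number of days, so an expiring certificate is caught before renewal becomes an outage. The output it runs on here is a constructed sample; on a control plane node it can be fed the live command output instead.

```shell
#!/bin/sh
# Added example: flag kubeadm certificates whose RESIDUAL TIME is below a threshold.
# Constructed sample of `kubeadm certs check-expiration` output (not from a real cluster).
SAMPLE_OUTPUT='[check-expiration] Reading configuration from the cluster...
W0710 21:38:33.484779 1233162 utils.go:69] The recommended value for "clusterDNS" is: [10.233.0.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 26, 2025 15:11 UTC   350d            ca                      no
apiserver                  Jul 20, 2024 15:11 UTC   9d              ca                      no
apiserver-kubelet-client   Jun 26, 2025 15:11 UTC   350d            ca                      no
front-proxy-client         Jul 01, 2024 10:00 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 24, 2034 15:11 UTC   9y              no
front-proxy-ca          Jun 24, 2034 15:11 UTC   9y              no'

# Convert a RESIDUAL TIME token (350d, 9y, 23h, 5m, <invalid>) to whole days.
# kubeadm prints <invalid> for a certificate that has already expired.
residual_to_days() {
  case "$1" in
    *y) printf '%s\n' $(( ${1%y} * 365 )) ;;
    *d) printf '%s\n' "${1%d}" ;;
    *h|*m|*s) printf '%s\n' 0 ;;     # less than one day left
    *) printf '%s\n' -1 ;;           # expired or unrecognised: treat as urgent
  esac
}

# Print "NAME RESIDUAL" for each certificate or CA in $1 (check-expiration output)
# with fewer than $2 days left. Data rows are those whose last field is the
# EXTERNALLY MANAGED value (yes/no); the residual token follows the "UTC" field.
expiring_certs() {
  printf '%s\n' "$1" | awk '
    $NF == "yes" || $NF == "no" {
      for (i = 2; i < NF; i++) if ($i == "UTC") { print $1, $(i + 1); break }
    }' | while read -r name residual; do
      if [ "$(residual_to_days "$residual")" -lt "$2" ]; then
        printf '%s %s\n' "$name" "$residual"
      fi
    done
}

# On a control plane node, run against live output instead of the sample:
#   expiring_certs "$(kubeadm certs check-expiration 2>/dev/null)" 30
expiring_certs "$SAMPLE_OUTPUT" 30
```

With the sample above and a 30-day threshold the script reports `apiserver 9d` and `front-proxy-client <invalid>`; a non-empty result is the signal to run the renewal procedure on every control plane node.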