Score:2

Kubernetes manual certificate renewal - apiserver certificate update failed


We have a bare-metal k8s cluster deployed using Kubespray, and its certificates are expiring soon.

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '

To update the certificates, I followed the instructions in the official guide.

kubeadm certs renew all

Then I removed the manifest files in /etc/kubernetes/manifests/ one by one, but the API server did not restart after I moved its manifest back to /etc/kubernetes/manifests, so I had to restart the node manually.

Here it is suggested to restart the docker container instead.

My questions are:

  1. What is the most secure way to update the certificates (node restart or docker restart)?
  2. What is the performance impact during this certificate update process?
  3. Is there a way to define the certificate lifetime in the Kubespray installation?

Kubernetes version : 1.18.8
Kubeadm : v1.18.8
OS : Ubuntu 18.04
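The single `openssl ... | grep ' Not '` line above only inspects one certificate. The following script is an added example, not part of the original question or of Kubespray/kubeadm, that scans every `*.crt` under a PKI directory (the `/etc/kubernetes/pki` default and its `etcd/` subdirectory are assumptions about the kubeadm layout) and counts the certificates that expire within a given number of days, using only `openssl x509 -checkend`, so it works the same on any control-plane node before and after `kubeadm certs renew all`:

```shell
#!/bin/sh
# Added example (not from the original post): report Kubernetes PKI
# certificates that expire within a threshold, using only openssl.
# Assumed layout: /etc/kubernetes/pki/*.crt and /etc/kubernetes/pki/etcd/*.crt.

# Exit 0 if the certificate in $1 is still valid $2 days from now, 1 if it
# expires (or has already expired) before then. `-checkend` takes seconds.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the notAfter timestamp of the certificate in $1.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Scan every *.crt directly under $1 and under $1/etcd, print one status
# line per certificate to stderr, and print the number of certificates that
# expire within $2 days to stdout (so scripts can use the count alone).
pki_expiring_count() {
    dir=$1; days=$2; expiring=0
    for f in "$dir"/*.crt "$dir"/etcd/*.crt; do
        [ -f "$f" ] || continue      # skip the literal glob when nothing matches
        if cert_valid_for_days "$f" "$days"; then
            printf 'OK       %s (expires %s)\n' "$f" "$(cert_not_after "$f")" >&2
        else
            printf 'EXPIRING %s (expires %s)\n' "$f" "$(cert_not_after "$f")" >&2
            expiring=$(( expiring + 1 ))
        fi
    done
    echo "$expiring"
}

# Usage: sh check_pki.sh /etc/kubernetes/pki 30
# Exits non-zero when at least one certificate expires within the window,
# which makes it usable from cron or a monitoring check.
if [ "$#" -ge 1 ]; then
    n=$(pki_expiring_count "$1" "${2:-30}")
    echo "certificates expiring within ${2:-30} days: $n"
    [ "$n" -eq 0 ]
fi
```

Run it before the renewal to see which files need attention, and again after `kubeadm certs renew all` and the control-plane restart to confirm that every `notAfter` moved forward; a certificate that still shows the old date is one the static pod is still serving from memory, which is the symptom described in the question.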

Score:1
  1. As an alternative to temporarily removing the manifest files from /etc/kubernetes/manifests/ and waiting for 20 seconds, you can try to restart docker as described in your link; I've found a similar workaround here.
  2. When a root CA certificate update is in progress, the Kubernetes components (apiserver, scheduler, controller-manager, kubelet) and application pods will be restarted. Since the update is a rolling update, the system will be functioning as usual, but there will be a small performance impact during the update. The user should update the hosts sequentially so the impact can be minimized. https://docs.starlingx.io/specs/specs/stx-6.0/approved/security-2008675-kubernetes-rootca-update.html
  3. As per this issue, it looks like there is no such way.