Score:1

I get a Certificate Signing Request every 15 minutes (Kubernetes)


I get a Certificate Signing Request every 15 minutes

❯ kubectl get csr -A --sort-by=.metadata.creationTimestamp

csr-r2dwb   3h      kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-kcj2m   165m    kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-h4k8j   149m    kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-rp5k8   134m    kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-dpx5w   118m    kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-f5zlj   103m    kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-vmjrk   87m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-q6nz7   72m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-hhnfx   57m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-bq2dl   41m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-9cgws   26m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-xmz2k   10m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending

I already approved a cert via kubectl certificate approve csr-..., but nevertheless I get new CSRs every 15 minutes.

How can I fix this?

root@host-cluster-control-plane-2hhtt:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 11, 2023 19:57 UTC   334d            ca                      no      
apiserver                  Sep 11, 2023 19:57 UTC   334d            ca                      no      
apiserver-etcd-client      Sep 11, 2023 19:57 UTC   334d            etcd-ca                 no      
apiserver-kubelet-client   Sep 11, 2023 19:57 UTC   334d            ca                      no      
controller-manager.conf    Sep 11, 2023 19:57 UTC   334d            ca                      no      
etcd-healthcheck-client    Sep 11, 2023 19:57 UTC   334d            etcd-ca                 no      
etcd-peer                  Sep 11, 2023 19:57 UTC   334d            etcd-ca                 no      
etcd-server                Sep 11, 2023 19:57 UTC   334d            etcd-ca                 no      
front-proxy-client         Sep 11, 2023 19:57 UTC   334d            front-proxy-ca          no      
scheduler.conf             Sep 11, 2023 19:57 UTC   334d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 08, 2032 19:55 UTC   9y              no      
etcd-ca                 Sep 08, 2032 19:55 UTC   9y              no      
front-proxy-ca          Sep 08, 2032 19:55 UTC   9y              no      

File /var/lib/kubelet/config.yaml

apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
logging:
  flushFrequency: 0
  options:
    json:
      infoBufferSize: "0"
  verbosity: 0
memorySwap: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
resolvConf: /run/systemd/resolve/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s

4 hours after approving the cert, I get new CSRs again and again:

csr-xmz2k   21h     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-d564x   16h     kubernetes.io/kubelet-serving   system:node:host-
...
...
...
csr-nn9tz   28m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
csr-h9k7j   12m     kubernetes.io/kubelet-serving   system:node:host-cluster-control-plane-2hhtt   <none>              Pending
Comments:

asktyagi: Can you add `kubeadm certs check-expiration` output to your question as well?

guettli: @asktyagi I added the output of `kubeadm certs check-expiration`.

asktyagi: Is your kubelet configured to communicate over TLS? If yes, could you share which parameters you have used for the kubelet process, or share the complete `/var/lib/kubelet/config.yaml` file?

guettli: @asktyagi I added `/var/lib/kubelet/config.yaml` to the question.
Score:1

I found the solution: I created the cluster via Cluster-API.

The management cluster which created the workload cluster was in minikube on my laptop.

The workload cluster worked fine, but my laptop was off, so the auto-approval done by the management cluster was not happening.

After starting the management cluster inside minikube, everything worked fine again.
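The reason these CSRs stay Pending without the management cluster is that kube-controller-manager never auto-approves the kubernetes.io/kubelet-serving signer; some approver must verify each request. As an added illustration (not code from the question or from the Cluster API project), the following Go program shows the checks such an approver should make before approving a kubelet-serving CSR: the requestor must be a node identity, the CSR's CN must name that same node, O must be exactly system:nodes, and the SANs may only be DNS names and IP addresses. The function names ValidateKubeletServingCSR and NewTestCSR are assumed; the CSR is constructed in-code and only the node name is taken from the question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"strings"
)
// ValidateKubeletServingCSR applies the checks an approver must make before approving a
// kubernetes.io/kubelet-serving CSR: node requestor, CN == requestor, O == system:nodes, DNS/IP SANs only.
func ValidateKubeletServingCSR(csrPEM []byte, requestor string) error {
	block, _ := pem.Decode(csrPEM) // spec.request, base64-decoded
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("spec.request is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return fmt.Errorf("CSR signature invalid: %w", err)
	}
	if !strings.HasPrefix(requestor, "system:node:") || csr.Subject.CommonName != requestor {
		return fmt.Errorf("CN %q must equal node requestor %q", csr.Subject.CommonName, requestor)
	}
	if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != "system:nodes" {
		return fmt.Errorf("O must be exactly [system:nodes], got %v", csr.Subject.Organization)
	}
	if len(csr.EmailAddresses) > 0 || len(csr.URIs) > 0 || len(csr.DNSNames)+len(csr.IPAddresses) == 0 {
		return fmt.Errorf("SANs must be non-empty and contain only DNS names and IP addresses")
	}
	return nil
}

// NewTestCSR builds a constructed CSR for demonstration; it is not taken from the cluster in the question.
func NewTestCSR(cn string, orgs, dnsNames, emails []string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: orgs}, DNSNames: dnsNames, EmailAddresses: emails}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}
func main() {
	node := "system:node:host-cluster-control-plane-2hhtt" // requestor from the question's CSR list
	csr := NewTestCSR(node, []string{"system:nodes"}, []string{"host-cluster-control-plane-2hhtt"}, nil)
	fmt.Println("approve?", ValidateKubeletServingCSR(csr, node)) // prints "approve? <nil>"
}
```

In a real approver the PEM comes from `spec.request` and the requestor from `spec.username` of each Pending CSR object; only requests passing all checks should get the Approved condition.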
