kubeadm creates certificates for the Kubernetes control plane that are valid for one year. They will be renewed on every Kubernetes upgrade. Since it is definitely a good idea to update a Kubernetes cluster at least once per year, this should lead to never-expiring certificates.

However, we have some Kubernetes clusters running in air-gap environments (absolutely no Internet connection) where there is no guarantee that they will ever see updates. Certificates expiring within one year are not acceptable in such environments. Extending the certificate lifetime would be one idea to remedy this setup, but automatically renewing the certificates appears to be the better solution. This can easily be done with kubeadm alpha certs renew all (Kubernetes 1.15) run by cron or a systemd timer on every master node.

I have noticed that the API server, controller manager, and scheduler do not pick up the new certificates. Is there any way to notify these components of the new certificates? Even destroying the Pods is not that simple because the control plane Pods are static and kubectl delete pod just deletes the mirror Pod but does not kill the containers. Some error-prone docker |grep … could do the job, but I am wondering if there is an API call or a smarter way to do it. I have not found any further docs on this topic.
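The following script is an added example, not part of the question above and not kubeadm's own tooling. It shows one way to run the renewal described in the question from cron or a systemd timer without grepping docker: it measures how many days each control-plane certificate has left, runs kubeadm alpha certs renew all once a threshold is reached, and then makes the kubelet recreate each static Pod by moving its manifest out of the manifest directory and back. It assumes kubeadm 1.15 (the alpha certs subcommand), the default paths /etc/kubernetes/pki and /etc/kubernetes/manifests, a GNU-compatible date -d, and openssl on the master node; the threshold, the list of certificates checked and the 20-second pause are choices made here, not values from the question.

```shell
#!/bin/sh
# Added example: renew kubeadm control-plane certificates when they are close
# to expiry and restart the static control-plane Pods afterwards.
# Assumptions (not from the question): kubeadm 1.15 paths, GNU date, openssl.

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
MANIFEST_DIR="${MANIFEST_DIR:-/etc/kubernetes/manifests}"
RENEW_THRESHOLD_DAYS="${RENEW_THRESHOLD_DAYS:-30}"
# Certificates that are checked before deciding to renew (assumed list).
CHECKED_CERTS="apiserver.crt apiserver-kubelet-client.crt front-proxy-client.crt"

# Whole days from date $1 to date $2 (negative if $2 is earlier). Both must be
# parseable by "date -d", e.g. 2024-01-01 or openssl's "Jan  1 00:00:00 2025 GMT".
days_between() {
    from=$(date -u -d "$1" +%s) || return 1
    to=$(date -u -d "$2" +%s) || return 1
    echo $(( (to - from) / 86400 ))
}

# Days until the X.509 certificate in file $1 expires (negative when expired).
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//') || return 1
    days_between "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$end"
}

# Exit 0 if any checked certificate is within RENEW_THRESHOLD_DAYS of expiry.
needs_renewal() {
    for name in $CHECKED_CERTS; do
        cert="$PKI_DIR/$name"
        [ -f "$cert" ] || continue
        left=$(cert_days_left "$cert") || return 1
        if [ "$left" -le "$RENEW_THRESHOLD_DAYS" ]; then
            echo "$cert expires in $left days" >&2
            return 0
        fi
    done
    return 1
}

# Restart a static Pod: the kubelet deletes the Pod (and its containers) when
# the manifest disappears and recreates it when the file comes back, so no
# "kubectl delete pod" or docker grep is needed.
restart_static_pod() {
    name="$1"
    tmp=$(mktemp -d) || return 1
    mv "$MANIFEST_DIR/$name.yaml" "$tmp/" || return 1
    sleep 20   # give the kubelet time to notice the removal (assumed delay)
    mv "$tmp/$name.yaml" "$MANIFEST_DIR/"
    rmdir "$tmp"
}

# Renew everything, then bounce the components that cache the old certificates.
renew_all() {
    kubeadm alpha certs renew all || return 1
    for p in kube-apiserver kube-controller-manager kube-scheduler; do
        restart_static_pod "$p" || return 1
    done
}

main() {
    if needs_renewal; then
        renew_all
    else
        echo "no control-plane certificate within $RENEW_THRESHOLD_DAYS days of expiry" >&2
    fi
}

# Run only when invoked as "renew-certs.sh run", so the file can also be sourced.
case "${1:-}" in
    run) main ;;
esac
```

A daily cron entry or systemd timer calling this script with the run argument is enough; the threshold check keeps the renewal idempotent, and the manifest move is the mechanism the kubelet already honours for static Pods, so the containers are actually recreated rather than just the mirror Pod being removed. Restarting kube-apiserver this way causes a short API outage on that master, so on multi-master clusters the timers should be staggered.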