
We have a bare-metal k8s cluster deployed using Kubespray; its certificates are expiring soon.

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep ' Not '

To update the certificates, I followed the instructions given in the official guide.

kubeadm certs renew all

Then I removed the manifest files in /etc/kubernetes/manifests/ one by one, but the api-server did not restart after moving its manifest back to /etc/kubernetes/manifests, so I had to manually restart the node.

Here, it is suggested to restart the docker container.

My questions are:

  1. What is the most secure way to update certificates (node restart or docker restart)?
  2. What is the performance impact during this certificate update process?
  3. Is there a way to define the certificate lifetime in the Kubespray installation?

Kubernetes version : 1.18.8
Kubeadm : v1.18.8
OS : Ubuntu 18.04
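The `openssl ... | grep ' Not '` check above only looks at apiserver.crt; the following is an added example (not code from the question or the answer) that parses the same openssl output and reports days remaining for every certificate under the pki directory, so renewal can be scheduled before anything lapses. It assumes `openssl` is on PATH and the default kubeadm layout `/etc/kubernetes/pki`.

```python
"""Days left on every kubeadm certificate under the pki directory. Added
example, not code from the question or answer; assumes openssl is on PATH and
the default kubeadm layout (/etc/kubernetes/pki), both adjustable below."""
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

PKI_DIR = Path("/etc/kubernetes/pki")  # kubeadm default; adjust for other layouts
WARN_DAYS = 30                          # flag anything with less than this left

def parse_not_after(openssl_output):
    """Extract the expiry from `openssl x509 -noout -enddate` ("notAfter=...")
    or from the `-text` output grep'd in the question ("Not After : ...")."""
    for line in openssl_output.splitlines():
        line = line.strip()
        if line.startswith("notAfter="):
            stamp = line.split("=", 1)[1]
        elif line.startswith("Not After"):
            stamp = line.split(":", 1)[1].strip()
        else:
            continue
        # openssl prints e.g. "Sep  1 10:00:00 2021 GMT"; %Z accepts GMT/UTC
        return datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    raise ValueError("no notAfter / Not After line in openssl output")

def days_remaining(not_after, now=None):
    """Whole days until expiry; negative means the certificate already expired."""
    return (not_after - (now or datetime.now(timezone.utc))).days

def cert_expiry(path):
    """Ask openssl for one certificate's notAfter (needs openssl on PATH)."""
    proc = subprocess.run(["openssl", "x509", "-in", str(path), "-noout", "-enddate"],
                          check=True, capture_output=True, text=True)
    return parse_not_after(proc.stdout)

def report(pki_dir=PKI_DIR):
    """Map every *.crt under pki_dir (including etcd/) to its days remaining."""
    return {str(c.relative_to(pki_dir)): days_remaining(cert_expiry(c))
            for c in sorted(pki_dir.rglob("*.crt"))}

if __name__ == "__main__":
    rep = report()
    for name, days in rep.items():
        print(f"{days:5d} days  {'RENEW' if days < WARN_DAYS else 'ok':5s}  {name}")
    # exit non-zero so a cron job or monitoring check can alert on it
    sys.exit(2 if any(d < WARN_DAYS for d in rep.values()) else 0)
```

Run it as root on each control-plane node; the CA certificates are listed too, and kubeadm renewal leaves those untouched, so their own expiry needs watching separately.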

1 Answer

  1. As an alternative to temporarily removing the manifest files from /etc/kubernetes/manifests/ and waiting for 20 seconds, you can try to restart docker as described in your link; I've found a similar workaround here.
  2. When a root CA certificate update is in progress, the kubernetes components (apiserver, scheduler, controller-manager, kubelet) and application pods will be restarted. Since the update is a rolling update, the system will be functioning as usual, but there will be a small performance impact during the update. The user should update the hosts sequentially so the impact can be minimized. https://docs.starlingx.io/specs/specs/stx-6.0/approved/security-2008675-kubernetes-rootca-update.html
  3. As per this issue, it looks like there is no such way.