Renew the certificates in an ACK dedicated cluster - Container Service for Kubernetes

To ensure the security of communication between nodes, you need to periodically check and renew the certificates of the master and worker nodes in a cluster, including the API server certificate and kubelet certificate. About two months before a certificate in an ACK dedicated cluster expires, a red button appears in the console to remind you to renew the certificate.

Usage notes

During the renewal process, the following system components are restarted: kube-apiserver, kube-controller-manager, and kube-scheduler. If your business logic is strongly reliant on system components such as kube-apiserver, make sure that your businesses are not interrupted during the renewal before you start. We recommend that you renew certificates during off-peak hours.

It requires about 5 to 10 minutes to complete the renewal process. The actual time cost depends on the number of nodes in the cluster. After the certificate is renewed, its validity period is extended by five years.

Backup

Node type	Backup content
Master	/etc/kubernetes/ /var/lib/kubelet/pki /etc/systemd/system/kubelet.service.d/10-kubeadm.conf /etc/kubeadm/ Business-critical data Note If /var/lib/kubelet/pki is empty or you have no business-critical data, backup is not required.
Worker	/etc/kubernetes/ /etc/systemd/system/kubelet.service.d/10-kubeadm.conf /var/lib/kubelet/pki/* Business-critical data Note If /var/lib/kubelet/pki/* is empty or you have no business-critical data, backup is not required.

Renew certificates

Table 1. Master nodes
Certificate or conf filename	Path	Validity period
apiserver.crt apiserver.key	/etc/kubernetes/pki	The initial validity period is 10 years. The validity period is extended by five years after renewal.
apiserver-kubelet-client.crt apiserver-kubelet-client.key	/etc/kubernetes/pki	The initial validity period is 10 years. The validity period is extended by five years after renewal.
front-proxy-client.crt front-proxy-client.key	/etc/kubernetes/pki	The initial validity period is 10 years. The validity period is extended by five years after renewal.
dashboard.crt dashboard.key	/etc/kubernetes/pki/dashboard	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kubelet.crt kubelet.key Note If the kubelet.key file does not exist, renewal is not required. You can still use the cluster after kubelet.crt and kubelet.key expire.	/var/lib/kubelet/pki Note If this path is empty, renewal is not required.	The initial validity period is 10 years. The validity period is extended by five years after renewal.
admin.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kube.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
controller-manager.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
scheduler.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kubelet.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
config	~/.kube/	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kubelet-client-current.pem or kubelet-client.crt kubelet-client.key Note If the kubelet-client.key file does not exist, renewal is not required.	/var/lib/kubelet/pki Note If this path is empty, renewal is not required.	The initial validity period is one year. When the certificate is about to expire, it is automatically renewed and the validity period is extended by one year.

Table 2. Worker nodes
Certificate or conf filename	Path	Validity period
kubelet.crt kubelet.key Note If the kubelet.key file does not exist, renewal is not required. You can still use the cluster after kubelet.crt and kubelet.key expire.	/var/lib/kubelet/pki Note If this path is empty, renewal is not required.	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kubelet-client-current.pem or kubelet-client.crt kubelet-client.key Note If the kubelet-client.key file does not exist, renewal is not required.	/var/lib/kubelet/pki Note If this path is empty, renewal is not required.	The initial validity period is one year. When the certificate is about to expire, it is automatically renewed and the validity period is extended by one year.
kubelet.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.

References

You can use the console or CLI to renew certificates that are about to expire or have expired in an ACK dedicated cluster. For more information, see Renew expiring Kubernetes cluster certificates and Update expired certificates of a Kubernetes cluster.
Renew etcd certificates that are about to expire in an ACK dedicated cluster at the earliest opportunity. For more information, see Renew etcd certificates in an ACK dedicated cluster.