Renew the certificates in an ACK dedicated cluster

0.0.201

To ensure the security of communication between nodes, you must periodically check and renew the certificates of the master and worker nodes in a cluster, including the API server certificate and kubelet certificate. About two months before a certificate in an ACK dedicated cluster expires, a red button appears in the console to remind you to renew the certificate.

Usage notes

During the renewal process, the following system components are restarted: kube-apiserver, kube-controller-manager, and kube-scheduler. If your business logic is strongly reliant on these system components, make sure that your businesses will not be interrupted before you start. We recommend that you renew certificates during off-peak hours.

It requires about 5 to 10 minutes to complete the renewal process. The actual time cost depends on the number of nodes in the cluster. After the certificate is renewed, its validity period is extended by five years.

Backup

Node type	Backup content

Node type	Backup content
Master	/etc/kubernetes/ /var/lib/kubelet/pki /etc/systemd/system/kubelet.service.d/10-kubeadm.conf /etc/kubeadm/ Business-critical data Note If /var/lib/kubelet/pki is empty or you have no business-critical data, backup is not required.
Worker	/etc/kubernetes/ /etc/systemd/system/kubelet.service.d/10-kubeadm.conf /var/lib/kubelet/pki/* Business-critical data Note If /var/lib/kubelet/pki/* is empty or you have no business-critical data, backup is not required.

Renew certificates

Table 1. Master nodes

Certificate or conf filename	Path	Validity period
apiserver.crt apiserver.key	/etc/kubernetes/pki	The initial validity period is 10 years. The validity period is extended by five years after renewal.
apiserver-kubelet-client.crt apiserver-kubelet-client.key	/etc/kubernetes/pki	The initial validity period is 10 years. The validity period is extended by five years after renewal.
front-proxy-client.crt front-proxy-client.key	/etc/kubernetes/pki	The initial validity period is 10 years. The validity period is extended by five years after renewal.
dashboard.crt dashboard.key	/etc/kubernetes/pki/dashboard	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kubelet.crt kubelet.key Note If the kubelet.key file does not exist, renewal is not required. You can still use the cluster after kubelet.crt and kubelet.key expire.	/var/lib/kubelet/pki Note If this path is empty, renewal is not required.	The initial validity period is 10 years. The validity period is extended by five years after renewal.
admin.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kube.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
controller-manager.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
scheduler.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kubelet.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
config	~/.kube/	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kubelet-client-current.pem or kubelet-client.crt kubelet-client.key Note If the kubelet-client.key file does not exist, renewal is not required.	/var/lib/kubelet/pki Note If this path is empty, renewal is not required.	The initial validity period is one year. When the certificate is about to expire, it is automatically renewed and the validity period is extended by one year.

Table 2. Worker nodes

Certificate or conf filename	Path	Validity period
kubelet.crt kubelet.key Note If the kubelet.key file does not exist, renewal is not required. You can still use the cluster after kubelet.crt and kubelet.key expire.	/var/lib/kubelet/pki Note If this path is empty, renewal is not required.	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kubelet-client-current.pem or kubelet-client.crt kubelet-client.key Note If the kubelet-client.key file does not exist, renewal is not required.	/var/lib/kubelet/pki Note If this path is empty, renewal is not required.	The initial validity period is one year. When the certificate is about to expire, it is automatically renewed and the validity period is extended by one year.
kubelet.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.

References

You can use the console or CLI to renew certificates that are about to expire or have expired in an ACK dedicated cluster. For more information, see Renew expiring certificates in ACK dedicated clusters and Update expired certificates for an ACK dedicated cluster.
Renew etcd certificates in an ACK dedicated cluster that are about to expire as soon as possible.

Feedback

Previous: Certificate management for ACK dedicated clustersNext: Renew expiring certificates in ACK dedicated clusters

On this page （1）

Usage notes

Backup

Renew certificates

References

Chat now with Alibaba Cloud Customer Service to assist you in finding the right products and services to meet your needs.

Usage notes

Backup

Renew certificates

References

Sales Support

Technical Support

Connect & Report Abuse

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Lingma

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)