All Products
Search
Document Center

Container Service for Kubernetes:Renew the certificates in an ACK dedicated cluster

Last Updated:Apr 07, 2024

To ensure the security of communication between nodes, you need to periodically check and renew the certificates of the master and worker nodes in a cluster, including the API server certificate and kubelet certificate. About two months before a certificate in an ACK dedicated cluster expires, a red button appears in the console to remind you to renew the certificate.

Usage notes

During the renewal process, the following system components are restarted: kube-apiserver, kube-controller-manager, and kube-scheduler. If your business logic is strongly reliant on system components such as kube-apiserver, make sure that your businesses are not interrupted during the renewal before you start. We recommend that you renew certificates during off-peak hours.

It requires about 5 to 10 minutes to complete the renewal process. The actual time cost depends on the number of nodes in the cluster. After the certificate is renewed, its validity period is extended by five years.

Backup

Node type

Backup content

Master

  • /etc/kubernetes/

  • /var/lib/kubelet/pki

  • /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

  • /etc/kubeadm/

  • Business-critical data

Note

If /var/lib/kubelet/pki is empty or you have no business-critical data, backup is not required.

Worker

  • /etc/kubernetes/

  • /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

  • /var/lib/kubelet/pki/*

  • Business-critical data

Note

If /var/lib/kubelet/pki/* is empty or you have no business-critical data, backup is not required.

Renew certificates

Table 1. Master nodes

Certificate or conf filename

Path

Validity period

  • apiserver.crt

  • apiserver.key

/etc/kubernetes/pki

The initial validity period is 10 years. The validity period is extended by five years after renewal.

  • apiserver-kubelet-client.crt

  • apiserver-kubelet-client.key

/etc/kubernetes/pki

The initial validity period is 10 years. The validity period is extended by five years after renewal.

  • front-proxy-client.crt

  • front-proxy-client.key

/etc/kubernetes/pki

The initial validity period is 10 years. The validity period is extended by five years after renewal.

  • dashboard.crt

  • dashboard.key

/etc/kubernetes/pki/dashboard

The initial validity period is 10 years. The validity period is extended by five years after renewal.

  • kubelet.crt

  • kubelet.key

Note
  • If the kubelet.key file does not exist, renewal is not required.

  • You can still use the cluster after kubelet.crt and kubelet.key expire.

/var/lib/kubelet/pki

Note

If this path is empty, renewal is not required.

The initial validity period is 10 years. The validity period is extended by five years after renewal.

admin.conf

/etc/kubernetes

The initial validity period is 10 years. The validity period is extended by five years after renewal.

kube.conf

/etc/kubernetes

The initial validity period is 10 years. The validity period is extended by five years after renewal.

controller-manager.conf

/etc/kubernetes

The initial validity period is 10 years. The validity period is extended by five years after renewal.

scheduler.conf

/etc/kubernetes

The initial validity period is 10 years. The validity period is extended by five years after renewal.

kubelet.conf

/etc/kubernetes

The initial validity period is 10 years. The validity period is extended by five years after renewal.

config

~/.kube/

The initial validity period is 10 years. The validity period is extended by five years after renewal.

  • kubelet-client-current.pem or kubelet-client.crt

  • kubelet-client.key

Note

If the kubelet-client.key file does not exist, renewal is not required.

/var/lib/kubelet/pki

Note

If this path is empty, renewal is not required.

The initial validity period is one year. When the certificate is about to expire, it is automatically renewed and the validity period is extended by one year.

Table 2. Worker nodes

Certificate or conf filename

Path

Validity period

  • kubelet.crt

  • kubelet.key

Note
  • If the kubelet.key file does not exist, renewal is not required.

  • You can still use the cluster after kubelet.crt and kubelet.key expire.

/var/lib/kubelet/pki

Note

If this path is empty, renewal is not required.

The initial validity period is 10 years. The validity period is extended by five years after renewal.

  • kubelet-client-current.pem or kubelet-client.crt

  • kubelet-client.key

Note

If the kubelet-client.key file does not exist, renewal is not required.

/var/lib/kubelet/pki

Note

If this path is empty, renewal is not required.

The initial validity period is one year. When the certificate is about to expire, it is automatically renewed and the validity period is extended by one year.

kubelet.conf

/etc/kubernetes

The initial validity period is 10 years. The validity period is extended by five years after renewal.

References