From 00:00:00 (UTC+8) on July 15, 2024 to 00:00:00 (UTC+8) on September 1, 2024, Container Service for Kubernetes (ACK) gradually updates the ClientCA certificates used by the API server of ACK dedicated clusters to extend their expiration time and ensure cluster security.
Change schedule
The update starts at 00:00:00 (UTC+8) on July 15, 2024 and will be completed by 00:00:00 (UTC+8) on September 1, 2024.
Change details
During the update, the ACK control plane uses the CloudOps Orchestration Service (OOS) of Alibaba Cloud to automate maintenance tasks. It automatically updates the CA certificate in the /etc/kubernetes/pki/apiserver-ca.crt file on all master nodes of ACK dedicated clusters. The apiserver-ca.crt file is referenced by the client-ca-file parameter of the cluster API server. This file is used by the ACK control plane for TLS authentication to access the cluster API server.
The updated apiserver-ca.crt will have a longer expiration time to ensure the security and stability of the Alibaba Cloud control request chain to the cluster API server.
Scope of impact
This change targets only ACK dedicated clusters. Other cluster types are not affected. During the maintenance period, take note of the following impacts:
The OOS task executed by the ACK control plane updates only the ClientCA certificates of the cluster API server. It also collects the expiration time of the current certificate for more accurate rotation notifications in the future. This process does not interrupt your services deployed in the cluster, nor does it restart the cluster API server.
The ACK control plane collects only the expiration times of the following certificate public keys and does not collect any other control plane or application information.
| Name | Path |
| --- | --- |
| Cluster API server expiration time | /etc/kubernetes/pki/apiserver.crt |
| Cluster CA expiration time | /etc/kubernetes/pki/ca.crt |
| Cluster etcd server CA expiration time | /var/lib/etcd/cert/ca.pem |
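To check the result yourself on a master node, the following added example (not part of Alibaba Cloud's notice or tooling) reports the expiration time of apiserver-ca.crt and of the three certificates in the table above. The function names and the WARN_DAYS threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report expiry of the certificate files named in this notice.
# Assumption: WARN_DAYS (default 30) is the window in which a cert is flagged.
WARN_DAYS="${WARN_DAYS:-30}"

# cert_status FILE [DAYS] prints one status line and returns:
#   0 = valid for more than DAYS days
#   1 = expires within DAYS days, or has already expired
#   2 = file missing, unreadable, or not a PEM certificate
# Note: openssl x509 reads only the first PEM block, so only the first
# certificate of a multi-certificate bundle is evaluated.
cert_status() {
    file="$1"
    days="${2:-$WARN_DAYS}"
    if [ ! -r "$file" ]; then
        echo "MISSING  $file"
        return 2
    fi
    end=$(openssl x509 -in "$file" -noout -enddate 2>/dev/null) || {
        echo "UNPARSED $file"
        return 2
    }
    end=${end#notAfter=}
    # -checkend N exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -in "$file" -noout -checkend "$((days * 86400))" \
        >/dev/null 2>&1; then
        echo "OK       $file  notAfter=$end"
        return 0
    fi
    echo "EXPIRING $file  notAfter=$end"
    return 1
}

# check_all walks the paths from this notice and returns the worst status.
check_all() {
    worst=0
    for f in /etc/kubernetes/pki/apiserver-ca.crt \
             /etc/kubernetes/pki/apiserver.crt \
             /etc/kubernetes/pki/ca.crt \
             /var/lib/etcd/cert/ca.pem; do
        cert_status "$f" "$WARN_DAYS"
        rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}

check_all || true
```

Running it before and after the maintenance window shows whether the notAfter date of apiserver-ca.crt has moved forward.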