Cluster Certificate Renewal (Manual)
When a Kubernetes cluster certificate expires, kubectl queries fail with certificate errors. Follow the steps below to renew the certificates. The certificates are node-specific, so run the steps on every master node of the cluster, one node at a time.
- Check the cluster's kubectl and kubeadm versions
$ kubectl version
$ kubeadm version
- Verify certificate validity
$ kubeadm certs check-expiration
- Renew certificates
$ kubeadm certs renew all --config /etc/default/kubeadm.conf
- Check Renewed certificates
$ kubeadm certs check-expiration
- Restart control plane pods
$ mkdir /tmp/controlplane_manifest_backup
$ mv /etc/kubernetes/manifests/* /tmp/controlplane_manifest_backup
- Wait for Pod removal
Wait until api-server, kube-scheduler, and kube-controller-manager are removed from the master nodes.
- Restore manifests
$ mv /tmp/controlplane_manifest_backup/* /etc/kubernetes/manifests/
- Verify Control Plane pods
$ kubectl get pods -n kube-system
- Update Configuration
$ cp /etc/kubernetes/admin.conf /root/.kube/config
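To run the "Verify certificate validity" check ahead of an outage, the following added example (not part of the original procedure) filters the check-expiration table for certificates that are expired or have fewer than a given number of days left. The helper name expiring_certs, the sample table, and the assumed row layout (expiry timestamp ending in UTC, followed by a residual such as 364d, 9y, 7h or <invalid>) are constructed for illustration.

```shell
# Added example: flag certificates that are close to expiry.
# On a master node: kubeadm certs check-expiration | expiring_certs 30

# expiring_certs THRESHOLD_DAYS
# Reads check-expiration output on stdin and prints "<name> <residual>" for
# every row that is expired or has fewer than THRESHOLD_DAYS days left.
expiring_certs() {
  awk -v limit="$1" '
    # Data rows carry the expiry timestamp in fields 2-6, ending in "UTC";
    # headers, blank lines and log lines do not match and are skipped.
    $6 == "UTC" {
      r = $7
      n = r; sub(/[a-z]$/, "", n)                  # numeric part of "364d"
      if (r ~ /^[0-9]+y$/)          days = n * 365
      else if (r ~ /^[0-9]+d$/)     days = n + 0
      else if (r ~ /^[0-9]+[hms]$/) days = 0       # less than a day left
      else                          days = -1      # "<invalid>" (expired) or
                                                   # unrecognised: always report
      if (days < limit + 0) print $1, r
    }'
}

# Constructed sample output (assumed layout, not captured from a real cluster).
SAMPLE_OUTPUT='CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 02, 2025 10:15 UTC   12d             ca                      no
apiserver                  Mar 02, 2025 10:15 UTC   12d             ca                      no
apiserver-kubelet-client   Jan 05, 2025 10:15 UTC   <invalid>       ca                      no
front-proxy-client         Feb 19, 2025 08:00 UTC   7h              front-proxy-ca          no
scheduler.conf             Feb 18, 2026 10:15 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 16, 2034 10:15 UTC   9y              no
front-proxy-ca          Feb 16, 2034 10:15 UTC   9y              no'

# Demo on the constructed sample: everything with under 30 days left.
printf '%s\n' "$SAMPLE_OUTPUT" | expiring_certs 30
```

Rows whose residual value is not recognised are reported rather than skipped, so a format change cannot silently hide an expiring certificate.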