Cluster Certificate Renewal (Manual)

When a Kubernetes cluster certificate expires, kubectl queries fail with certificate errors. The steps below resolve this. The certificates are node-specific, so run the steps on every master node of the cluster, one node at a time.

  • Check Cluster kubectl and kubeadm version
$ kubectl version
$ kubeadm version
  • Verify certificate validity
$ kubeadm certs check-expiration
  • Renew certificates
$ kubeadm certs renew all --config /etc/default/kubeadm.conf
  • Check Renewed certificates
$ kubeadm certs check-expiration
  • Restart control plane pods
$ mkdir /tmp/controlplane_manifest_backup
$ mv /etc/kubernetes/manifests/* /tmp/controlplane_manifest_backup
  • Wait for Pod removal

Wait until the kube-apiserver, kube-scheduler, and kube-controller-manager pods are removed from the master nodes.

  • Restore manifests
$ mv /tmp/controlplane_manifest_backup/* /etc/kubernetes/manifests/
  • Verify Control Plane pods
$ kubectl get pods -n kube-system
  • Update Configuration
$ cp /etc/kubernetes/admin.conf /root/.kube/config
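
The "Check Renewed certificates" step can be turned into a pass/fail gate before the control plane is restarted. The script below is an added example, not part of the original procedure: it parses the table printed by `kubeadm certs check-expiration` and lists every entry that is expired or has fewer than a given number of days left. The function names and the sample table are constructed for illustration, and the parser assumes the usual column layout (date ending in `UTC`, followed by a RESIDUAL TIME such as `364d`, `9y` or `<invalid>`).

```shell
#!/bin/sh
# Added example: gate on the output of `kubeadm certs check-expiration`.
# On a node: kubeadm certs check-expiration | certs_below_threshold 30

# Reads the table on stdin. Prints "name residual" for each certificate that
# is expired or has fewer than $1 days left; returns 1 if any were printed.
certs_below_threshold() {
    awk -v min="$1" '
        # Convert the RESIDUAL TIME column to whole days.
        function to_days(r,   n, u) {
            if (r == "<invalid>") return -1      # already expired
            n = r + 0; u = substr(r, length(r))
            if (u == "y") return n * 365
            if (u == "d") return n
            return 0                             # hours or less
        }
        # Data rows carry a date, so field 6 is the literal "UTC";
        # header and log lines do not match and are skipped.
        $6 == "UTC" && to_days($7) < min { print $1, $7; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample output (names follow kubeadm, dates are made up).
sample_output() {
    cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 01, 2030 10:00 UTC   364d            ca                      no
apiserver                  Mar 01, 2030 10:00 UTC   364d            ca                      no
apiserver-etcd-client      Jan 01, 2029 10:00 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Mar 14, 2029 10:00 UTC   12d             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 27, 2039 10:00 UTC   9y              no
EOF
}

# Demo on the constructed sample: two entries are reported.
sample_output | certs_below_threshold 30 \
    || echo "renewal incomplete: do not restart the control plane yet"
```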