Renewing Kubernetes cluster certificates

The Kubernetes cluster certificates have a lifespan of one year. If the Kubernetes cluster certificate expires on the Kubernetes master, then the kubelet service will fail. Issuing a kubectl command, such as kubectl get pods or kubectl exec -it container_name bash, will result in a message similar to Unable to connect to the server: x509: certificate has expired or is not yet valid.

1. Log on to the Kubernetes master node as the root user and run the following command to check when the Kubernetes certificates will expire.

   kubeadm alpha certs check-expiration

   The output will be similar to the following. In this case the certificates will expire in 273 days.

   CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
   admin.conf                 Sep 17, 2020 21:24 UTC   273d            no
   apiserver                  Sep 17, 2020 21:24 UTC   273d            no
   apiserver-etcd-client      Sep 17, 2020 21:24 UTC   273d            no
   apiserver-kubelet-client   Sep 17, 2020 21:24 UTC   273d            no
   controller-manager.conf    Sep 17, 2020 21:24 UTC   273d            no
   etcd-healthcheck-client    Sep 17, 2020 21:24 UTC   273d            no
   etcd-peer                  Sep 17, 2020 21:24 UTC   273d            no
   etcd-server                Sep 17, 2020 21:24 UTC   273d            no
   front-proxy-client         Sep 17, 2020 21:24 UTC   273d            no
   scheduler.conf             Sep 17, 2020 21:24 UTC   273d            no

2. Run the following commands to back up the existing Kubernetes certificates:

   mkdir -p $HOME/fcik8s-old-certs/pki
   /bin/cp -p /etc/kubernetes/pki/*.* $HOME/fcik8s-old-certs/pki
   ls -l $HOME/fcik8s-old-certs/pki/

   The output will be similar to the following:

   total 56
   -rw-r--r-- 1 root root 1261 Sep  4  2019 apiserver.crt
   -rw-r--r-- 1 root root 1090 Sep  4  2019 apiserver-etcd-client.crt
   -rw------- 1 root root 1679 Sep  4  2019 apiserver-etcd-client.key
   -rw------- 1 root root 1679 Sep  4  2019 apiserver.key
   -rw-r--r-- 1 root root 1099 Sep  4  2019 apiserver-kubelet-client.crt
   -rw------- 1 root root 1679 Sep  4  2019 apiserver-kubelet-client.key
   -rw-r--r-- 1 root root 1025 Sep  4  2019 ca.crt
   -rw------- 1 root root 1675 Sep  4  2019 ca.key
   -rw-r--r-- 1 root root 1038 Sep  4  2019 front-proxy-ca.crt
   -rw------- 1 root root 1675 Sep  4  2019 front-proxy-ca.key
   -rw-r--r-- 1 root root 1058 Sep  4  2019 front-proxy-client.crt
   -rw------- 1 root root 1679 Sep  4  2019 front-proxy-client.key
   -rw------- 1 root root 1675 Sep  4  2019 sa.key
   -rw------- 1 root root  451 Sep  4  2019 sa.pub

3. Run the following commands to back up the existing configurtion files:

   /bin/cp -p /etc/kubernetes/*.conf $HOME/fcik8s-old-certs
   ls -ltr $HOME/fcik8s-old-certs

   The output will be similar to the following:

   total 36
   -rw------- 1 root root 5451 Sep  4  2019 admin.conf
   -rw------- 1 root root 5595 Sep  4  2019 kubelet.conf
   -rw------- 1 root root 5483 Sep  4  2019 controller-manager.conf
   -rw------- 1 root root 5435 Sep  4  2019 scheduler.conf
   drwxr-xr-x 2 root root 4096 Dec 19 21:21 pki

4. Run the following commands to back up your home configuration:

   mkdir -p $HOME/fcik8s-old-certs/.kube
   /bin/cp -p ~/.kube/config $HOME/fcik8s-old-certs/.kube/.
   ls -l $HOME/fcik8s-old-certs/.kube/.

   The output will be similar to the following:

   -rw------- 1 root root 5451 Sep  4  2019 config

5. Run the following command to renew all the Kubernetes certificates:

   kubeadm alpha certs renew all

   The output of the command will be similar to the following:

   certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
   certificate for serving the Kubernetes API renewed
   certificate the apiserver uses to access etcd renewed
   certificate for the API server to connect to kubelet renewed
   certificate embedded in the kubeconfig file for the controller manager to use renewed
   certificate for liveness probes to healtcheck etcd renewed
   certificate for etcd nodes to communicate with each other renewed
   certificate for serving etcd renewed
   certificate for the front proxy client renewed
   certificate embedded in the kubeconfig file for the scheduler manager to use renewed

6. Run the following command to confirm the certificates have been renewed and will expire in 364 days:

   kubeadm alpha certs check-expiration

   The output should look similar to the following:

   CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
   admin.conf                 Dec 20, 2021 02:35 UTC   364d            no      
   apiserver                  Dec 20, 2021 02:35 UTC   364d            no      
   apiserver-etcd-client      Dec 20, 2021 02:35 UTC   364d            no      
   apiserver-kubelet-client   Dec 20, 2021 02:35 UTC   364d            no      
   controller-manager.conf    Dec 20, 2021 02:35 UTC   364d            no      
   etcd-healthcheck-client    Dec 20, 2021 02:35 UTC   364d            no      
   etcd-peer                  Dec 20, 2021 02:35 UTC   364d            no      
   etcd-server                Dec 20, 2021 02:35 UTC   364d            no      
   front-proxy-client         Dec 20, 2021 02:35 UTC   364d            no      
   scheduler.conf             Dec 20, 2021 02:35 UTC   364d            no

7. Confirm the kubelet services are running and communication between the worker nodes and the Kubernetes master is working.
8. After waiting a few minutes, run the following command from the Kubernetes master node to confirm that the worker nodes are available:

   kubectl get nodes

   If you get a response similar to the following:

   The connection to the server 9.37.21.119:6443 was refused - did you specify the right host or port?
   

   continue with the next steps to resolve the issue. Otherwise, your Kubernetes cluster certificates have been successfully renewed.
9. Run the following command:

   diff $HOME/fcik8s-old-certs/kubelet.conf /etc/kubernetes/kubelet.conf

   If there is no output, the kubelet.conf file was not updated with the new certificate information.
10. Update the /etc/kubernetes/kubelet.conf file and display the difference from the old version to the new one:

    cd /etc/kubernetes
    sudo kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > kubelet.conf
    diff $HOME/fcik8s-old-certs/kubelet.conf /etc/kubernetes/kubelet.conf

    If the output shows a difference, the file kubelet.conf was updated with the new certificate information.
11. Run the following command:

    diff ~/.kube/config $HOME/fcik8s-old-certs/.kube/config

    If there is no output, the config file still has the outdated keys and certificate values in it.
12. Update client-certificate-data and client-key-data in ~/.kube/config with the values from the updated file in /etc/kubernetes/kubelet.conf:

    • cat /etc/kubernetes/kubelet.conf

      Select and copy the output after client-key-data:.

    • In the ~/.kube/config file, replace the information after client-key-data: with the text copied in the previous step.

    • cat /etc/kubernetes/kubelet.conf

      Select and copy the output after client-certificate-data:.

    • In the ~/.kube/config file, replace the information after client-certificate-data: with the text copied in the previous step.
13. Restart the kubelet service:

    systemctl daemon-reload&&systemctl restart kubelet

    This command is successful if there is no output.
14. Verify master and worker nodes are available:

    kubectl get nodes

15. Verify all pods are in the running state:

    kubectl get pods