@eagleusb
Last active February 4, 2019 14:26
Kubernetes TLS certificates renewal

TLS

Certificates generated by kubeadm are valid for one year by default.

The certificates' validity periods can be checked with openssl.

For example, connected to one of the masters:

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text
...
        Validity
            Not Before: Jan 29 13:23:38 2018 GMT
            Not After : Feb  4 13:12:46 2020 GMT
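A pre-flight check for the renewal steps that follow, added here as an example rather than taken from the original gist: it reports the remaining validity of every certificate kubeadm manages, both the PEM files under /etc/kubernetes/pki and the client certificates embedded in the kubeconfig files, and flags those inside a warning window. It assumes kubeadm default paths, openssl, base64 and GNU date (for date -d); PKI_DIR, CONF_DIR and WARN_DAYS are the script's own variables.

```shell
#!/bin/sh
# Expiry report for the certificates kubeadm manages. Added example, not part of
# the original gist. Assumes kubeadm default paths, openssl, base64 and GNU date
# (date -d). PKI_DIR, CONF_DIR and WARN_DAYS can be overridden from the environment.
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
CONF_DIR="${CONF_DIR:-/etc/kubernetes}"
WARN_DAYS="${WARN_DAYS:-30}"

# days_left NOW_EPOCH "NOT_AFTER" -> whole days until NOT_AFTER, rounded down,
# negative once expired. NOT_AFTER is what openssl prints, e.g. "Feb  4 13:12:46 2020 GMT".
days_left() {
  end=$(date -u -d "$2" +%s) || return 1
  secs=$(( end - $1 ))
  if [ "$secs" -ge 0 ]; then echo $(( secs / 86400 ))
  else echo $(( -((86399 - secs) / 86400) )); fi   # floor for negative values
}

# status_for DAYS -> EXPIRED, WARN (inside the WARN_DAYS window) or OK.
status_for() {
  if [ "$1" -lt 0 ]; then echo EXPIRED
  elif [ "$1" -lt "$WARN_DAYS" ]; then echo WARN
  else echo OK; fi
}

# not_after (PEM on stdin) -> the certificate's notAfter timestamp.
not_after() {
  openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

report() {
  now=$(date -u +%s)
  # On-disk PEM files, including the etcd ones kubeadm keeps in pki/etcd.
  for f in "$PKI_DIR"/*.crt "$PKI_DIR"/etcd/*.crt; do
    [ -f "$f" ] || continue
    d=$(days_left "$now" "$(not_after < "$f")") || continue
    printf '%-8s %5s days  %s\n' "$(status_for "$d")" "$d" "$f"
  done
  # Kubeconfigs embed their client certificate base64-encoded under
  # client-certificate-data; these are the files the renewal moves to old/.
  for c in admin controller-manager kubelet scheduler; do
    f="$CONF_DIR/$c.conf"
    [ -f "$f" ] || continue
    pem=$(awk '/client-certificate-data:/ {print $2}' "$f" | base64 -d 2>/dev/null)
    [ -n "$pem" ] || continue
    d=$(days_left "$now" "$(printf '%s\n' "$pem" | not_after)") || continue
    printf '%-8s %5s days  %s (embedded client cert)\n' "$(status_for "$d")" "$d" "$f"
  done
}

if [ "${1:-}" = "--run" ]; then report; fi
```

Run it as root on a master with `--run`; a WARN or EXPIRED line on a kubeconfig means that component's own client certificate, not just apiserver.crt, needs the renewal below.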

Renewal with kubeadm

Master

cd /etc/kubernetes/pki/
mkdir old && mv apiserver* old/
cd /etc/kubernetes/
mkdir old && mv {admin.conf,controller-manager.conf,kubelet.conf,scheduler.conf} old/
kubeadm alpha phase certs apiserver
kubeadm alpha phase certs apiserver-kubelet-client
kubeadm alpha phase kubeconfig all --apiserver-advertise-address=10.1.1.1

Restart all control-plane components (apiserver, controller-manager, scheduler), for example by restarting their Docker containers.

Nodes

Generate a bootstrap token in order to re-establish node <> master trust. On one of the masters:

kubeadm token create --print-join-command --ttl 1h
kubeadm token list

Run the printed join command on every node.

Final Check

Read your apiserver, controller-manager and scheduler logs, then fire your usual kubectl get __ commands.

NB: these steps can be done in production as they don't break running workloads; however, be careful of client commands that may be pending or in flight (CI/CD, kubectl apply...), as they will fail until the renewed credentials are in place.
