I recently had an issue with my kube-apiserver restarting all the time, which meant I couldn't use kubectl. The issue was related to expired certificates, which explains why it happened out of the blue. It turns out the certificates have a 1-year validity period. This shouldn't be an issue, since you're expected to upgrade your cluster every now and then, and kubeadm renews the certificates as part of an upgrade. That is not the case for me, however, because my deployed software needs a specific version of Kubernetes and Docker with Helm 2, so I'm not able to update my cluster until my software vendor supports a newer Kubernetes version.
Check your certificate expiration
kubeadm alpha certs check-expiration # Old versions of kubeadm
kubeadm certs check-expiration # Newer versions of kubeadm
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 02, 2024 00:31 UTC   362d                                    no
apiserver                  Jan 02, 2024 00:31 UTC   362d            ca                      no
apiserver-etcd-client      Jan 02, 2024 00:31 UTC   362d            etcd-ca                 no
apiserver-kubelet-client   Jan 02, 2024 00:31 UTC   362d            ca                      no
controller-manager.conf    Jan 02, 2024 00:31 UTC   362d                                    no
etcd-healthcheck-client    Jan 02, 2024 00:31 UTC   362d            etcd-ca                 no
etcd-peer                  Jan 02, 2024 00:31 UTC   362d            etcd-ca                 no
etcd-server                Jan 02, 2024 00:31 UTC   362d            etcd-ca                 no
front-proxy-client         Jan 02, 2024 00:31 UTC   362d            front-proxy-ca          no
scheduler.conf             Jan 02, 2024 00:31 UTC   362d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 20, 2031 09:22 UTC   8y              no
etcd-ca                 Dec 20, 2031 09:22 UTC   8y              no
front-proxy-ca          Dec 20, 2031 09:22 UTC   8y              no
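To catch an upcoming expiry before the API server goes down, the check-expiration output above can be fed to a small monitoring script. This is an added example, not part of the original post: the function names and the 30-day threshold are assumptions, the sample rows are constructed, and the residual-time formats it handles are assumed from kubeadm's short duration notation.

```shell
#!/bin/sh
# Added example: flag rows of `kubeadm certs check-expiration` output whose
# RESIDUAL TIME is below a threshold in days.
# Assumption: residual time is printed as <n>y, <n>d, <n>h, <n>m, <n>s, or
# "<invalid>" once a certificate has already expired.

# expiring_certs THRESHOLD_DAYS  (reads the kubeadm output on stdin)
expiring_certs() {
    awk -v limit="$1" '
        # Data rows: name, five date tokens ending in "UTC", then residual time.
        NF >= 7 && $6 == "UTC" {
            r = $7
            if (r == "<invalid>")            days = -1           # already expired
            else if (r ~ /^[0-9]+y$/)        days = (r + 0) * 365
            else if (r ~ /^[0-9]+d$/)        days = r + 0
            else if (r ~ /^[0-9]+[hms]$/)    days = 0            # under one day
            else next                                            # unknown format
            if (days < limit) print $1, r
        }'
}

# check_certs THRESHOLD_DAYS: returns 1 if anything is due (for cron or monitoring).
check_certs() {
    due=$(expiring_certs "$1")
    [ -z "$due" ] && return 0
    printf 'Certificates expiring within %s days:\n%s\n' "$1" "$due" >&2
    return 1
}

# Constructed sample in the format shown above (not from a real cluster).
sample_output() {
    cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
CERTIFICATE          EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf           Jan 02, 2024 00:31 UTC   362d                                    no
apiserver            Jan 02, 2024 00:31 UTC   12d             ca                      no
etcd-server          Jan 02, 2024 00:31 UTC   5h              etcd-ca                 no
front-proxy-client   Jan 02, 2024 00:31 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 20, 2031 09:22 UTC   8y              no
EOF
}

# On a control plane node: kubeadm certs check-expiration | check_certs 30
sample_output | expiring_certs 30
```
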
Renew your certificates
Use the following command to renew the certificates. This has to be done on all master nodes in your cluster. Wait a few minutes after the certificates have been renewed.
kubeadm alpha certs renew all # Old versions of kubeadm
kubeadm certs renew all # Newer versions of kubeadm
Update your config file so kubectl can connect using the new certificates
sudo cp /etc/kubernetes/admin.conf ~/.kube/config
sudo chown $(id -u):$(id -g) ~/.kube/config