How to update k8s certificate:

Some certificates in the k8s cluster are currently expired, prompting:

Unable to connect to the server: x509: certificate has expired or is not yet valid.

Take a look at the online cluster master.

The ca.crt and front-proxy-ca.crt are not expired, but the front-proxy-client.crt, apiserver-kubelet-client.crt, and apiserver.crt are expired.

So manually passing the existing ca.key generates the apiserver.crt on the master. Refer to here. However, new errors occurred, suggesting:

the server has asked for the client to provide credentials

What is the way to update the certificate of k8s cluster?

thanks!

Anubhav Gupta
zhaoyi

1 Answer

The latest kubeadm should have support for this.

Expected commands:

renew all
renew apiserver
renew apiserver-kubelet-client
renew apiserver-etcd-client
renew front-proxy-client
renew etcd-server
renew etcd-peer
renew etcd-healthcheck-client

You generally have to review all the certs above. You can also renew them manually using openssl or cfssl, using the CA in /etc/kubernetes/pki/ca.pem

Rico
  • Can I install the latest kubeadm version on the k8s cluster of 1.7.2? – zhaoyi Sep 17 '18 at 03:55
  • I would really start with a new cluster. There's a guide to upgrade an existing kubeadm cluster from 1.7.x to 1.8.x [here](https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-8/), but that assumes that you set up your 1.7.2 cluster using kubeadm – Rico Sep 17 '18 at 04:09
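
Before or after renewing, it helps to confirm which of the certificates named in the question are expired and whether a hand-issued replacement actually chains to the right CA. The following is an added example, not code from the original post or from kubeadm; the function names and the 30-day warning window are assumptions.

```shell
# Added example, not from the original post. Assumes the kubeadm PKI layout
# named in the question; function names and the 30-day window are illustrative.

# Leaf certificate -> CA that must have signed it.
PKI_PAIRS="apiserver.crt:ca.crt
apiserver-kubelet-client.crt:ca.crt
front-proxy-client.crt:front-proxy-ca.crt"

# cert_status LEAF CA WARN_SECONDS
# Prints one of: missing, expired, untrusted, expiring, ok
cert_status() (
    leaf=$1 ca=$2 warn=$3
    { [ -r "$leaf" ] && [ -r "$ca" ]; } || { echo missing; exit 0; }
    # -checkend N exits non-zero if the cert is not valid N seconds from now
    # (an unparsable file also lands here).
    openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo expired; exit 0; }
    # A manually issued replacement must still verify against its CA.
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 \
        || { echo untrusted; exit 0; }
    openssl x509 -in "$leaf" -noout -checkend "$warn" >/dev/null 2>&1 \
        || { echo expiring; exit 0; }
    echo ok
)

# audit_pki [DIR] [WARN_SECONDS]
# Prints "<file> <status> <notAfter>" per leaf; returns 1 if any is not ok.
audit_pki() (
    dir=${1:-/etc/kubernetes/pki} warn=${2:-2592000} rc=0
    for pair in $PKI_PAIRS; do
        leaf=${pair%%:*} ca=${pair#*:}
        st=$(cert_status "$dir/$leaf" "$dir/$ca" "$warn")
        end=$(openssl x509 -in "$dir/$leaf" -noout -enddate 2>/dev/null | cut -d= -f2)
        echo "$leaf $st ${end:-n/a}"
        [ "$st" = ok ] || rc=1
    done
    exit "$rc"
)

# Usage on a master node: audit_pki /etc/kubernetes/pki 2592000
```

An `untrusted` result for a certificate that is not expired means it was signed by a different CA key than the one the file in the PKI directory belongs to.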