
Certificate management with kubeadm

The official documentation for certificate management in Kubernetes v1.30 is linked at the bottom of this page.

Default behavior

If you do nothing special before running kubeadm init on the control-plane node, kubeadm generates every certificate the cluster needs. The generated certificates and private keys are placed in /etc/kubernetes/pki/.

Use custom certificates

You can also generate all the required certificates yourself in a folder of your choice and tell kubeadm to use that folder as its certificate directory.

The certificate directory can be set with the --cert-dir flag or the certificatesDir field of kubeadm's ClusterConfiguration; the default is /etc/kubernetes/pki/.

The simplest approach is to place your root CA certificate and private key in /etc/kubernetes/pki/ before running kubeadm init. kubeadm then signs all the required certificates with this CA instead of generating a new one.

# copy the CA certificate and private key into the certificate directory
# (ca.key is the cluster's root of trust: keep it readable by root only)
cp ca.crt /etc/kubernetes/pki/ca.crt
cp ca.key /etc/kubernetes/pki/ca.key

# run kubeadm init; it picks up the existing CA and signs everything else with it
sudo kubeadm init

Renew certificates of an existing cluster

# step 0: view the validity of the current certificates
sudo kubeadm certs check-expiration

# step 1: back up the existing certificates
sudo cp -r /etc/kubernetes/pki /etc/kubernetes/pki-backup

# step 2: put your root CA certificate and private key into these two files
#         (only needed when you supply your own CA; this command does not renew the CA itself)
sudo vim /etc/kubernetes/pki/ca.crt
sudo vim /etc/kubernetes/pki/ca.key

# step 3: call the renew command to renew the certificates for all services
#         afterwards restart the control-plane static pods (kube-apiserver,
#         kube-controller-manager, kube-scheduler) so they load the new certificates
sudo kubeadm certs renew all
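As an added example (not part of the original page), a small Python script that turns step 0 into a monitoring check: it parses the table printed by `kubeadm certs check-expiration` and lists the certificates that expire within a warning window, so renewal can be scheduled before the control plane stops working. The column layout is the one kubeadm prints; the sample output, the `NOW` timestamp and the function names are constructed for this example.

```python
"""Flag kubeadm-managed certificates that are close to expiry.

Added example: parses `sudo kubeadm certs check-expiration` output and
returns the certificates whose EXPIRES date falls within a warning window.
The sample below is constructed, not captured from a real cluster.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of the two tables kubeadm prints (leaf certs, then CAs).
SAMPLE_OUTPUT = """\
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 15, 2025 10:00 UTC   20d                                     no
apiserver                  Jan 15, 2025 10:00 UTC   20d             ca                      no
apiserver-etcd-client      Jan 15, 2025 10:00 UTC   20d             etcd-ca                 no
front-proxy-client         Dec 01, 2025 10:00 UTC   340d            front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 26, 2034 10:00 UTC   9y              no
etcd-ca                 Dec 26, 2034 10:00 UTC   9y              no
"""

# Constructed "current" time used by the demo run below.
NOW = datetime(2024, 12, 26, 10, 0)

# One table row: name, an EXPIRES value like "Jan 15, 2025 10:00 UTC",
# anything in between, and the EXTERNALLY MANAGED flag at the end.
ROW_RE = re.compile(
    r"^(\S+)\s+([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2} UTC)\b.*?(yes|no)\s*$")


def parse_expirations(text):
    """Return {cert_name: (expires_utc, externally_managed)} from the output."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner lines, headers and blank lines carry no row
        name, when, managed = m.groups()
        expires = datetime.strptime(when, "%b %d, %Y %H:%M UTC")  # naive UTC
        certs[name] = (expires, managed == "yes")
    return certs


def expiring_within(text, now, days=30):
    """Sorted names of certs (CAs included) that expire within `days` of `now`."""
    deadline = now + timedelta(days=days)
    return sorted(n for n, (exp, _) in parse_expirations(text).items() if exp <= deadline)


if __name__ == "__main__":
    for name in expiring_within(SAMPLE_OUTPUT, NOW):
        print("renew soon:", name)
```

CA rows are reported too because `kubeadm certs renew all` only re-signs the leaf certificates; an expiring CA needs a separate rotation plan.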

Manage certificates with kubeadm (post-installation)

https://v1-30.docs.kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/

Best practices

https://v1-30.docs.kubernetes.io/docs/setup/best-practices/certificates/