Certificates secure communication between nodes in an ACK dedicated cluster. Renew certificates on both master and worker nodes — including the API server certificate and the kubelet certificate — before they expire to avoid cluster communication failures.
About two months before a certificate expires, a red button appears in the ACK console to remind you to start the renewal process.
Before you begin
Before you begin, ensure that you have:
Access to an ACK dedicated cluster
SSH access to the master and worker nodes, so that you can back them up before renewing
Usage notes
During renewal, the following control plane components restart: kube-apiserver, kube-controller-manager, and kube-scheduler. If your workloads depend directly on these components, verify that the interruption is acceptable before you start.
Schedule renewals during off-peak hours. The process takes 5–10 minutes, depending on the number of nodes. After renewal, the validity period of each manually renewed certificate is extended by five years.
Back up nodes before renewing
Back up the following paths on each node type before starting.
Master nodes
/etc/kubernetes/
/var/lib/kubelet/pki
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
/etc/kubeadm/
Business-critical data
If /var/lib/kubelet/pki is empty or you have no business-critical data, backup is not required.
Worker nodes
/etc/kubernetes/
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
/var/lib/kubelet/pki/*
Business-critical data
If /var/lib/kubelet/pki/* is empty or you have no business-critical data, backup is not required.
Certificate reference
Use the tables below to identify which certificates to renew on each node type. Most certificates have an initial validity period of 10 years and are extended by five years after each manual renewal. The exception is kubelet-client-current.pem (or kubelet-client.crt), which has a one-year validity period and is renewed automatically when it approaches expiration.
Master node certificates
| Certificate or conf file | Path | Initial validity | After renewal | Notes |
|---|---|---|---|---|
| apiserver.crt / apiserver.key | /etc/kubernetes/pki | 10 years | +5 years | |
| apiserver-kubelet-client.crt / apiserver-kubelet-client.key | /etc/kubernetes/pki | 10 years | +5 years | |
| front-proxy-client.crt / front-proxy-client.key | /etc/kubernetes/pki | 10 years | +5 years | |
| dashboard.crt / dashboard.key | /etc/kubernetes/pki/dashboard | 10 years | +5 years | |
| kubelet.crt / kubelet.key | /var/lib/kubelet/pki | 10 years | +5 years | If this path is empty or kubelet.key does not exist, renewal is not required. The cluster remains usable even if these certificates expire. |
| admin.conf | /etc/kubernetes | 10 years | +5 years | |
| kube.conf | /etc/kubernetes | 10 years | +5 years | |
| controller-manager.conf | /etc/kubernetes | 10 years | +5 years | |
| scheduler.conf | /etc/kubernetes | 10 years | +5 years | |
| kubelet.conf | /etc/kubernetes | 10 years | +5 years | |
| config | ~/.kube/ | 10 years | +5 years | |
| kubelet-client-current.pem, or kubelet-client.crt / kubelet-client.key | /var/lib/kubelet/pki | 1 year | Auto-renewed (+1 year) | If this path is empty or kubelet-client.key does not exist, renewal is not required. |
Worker node certificates
| Certificate or conf file | Path | Initial validity | After renewal | Notes |
|---|---|---|---|---|
| kubelet.crt / kubelet.key | /var/lib/kubelet/pki | 10 years | +5 years | If this path is empty or kubelet.key does not exist, renewal is not required. The cluster remains usable even if these certificates expire. |
| kubelet-client-current.pem, or kubelet-client.crt / kubelet-client.key | /var/lib/kubelet/pki | 1 year | Auto-renewed (+1 year) | If this path is empty or kubelet-client.key does not exist, renewal is not required. |
| kubelet.conf | /etc/kubernetes | 10 years | +5 years | |
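The tables above list two shapes of file: plain PEM certificates (apiserver.crt, kubelet.crt, ...) and kubeconfig files (admin.conf, scheduler.conf, ~/.kube/config, ...), which carry their client certificate as a base64-encoded PEM blob in the client-certificate-data field. That is why the .conf files have their own validity period. The following Go program is an added example, not ACK tooling or code from this page: it reads either shape, extracts the first certificate, reports the days left until its NotAfter, and flags anything within the roughly two-month window that triggers the console reminder (taken here as 60 days, an assumption). The certificates it inspects are self-signed samples generated in the program itself; on a real node you would pass the contents of the files from the tables instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// renewalWarningDays approximates the console's "about two months before expiry" reminder (assumed value).
const renewalWarningDays = 60

// ErrNoCertificate is returned when the input contains no PEM CERTIFICATE block.
var ErrNoCertificate = errors.New("no CERTIFICATE block found")

// clientCertData matches the base64 blob in a kubeconfig's client-certificate-data field.
var clientCertData = regexp.MustCompile(`client-certificate-data:\s*([A-Za-z0-9+/=]+)`)

// certBytes returns the DER bytes of the first certificate in the input. The input may be
// a PEM file such as apiserver.crt or a kubeconfig such as admin.conf; in the latter case
// the embedded client certificate is base64-decoded first.
func certBytes(input []byte) ([]byte, error) {
	if m := clientCertData.FindSubmatch(input); m != nil {
		decoded, err := base64.StdEncoding.DecodeString(string(m[1]))
		if err != nil {
			return nil, fmt.Errorf("decode client-certificate-data: %w", err)
		}
		input = decoded
	}
	for {
		var block *pem.Block
		block, input = pem.Decode(input)
		if block == nil {
			return nil, ErrNoCertificate
		}
		if block.Type == "CERTIFICATE" {
			return block.Bytes, nil
		}
	}
}

// daysUntilExpiry returns the whole days from now until the certificate's NotAfter.
// A negative value means the certificate has already expired.
func daysUntilExpiry(input []byte, now time.Time) (int, error) {
	der, err := certBytes(input)
	if err != nil {
		return 0, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

// needsRenewal reports whether the certificate is inside the renewal window or already expired.
func needsRenewal(input []byte, now time.Time) (bool, error) {
	days, err := daysUntilExpiry(input, now)
	if err != nil {
		return false, err
	}
	return days <= renewalWarningDays, nil
}

// sampleCertPEM builds a self-signed certificate with the given validity. This is constructed
// sample input for the example, not a real ACK certificate.
func sampleCertPEM(notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "kube-apiserver"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// sampleKubeconfig wraps a PEM certificate in the minimal kubeconfig shape (constructed sample).
func sampleKubeconfig(certPEM []byte) []byte {
	return []byte("users:\n- name: admin\n  user:\n    client-certificate-data: " +
		base64.StdEncoding.EncodeToString(certPEM) + "\n")
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	inputs := map[string][]byte{
		"apiserver.crt (45 days left)": sampleCertPEM(now.AddDate(-10, 0, 0), now.AddDate(0, 0, 45)),
		"admin.conf (9 years left)":    sampleKubeconfig(sampleCertPEM(now.AddDate(-1, 0, 0), now.AddDate(9, 0, 0))),
	}
	for name, in := range inputs {
		days, err := daysUntilExpiry(in, now)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-30s %5d days left, renew now: %v\n", name, days, days <= renewalWarningDays)
	}
}
```

Only the first CERTIFICATE block is inspected, which is what matters for a leaf certificate; a file that holds a chain would need every block checked. The auto-renewed kubelet-client-current.pem can be fed through the same functions, but a short remaining lifetime on that file is expected and is not by itself a reason to start the manual procedure.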
What's next
Use the console to renew expiring certificates in ACK dedicated clusters, or use the CLI to update expired certificates for an ACK dedicated cluster.
Renew etcd certificates in an ACK dedicated cluster as soon as they approach expiration.