Renew the certificates in an ACK dedicated cluster - Container Service for Kubernetes

To ensure the security of communication between nodes, you must periodically check and renew the certificates of the master and worker nodes in a cluster, including the API server certificate and kubelet certificate. About two months before a certificate in an ACK dedicated cluster expires, a red button appears in the console to remind you to renew the certificate.

Usage notes

During the renewal process, the following system components are restarted: kube-apiserver, kube-controller-manager, and kube-scheduler. If your business logic is strongly reliant on these system components, make sure that your businesses will not be interrupted before you start. We recommend that you renew certificates during off-peak hours.

It requires about 5 to 10 minutes to complete the renewal process. The actual time cost depends on the number of nodes in the cluster. After the certificate is renewed, its validity period is extended by five years.

Backup

Node type	Backup content
Master	/etc/kubernetes/ /var/lib/kubelet/pki /etc/systemd/system/kubelet.service.d/10-kubeadm.conf /etc/kubeadm/ Business-critical data Note If /var/lib/kubelet/pki is empty or you have no business-critical data, backup is not required.
Worker	/etc/kubernetes/ /etc/systemd/system/kubelet.service.d/10-kubeadm.conf /var/lib/kubelet/pki/* Business-critical data Note If /var/lib/kubelet/pki/* is empty or you have no business-critical data, backup is not required.

Renew certificates

Table 1. Master nodes

Certificate or conf filename	Path	Validity period
apiserver.crt apiserver.key	/etc/kubernetes/pki	The initial validity period is 10 years. The validity period is extended by five years after renewal.
apiserver-kubelet-client.crt apiserver-kubelet-client.key	/etc/kubernetes/pki	The initial validity period is 10 years. The validity period is extended by five years after renewal.
front-proxy-client.crt front-proxy-client.key	/etc/kubernetes/pki	The initial validity period is 10 years. The validity period is extended by five years after renewal.
dashboard.crt dashboard.key	/etc/kubernetes/pki/dashboard	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kubelet.crt kubelet.key Note If the kubelet.key file does not exist, renewal is not required. You can still use the cluster after kubelet.crt and kubelet.key expire.	/var/lib/kubelet/pki Note If this path is empty, renewal is not required.	The initial validity period is 10 years. The validity period is extended by five years after renewal.
admin.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kube.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
controller-manager.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
scheduler.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kubelet.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.
config	~/.kube/	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kubelet-client-current.pem or kubelet-client.crt kubelet-client.key Note If the kubelet-client.key file does not exist, renewal is not required.	/var/lib/kubelet/pki Note If this path is empty, renewal is not required.	The initial validity period is one year. When the certificate is about to expire, it is automatically renewed and the validity period is extended by one year.

Table 2. Worker nodes

Certificate or conf filename	Path	Validity period
kubelet.crt kubelet.key Note If the kubelet.key file does not exist, renewal is not required. You can still use the cluster after kubelet.crt and kubelet.key expire.	/var/lib/kubelet/pki Note If this path is empty, renewal is not required.	The initial validity period is 10 years. The validity period is extended by five years after renewal.
kubelet-client-current.pem or kubelet-client.crt kubelet-client.key Note If the kubelet-client.key file does not exist, renewal is not required.	/var/lib/kubelet/pki Note If this path is empty, renewal is not required.	The initial validity period is one year. When the certificate is about to expire, it is automatically renewed and the validity period is extended by one year.
kubelet.conf	/etc/kubernetes	The initial validity period is 10 years. The validity period is extended by five years after renewal.

References

You can use the console or CLI to renew certificates that are about to expire or have expired in an ACK dedicated cluster. For more information, see Renew expiring certificates in ACK dedicated clusters and Update expired certificates for an ACK dedicated cluster.
Renew etcd certificates in an ACK dedicated cluster that are about to expire as soon as possible.