When the certificates on cluster nodes expire, kubectl commands fail and API operations return errors because the nodes can no longer communicate with the API server. Expired certificates cannot be renewed through template-based deployment. To renew them, log on to each node and run the docker run command described below.
Prerequisites
Before you begin, ensure that you have:
Root user access to each master node and worker node in the cluster
Renew master node certificates
Log on to a master node as the root user and run:

docker run -it --privileged=true -v /:/alicoud-k8s-host --pid host --net host \
  registry.cn-hangzhou.aliyuncs.com/acs/cert-rotate:v1.0.0 /renew/upgrade-k8s.sh --role master

Repeat this on each master node in the cluster.
Renew worker node certificates
Worker node renewal requires the root CA private key from a master node. Complete the following steps for each worker node.

1. Log on to a master node as the root user and get the root CA private key:

cat /etc/kubernetes/pki/ca.key

2. Encode the root CA private key in Base64. Run one of the following commands, depending on whether the key contains a blank line.

If the key contains a blank line:

sed '1d' /etc/kubernetes/pki/ca.key | base64 -w 0

If the key does not contain a blank line:

cat /etc/kubernetes/pki/ca.key | base64 -w 0

Copy the output. This is the value of ${base64CAKey} in the next step.

3. Log on to the worker node as the root user and run:

docker run -it --privileged=true -v /:/alicoud-k8s-host --pid host --net host \
  registry.cn-hangzhou.aliyuncs.com/acs/cert-rotate:v1.0.0 /renew/upgrade-k8s.sh --role node --rootkey ${base64CAKey}

Replace ${base64CAKey} with the Base64-encoded root CA private key from step 2.

Repeat steps 1 to 3 for each worker node in the cluster.
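The following POSIX shell helpers are an added example and are not part of the original page or of the cert-rotate tool. They cover two checks a practitioner wants around this procedure: listing which certificates under the kubeadm PKI directory have actually expired before running the container, and producing the ${base64CAKey} value in one step that drops blank lines, so it gives the same result in both cases of step 2. It assumes the default /etc/kubernetes/pki layout (overridable via PKI_DIR), openssl, and GNU base64 -w 0 as used above.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes the kubeadm PKI layout
# under /etc/kubernetes/pki (override with PKI_DIR) and GNU coreutils base64.

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"

# Return 0 if the certificate file $1 is still valid for at least $2 seconds
# (default 0, i.e. it has not yet expired); 1 if it has expired, will expire
# within that window, or cannot be parsed as an X.509 certificate.
cert_valid_for() {
    openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null 2>&1
}

# Print every certificate in the PKI directory (top level and one level of
# subdirectories such as etcd/) that is expired or expires within $2 seconds.
# Run this on a node to confirm the symptom described above before renewing.
expired_certs() {
    dir="${1:-$PKI_DIR}"
    for c in "$dir"/*.crt "$dir"/*/*.crt; do
        [ -f "$c" ] || continue
        cert_valid_for "$c" "${2:-0}" || printf '%s\n' "$c"
    done
}

# Print the value for --rootkey. Every blank line is dropped before encoding,
# so the result is identical whether or not ca.key contains a blank line (the
# sed '1d' and cat cases in step 2); a PEM key never has meaningful blank lines.
# -w 0 keeps the output on a single line, as the docker argument requires.
encode_ca_key() {
    grep -v '^[[:space:]]*$' "${1:-$PKI_DIR/ca.key}" | base64 -w 0
}

# Typical use on a master node (as root):
#   expired_certs                     # list certificates that have lapsed
#   base64CAKey=$(encode_ca_key)      # capture the value without printing it
```

Capturing the encoder's output into a variable, as in the trailing comment, keeps the key out of the terminal scrollback; the value still appears in the docker command line on the worker node, so clear that shell's history when finished.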