You can use the `crit certs list` command to check when certificates expire:
```
$ crit certs list
Certificate Authorities:
========================
Name             CN               Expires   NotAfter
ca               kubernetes       9y        2030-09-27T01:45:12Z
front-proxy-ca   front-proxy-ca   9y        2030-09-27T16:36:08Z

Certificates:
=============
Name                           CN                              Expires   NotAfter
apiserver                      kube-apiserver                  364d      2021-09-29T23:54:16Z
apiserver-kubelet-client       kube-apiserver-kubelet-client   364d      2021-09-29T23:54:16Z
apiserver-healthcheck-client   system:basic-info-viewer        364d      2021-09-29T23:54:16Z
front-proxy-client             front-proxy-client              364d      2021-09-29T23:54:17Z
```
There are several different solutions pertaining to certificate rotation. The appropriate solution greatly depends on an organization's use case. Some things to consider:
- Does certificate rotation need to integrate with an organization's existing certificate infrastructure?
- Can certificate approval and signing be automated, or does it require a cluster administrator?
- How often do certificates need to be rotated?
- How many clusters need to be supported?
Certificates can be renewed with `crit certs renew`. Note, this does not renew the CA.
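As an added example (not part of crit), the following script parses the `crit certs list` output shown above and separates certificates that `crit certs renew` can handle from CAs that it cannot. The function names, the 30-day window, and the assumption that the text layout matches the listing on this page are choices made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: stdout of `crit certs list`, values taken from the listing above.
SAMPLE = """\
Certificate Authorities:
========================
Name            CN              Expires  NotAfter
ca              kubernetes      9y       2030-09-27T01:45:12Z
front-proxy-ca  front-proxy-ca  9y       2030-09-27T16:36:08Z

Certificates:
=============
Name                          CN                             Expires  NotAfter
apiserver                     kube-apiserver                 364d     2021-09-29T23:54:16Z
apiserver-kubelet-client      kube-apiserver-kubelet-client  364d     2021-09-29T23:54:16Z
apiserver-healthcheck-client  system:basic-info-viewer       364d     2021-09-29T23:54:16Z
front-proxy-client            front-proxy-client             364d     2021-09-29T23:54:17Z
"""

def parse_cert_list(text):
    """Return [(section, name, cn, not_after)] for every data row in the listing."""
    rows, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):          # "Certificate Authorities:" / "Certificates:"
            section = line[:-1]
            continue
        fields = line.split()
        if len(fields) != 4:            # blank line or ===== rule
            continue
        try:
            # Use the exact NotAfter timestamp; the Expires column is rounded.
            not_after = datetime.strptime(fields[3], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:              # column header row
            continue
        rows.append((section, fields[0], fields[1], not_after.replace(tzinfo=timezone.utc)))
    return rows

def renewal_report(rows, now, window=timedelta(days=30)):
    """Names expiring within `window` of `now`: (renewable certs, CAs)."""
    due = [r for r in rows if r[3] - now <= window]
    leaf = [r[1] for r in due if r[0] == "Certificates"]
    cas = [r[1] for r in due if r[0] == "Certificate Authorities"]
    return leaf, cas

if __name__ == "__main__":
    now = datetime(2021, 9, 10, tzinfo=timezone.utc)  # constructed "current time"
    leaf, cas = renewal_report(parse_cert_list(SAMPLE), now)
    print("renew with `crit certs renew`:", leaf)
    print("CA expiring, not covered by `crit certs renew`:", cas)
```

In a scheduled job, replace `SAMPLE` with the captured output of `crit certs list` and `now` with `datetime.now(timezone.utc)`.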
The kubelet certificate can be automatically renewed using the Kubernetes API.
Organizations that require an automated certificate rotation solution that integrates with existing certificate infrastructure should consider projects like cert-manager.