Managing Certificates
Check Certificate Expiration
You can use the crit certs list
command to check when certificates expire:
$ crit certs list
Certificate Authorities:
========================
Name CN Expires NotAfter
ca kubernetes 9y 2030-09-27T01:45:12Z
front-proxy-ca front-proxy-ca 9y 2030-09-27T16:36:08Z
Certificates:
=============
Name CN Expires NotAfter
apiserver kube-apiserver 364d 2021-09-29T23:54:16Z
apiserver-kubelet-client kube-apiserver-kubelet-client 364d 2021-09-29T23:54:16Z
apiserver-healthcheck-client system:basic-info-viewer 364d 2021-09-29T23:54:16Z
front-proxy-client front-proxy-client 364d 2021-09-29T23:54:17Z
Rotating Certificates
There are several different solutions pertaining to certificate rotation. The appropriate solution greatly depends on an organization's use case. Some things to consider:
- Does certificate rotation need to intergrate with an organization's existing certificate infrastructure?
- Can certificate approval and signing be automated, or does it require a cluster administrator?
- How often do certificates need to be rotated?
- How many clusters need to be supported?
Rotating with Crit
Certificates can be renewed with crit certs renew
. Note, this does not renew the CA.
Rotating with the Kubernetes certificates API
Kubernetes provides a Certificate API that can be used to provision certificates using certificate signing requests.
Kubelet Certificate
The kubelet certificate can be automatically renewed using the kubernetes api.
Advanced Certificate Rotation
Organizations that require an automated certificate rotation solution that integrates with existing certificate infrastructure should consider projects like cert-manager.