|
| 1 | +--- |
| 2 | +approvers: |
| 3 | +- jcbsmpsn |
| 4 | +- mikedanese |
| 5 | +title: Certificate Rotation |
| 6 | +--- |
| 7 | + |
| 8 | +{% capture overview %} |
| 9 | +This page shows how to enable and configure certificate rotation for the kubelet. |
| 10 | +{% endcapture %} |
| 11 | + |
| 12 | +{% capture prerequisites %} |
| 13 | + |
| 14 | +* Kubernetes version 1.8.0 or later is required |
| 15 | + |
| 16 | +* Kubelet certificate rotation is beta in 1.8.0 which means it may change without notice. |
| 17 | + |
| 18 | +{% endcapture %} |
| 19 | + |
| 20 | +{% capture steps %} |
| 21 | + |
| 22 | +## Overview |
| 23 | + |
| 24 | +The kubelet uses certificates for authenticating to the Kubernetes API. By |
| 25 | +default, these certificates are issued with one year expiration so that they do |
| 26 | +not need to be renewed too frequently. |
| 27 | + |
| 28 | +Kubernetes 1.8 contains [kubelet certificate |
| 29 | +rotation](/docs/tasks/administer-cluster/certificate-rotation/), a beta feature |
| 30 | +that will automatically generate a new key and request a new certificate from |
| 31 | +the Kubernetes API as the current certificate approaches expiration. Once the |
| 32 | +new certificate is available, it will be used for authenticating connections to |
| 33 | +the Kubernetes API. |
| 34 | + |
| 35 | +## Configuration and determining whether certificate rotation is already enabled |
| 36 | + |
| 37 | +The `kubelet` process accepts an argument `--rotate-certificates` that controls |
| 38 | +if the kubelet will automatically request a new certificate as the expiration of |
| 39 | +the certificate currently in use approaches. Since certificate rotation is a |
| 40 | +beta feature, the feature flag must also be enabled with |
| 41 | +`--feature-gates=RotateKubeletClientCertificate=true`. |
| 42 | + |
| 43 | + |
| 44 | +The `kube-controller-manager` process accepts an argument |
| 45 | +`--experimental-cluster-signing-duration` that controls how long certificates |
| 46 | +will be issued for. |
| 47 | + |
| 48 | +## Understanding the certificate rotation configuration |
| 49 | + |
| 50 | +When a kubelet starts up, if it is configured to bootstrap (using the |
| 51 | +`--bootstrap-kubeconfig` flag), it will use its initial certificate to connect |
| 52 | +to the Kubernetes API and issue a certificate signing request. You can view the |
| 53 | +status of certificate signing requests using: |
| 54 | + |
| 55 | +```sh |
| 56 | +kubectl get csr |
| 57 | +``` |
| 58 | + |
| 59 | +Initially a certificate signing request from the kubelet on a node will have a |
| 60 | +status of `Pending`. If the certificate signing requests meets specific |
| 61 | +criteria, it will be auto approved by the controller manager, then it will have |
| 62 | +a status of `Approved`. Next, the controller manager will sign a certificate, |
| 63 | +issued for the duration specified by the |
| 64 | +`--experimental-cluster-signing-duration` parameter, and the signed certificate |
| 65 | +will be attached to the certificate signing requests. |
| 66 | + |
| 67 | +The kubelet will retrieve the signed certificate from the Kubernetes API and |
| 68 | +write that to disk, in the location specified by `--cert-dir`. Then the kubelet |
| 69 | +will restart itself and use the new certificate to connect to the Kubernetes |
| 70 | +API. |
| 71 | + |
| 72 | +As the expiration of the signed certificate approaches, the kubelet will |
| 73 | +automatically issue a new certificate signing request, using the Kubernetes |
| 74 | +API. Again, the controller manager will automatically approve the certificate |
| 75 | +request and attach a signed certificate to the certificate signing request. The |
| 76 | +kubelet will retrieve the new signed certificate from the Kubernetes API and |
| 77 | +write that to disk. Then it will update the connections it has to the |
| 78 | +Kubernetes API to reconnect using the new certificate. |
| 79 | + |
| 80 | +{% endcapture %} |
| 81 | + |
| 82 | +{% include templates/task.md %} |
0 commit comments