Kubernetes certificates secure communication between cluster components. Monitor expiration dates and renew certificates before they expire to prevent service disruptions.

Key Concepts

Certificate

X.509 certificate used for TLS between Kubernetes components, both to prove a server's identity and to authenticate clients (for example, the API server presenting a client certificate to the kubelet).

Certificate Authority

The CA that signs cluster certificates (ca, etcd-ca, front-proxy-ca).

Renewal

Re-issuing certificates, signed by the existing CA, with a fresh validity period before the current ones expire.

Expiry

Certificates issued by kubeadm are valid for one year by default; the CA certificates that sign them are valid for ten years.

Required Permissions

Action              Permission
View certificates   iam:project:infrastructure:kubernetes:read
Renew certificates  iam:project:infrastructure:kubernetes:write

Certificate Status Levels

Status         Time remaining        Action Required
Valid          more than 30 days     Monitor regularly
Expiring Soon  8 to 30 days          Plan renewal
Critical       1 to 7 days           Renew immediately
Expired        past the expiry date  Renew urgently; components that rely on the certificate will fail to authenticate

How to Check Certificate Status

1. Select Cluster: choose a cluster from the dropdown.
2. View Status: the certificate status page shows overall health and individual certificate details.
3. Review Expiring Certificates: focus on certificates in Critical or Expiring Soon status.
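The same check can be scripted on a master node. The script below is an added example and not the platform's own code: it reads the output of kubeadm certs check-expiration (kubeadm 1.20 or later; older releases use kubeadm alpha certs check-expiration), converts the RESIDUAL TIME column to days and maps each leaf certificate to the status levels used on this page. The column layout it parses, the sample report, and the decision to treat "0 days" as Critical are assumptions made here; CA certificates are skipped because their rotation is a separate procedure.

```shell
#!/bin/sh
# Added example (not the platform's own code): classify kubeadm-managed
# certificates by residual validity using the status levels on this page.
# Assumptions: kubeadm >= 1.20 on a master node, run as root, and the column
# layout of `kubeadm certs check-expiration` as shown in SAMPLE_REPORT.

# Convert kubeadm's RESIDUAL TIME column ("364d", "9y", "22h", "<invalid>")
# to whole days. Anything under a day rounds down to 0; "<invalid>" means the
# certificate has already expired.
residual_to_days() {
  case "$1" in
    '<invalid>') printf '%s\n' -1 ;;
    *y) printf '%s\n' $(( ${1%y} * 365 )) ;;
    *d) printf '%s\n' "${1%d}" ;;
    *h|*m|*s) printf '%s\n' 0 ;;
    *) printf '%s\n' -1 ;;   # unknown format: flag it rather than silently skip
  esac
}

# Map days remaining to the status levels of this page. 0 days (expires later
# today) is treated as Critical.
status_for_days() {
  if [ "$1" -lt 0 ]; then printf 'Expired\n'
  elif [ "$1" -le 7 ]; then printf 'Critical\n'
  elif [ "$1" -le 30 ]; then printf 'Expiring Soon\n'
  else printf 'Valid\n'
  fi
}

# Read a check-expiration report on stdin and print one line per leaf
# certificate: "<name> <days-remaining> <status>". The second table (CAs)
# is skipped; CA rotation is a separate procedure.
classify_report() {
  awk '
    /^CERTIFICATE AUTHORITY/ { exit }            # start of the CA table
    /^\[/ || /^CERTIFICATE/ || /^$/ { next }     # kubeadm preamble, header, blank
    { print $1, $7 }                             # name and RESIDUAL TIME columns
  ' | while read -r name residual; do
    days=$(residual_to_days "$residual")
    printf '%s %s %s\n' "$name" "$days" "$(status_for_days "$days")"
  done
}

# Print only the certificates that need action: Critical or Expired by
# default; pass 30 to include Expiring Soon.
certs_needing_action() {
  threshold=${1:-7}
  classify_report | awk -v t="$threshold" '$2 <= t'
}

# Constructed sample in kubeadm's report format (dates are illustrative).
SAMPLE_REPORT='CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 30, 2024 23:36 UTC   364d            ca                      no
apiserver                  Jan 12, 2024 23:36 UTC   12d             ca                      no
apiserver-etcd-client      Jan 03, 2024 23:36 UTC   3d              etcd-ca                 no
etcd-server                Dec 20, 2023 23:36 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Jan 01, 2024 10:00 UTC   22h             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 28, 2033 23:36 UTC   9y              no'

# On a real master node read the live report; elsewhere use the sample.
if [ "$(id -u)" -eq 0 ] && command -v kubeadm >/dev/null 2>&1; then
  kubeadm certs check-expiration | classify_report
else
  printf '%s\n' "$SAMPLE_REPORT" | classify_report
fi
```

Run it as root on each master node; in an HA cluster every master has its own copies of the certificates, so a single node's report is not sufficient. The kubelet's own certificates under /var/lib/kubelet/pki are not listed by kubeadm because the kubelet rotates them itself.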

How to Renew Certificates

1. Select Cluster: choose the cluster with expiring certificates.
2. Click Renew All: this regenerates all cluster certificates.
3. Confirm: confirm the renewal operation.
4. Monitor: wait for the operation to complete. Components will restart with the new certificates.
Certificate renewal may cause brief disruption while components restart. Plan renewals during maintenance windows for production clusters.
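The Troubleshooting section refers to renewing manually over SSH when the platform cannot reach the cluster. The script below is an added example of that path on one master node, not the platform's implementation. It assumes a root shell on the node, kubeadm 1.20 or later, a static-pod control plane with manifests in /etc/kubernetes/manifests, and openssl and kubectl on the node. The restart step is the part renewal alone does not do: kubeadm rewrites the files on disk, but the running API server, controller manager, scheduler and etcd keep the old certificates in memory until they restart, so the script also compares the certificate the API server actually presents with the renewed file. In an HA cluster run it on one master at a time, since moving the manifests takes that node's control plane down for the wait period.

```shell
#!/bin/sh
# Added example (not the platform's own code): manual certificate renewal on
# one master node. Assumptions: root shell, kubeadm >= 1.20, static-pod
# control plane under /etc/kubernetes/manifests, openssl and kubectl present.

MANIFESTS=${MANIFESTS:-/etc/kubernetes/manifests}
PKI=${PKI:-/etc/kubernetes/pki}
ADMIN_CONF=${ADMIN_CONF:-/etc/kubernetes/admin.conf}
API_ENDPOINT=${API_ENDPOINT:-127.0.0.1:6443}

# Re-issue every kubeadm-managed leaf certificate and kubeconfig (CAs are left
# untouched; kubelet.conf is not included because the kubelet rotates its own
# certificate). Use "kubeadm certs renew <name>" for a single certificate.
renew_all() {
  kubeadm certs renew all
}

# Static pods are not restarted by renewal. Moving the manifests out makes the
# kubelet stop the pods; moving them back recreates them, and the new
# processes read the renewed files. $2 is how long to give the kubelet.
restart_static_pods() {
  dir=$1; wait=${2:-20}
  hold=$(mktemp -d)
  mv "$dir"/*.yaml "$hold"/
  sleep "$wait"
  mv "$hold"/*.yaml "$dir"/
  rmdir "$hold"
}

# Retry a command until it succeeds or the timeout (seconds) passes.
wait_for() {
  deadline=$(( $(date +%s) + $1 )); shift
  until "$@"; do
    [ "$(date +%s)" -ge "$deadline" ] && return 1
    sleep 2
  done
}

# SHA-256 fingerprint of a certificate file, and of the certificate the API
# server is actually presenting on the wire.
file_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
presented_fingerprint() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

main() {
  renew_all
  restart_static_pods "$MANIFESTS" 20
  # The renewed admin.conf must be able to reach the restarted API server.
  wait_for 120 kubectl --kubeconfig "$ADMIN_CONF" get --raw /readyz >/dev/null \
    || { echo "API server did not become ready; check kubelet logs" >&2; return 1; }
  on_disk=$(file_fingerprint "$PKI/apiserver.crt")
  served=$(presented_fingerprint "$API_ENDPOINT")
  if [ "$on_disk" != "$served" ]; then
    echo "apiserver is still serving the old certificate; it did not restart" >&2
    return 1
  fi
  echo "renewal verified: apiserver presents $served"
  # Copies of admin.conf kept elsewhere (for example ~/.kube/config) still
  # contain the old client certificate and must be replaced from $ADMIN_CONF.
}

# Only run for real on a master node; the functions can be sourced elsewhere.
if [ "$(id -u)" -eq 0 ] && command -v kubeadm >/dev/null 2>&1; then
  main
fi
```

If the fingerprints differ after the wait, the kubelet has not recreated the API server pod; its logs are the place to look before retrying. The same fingerprint comparison works for the etcd server certificate on port 2379, though etcd requires a client certificate on that port, so pass -cert and -key to s_client.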

Common Kubernetes Certificates

Certificate                Purpose
apiserver                  Serving certificate for the API server's TLS endpoint
apiserver-kubelet-client   Client certificate the API server presents to kubelets (logs, exec, port-forward)
apiserver-etcd-client      Client certificate the API server presents to etcd
etcd-server                Serving certificate for the etcd client endpoint
etcd-peer                  Certificate for communication between etcd cluster members
front-proxy-client         Client certificate the API server presents to aggregated API servers through the front proxy
admin.conf                 Client certificate embedded in the admin kubeconfig

Troubleshooting

Certificates have already expired
  • Run Renew All immediately
  • If the cluster is inaccessible, renew manually via SSH on the master nodes
  • Check kubelet and API server logs after renewal

Renewal fails
  • Verify SSH connectivity to the master nodes
  • Ensure kubeadm is available on the nodes
  • Check that there is sufficient disk space
  • Review the operation logs for specific errors

Cluster unreachable after renewal
  • Components may need time to restart
  • Verify the API server is accessible
  • Check kubelet status on all nodes
  • Kubeconfig files copied elsewhere may need updating with the renewed credentials

Certificate status cannot be retrieved
  • Verify the cluster is in Ready state
  • Check that you have read permission
  • Ensure at least one master node is accessible

FAQ

How often should certificate status be checked?
Check monthly at a minimum, and set up monitoring that alerts when a certificate enters the 30-day (Expiring Soon) threshold, so that renewal is planned rather than forced.

Can individual certificates be renewed?
The platform renews all certificates together. To renew a single certificate, use kubeadm directly on a master node (for example, kubeadm certs renew apiserver).

How long are renewed certificates valid?
Renewed certificates are valid for one year from the renewal date, so the next renewal is due roughly a year later.

Does renewal cause downtime?
Brief disruption is possible while components restart. High-availability clusters with multiple masters experience minimal impact because the other masters keep serving while one restarts.

Are CA certificates renewed as well?
No. CA certificates have a longer validity (typically ten years) and are not renewed with regular certificate renewal. Rotating a CA is a separate procedure, because every component and kubeconfig that trusts the old CA has to be updated as well.