Edit This Page

Certificate Management with kubeadm

This page explains how to manage certificates manually with kubeadm.

Before you begin

These are advanced topics for users who need to integrate their organization’s certificate infrastructure into a kubeadm-built cluster. If kubeadm with the default configuration satisfies your needs, you should let kubeadm manage certificates instead.

You should be familiar with PKI certificates and requirements in Kubernetes.

Renew certificates with the certificates API

The Kubernetes certificates normally reach their expiration date after one year.

Kubeadm can renew certificates with the kubeadm alpha certs renew commands; you should run these commands on control-plane nodes only.

Typically this is done by loading on-disk CA certificates and keys and using them to issue new certificates. This approach works well if your certificate tree is self-contained. However, if your certificates are externally managed, you might need a different approach.

As an alternative, Kubernetes provides its own API for managing certificates. With kubeadm, you can use this API by running kubeadm alpha certs renew --use-api.

Set up a signer

The Kubernetes Certificate Authority does not work out of the box. You can configure an external signer such as cert-manager, or you can use the build-in signer. The built-in signer is part of kube-controller-manager. To activate the build-in signer, you pass the --cluster-signing-cert-file and --cluster-signing-key-file arguments.

You pass these arguments in any of the following ways:

  apiVersion: kubeadm.k8s.io/v1beta1
  kind: ClusterConfiguration
      cluster-signing-cert-file: /etc/kubernetes/pki/ca.crt
      cluster-signing-key-file: /etc/kubernetes/pki/ca.key

Approve requests

If you set up an external signer such as cert-manager, certificate signing requests (CSRs) are automatically approved. Otherwise, you must manually approve certificates with the kubectl certificate command. The following kubeadm command outputs the name of the certificate to approve, then blocks and waits for approval to occur:

sudo kubeadm alpha certs renew apiserver --use-api &
[1] 2890
[certs] certificate request "kubeadm-cert-kube-apiserver-ld526" created
kubectl certificate approve kubeadm-cert-kube-apiserver-ld526
certificatesigningrequest.certificates.k8s.io/kubeadm-cert-kube-apiserver-ld526 approved
[1]+  Done                    sudo kubeadm alpha certs renew apiserver --use-api

You can view a list of pending certificates with kubectl get csr.

Certificate requests with kubeadm

To better integrate with external CAs, kubeadm can also produce certificate signing requests (CSRs). A CSR represents a request to a CA for a signed certificate for a client. In kubeadm terms, any certificate that would normally be signed by an on-disk CA can be produced as a CSR instead. A CA, however, cannot be produced as a CSR.

You can create an individual CSR with kubeadm init phase certs apiserver --csr-only. The --csr-only flag can be applied only to individual phases. After all certificates are in place, you can run kubeadm init --external-ca.

You can pass in a directory with --csr-dir to output the CSRs to the specified location. If --csr-dir is not specified, the default certificate directory (/etc/kubernetes/pki) is used. Both the CSR and the accompanying private key are given in the output. After a certificate is signed, the certificate and the private key must be copied to the PKI directory (by default /etc/kubernetes/pki).

Renew certificates

Certificates can be renewed with kubeadm alpha certs renew --csr-only. As with kubeadm init, an output directory can be specified with the --csr-dir flag. To use the new certificates, copy the signed certificate and private key into the PKI directory (by default /etc/kubernetes/pki)

Cert usage

A CSR contains a certificate’s name, domains, and IPs, but it does not specify usages. It is the responsibility of the CA to specify the correct cert usages when issuing a certificate.

CA selection

Kubeadm sets up three CAs by default. Make sure to sign the CSRs with a corresponding CA.