This page explains how to manage certificates manually with kubeadm.
These are advanced topics for users who need to integrate their organization’s certificate infrastructure into a kubeadm-built cluster. If kubeadm with the default configuration satisfies your needs, you should let kubeadm manage certificates instead.
You should be familiar with PKI certificates and requirements in Kubernetes.
The Kubernetes certificates normally reach their expiration date after one year.
Kubeadm can renew certificates with the
kubeadm alpha certs renew commands; you should run these commands on control-plane nodes only.
Typically this is done by loading on-disk CA certificates and keys and using them to issue new certificates. This approach works well if your certificate tree is self-contained. However, if your certificates are externally managed, you might need a different approach.
As an alternative, Kubernetes provides its own API for managing certificates.
With kubeadm, you can use this API by running
kubeadm alpha certs renew --use-api.
The Kubernetes Certificate Authority does not work out of the box.
You can configure an external signer such as cert-manager, or you can use the build-in signer.
The built-in signer is part of
To activate the build-in signer, you pass the
You pass these arguments in any of the following ways:
/etc/kubernetes/manifests/kube-controller-manager.yaml to add the arguments to the command.
Remember that your changes could be overwritten when you upgrade.
If you’re creating a new cluster, you can use a kubeadm configuration file:
kubeadm config upload from-files
If you set up an external signer such as cert-manager, certificate signing requests (CSRs) are automatically approved.
Otherwise, you must manually approve certificates with the
kubectl certificate command.
The following kubeadm command outputs the name of the certificate to approve, then blocks and waits for approval to occur:
sudo kubeadm alpha certs renew apiserver --use-api &
[certs] certificate request "kubeadm-cert-kube-apiserver-ld526" created
kubectl certificate approve kubeadm-cert-kube-apiserver-ld526
+ Done sudo kubeadm alpha certs renew apiserver --use-api
You can view a list of pending certificates with
kubectl get csr.
To better integrate with external CAs, kubeadm can also produce certificate signing requests (CSRs). A CSR represents a request to a CA for a signed certificate for a client. In kubeadm terms, any certificate that would normally be signed by an on-disk CA can be produced as a CSR instead. A CA, however, cannot be produced as a CSR.
You can create an individual CSR with
kubeadm init phase certs apiserver --csr-only.
--csr-only flag can be applied only to individual phases. After all certificates are in place, you can run
kubeadm init --external-ca.
You can pass in a directory with
--csr-dir to output the CSRs to the specified location.
--csr-dir is not specified, the default certificate directory (
/etc/kubernetes/pki) is used.
Both the CSR and the accompanying private key are given in the output. After a certificate is signed, the certificate and the private key must be copied to the PKI directory (by default
Certificates can be renewed with
kubeadm alpha certs renew --csr-only.
kubeadm init, an output directory can be specified with the
To use the new certificates, copy the signed certificate and private key into the PKI directory (by default
A CSR contains a certificate’s name, domains, and IPs, but it does not specify usages. It is the responsibility of the CA to specify the correct cert usages when issuing a certificate.
Kubeadm sets up three CAs by default. Make sure to sign the CSRs with a corresponding CA.
Was this page helpful?
Thanks for the feedback. If you have a specific, answerable question about how to use Kubernetes, ask it on Stack Overflow. Open an issue in the GitHub repo if you want to report a problem or suggest an improvement.