Cert Rotation
Checking Certificate Expiration
Updating Expiration Dates
Depending on the type of cluster, there are several methods to update the expiration dates of certificates (choose any one):
Method 1: Automatically rotate certificates with kubeadm when upgrading the cluster
Method 2: Manually generate and replace certificates using kubeadm
Method 3: For non-kubeadm clusters
kubelet Automatic Certificate Rotation
To enable certificate rotation, use the following:
Revoking Certificates
Appendix: Glossary
CA (Certificate Authority): The root authority that issues certificates and thereby vouches that they are legitimate.
A CA holds a private key (ca.key) and a certificate (ca.crt, which includes the public key). For a self-signed CA, ca.crt needs to be distributed to all clients.
ca.crt is automatically mounted into Pods at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
key (Public key or Private key): The public or private cryptographic key.
csr (Certificate Signing Request): A request sent to a certificate authority to obtain a signed certificate. The request usually includes the public key, while the private key is kept secure.
crt/cer (Certificate): The issued certificate, usually in PEM format (DER format is also supported).
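The glossary terms above, tied together with an expiration check, as an added example that is not part of the original page: it builds a throwaway CA, issues one client certificate from a CSR, and tests both certificates against a rotation window. It assumes the openssl CLI is installed; the subjects (demo-ca, demo-client, demo-group), the function names and the 30-day window are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed demo PKI; file names follow the glossary (ca.key, ca.crt).

# make_demo_pki DIR DAYS: build a self-signed CA, then issue one client
# certificate valid for DAYS days. All subjects are constructed sample values.
make_demo_pki() {
    dir=$1; days=$2
    ( umask 077   # private keys must not be group/world readable
      openssl genrsa -out "$dir/ca.key" 2048
      openssl genrsa -out "$dir/client.key" 2048 ) 2>/dev/null
    # Self-signed CA certificate: ca.crt is what clients are given to trust.
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=demo-ca" \
        -days 3650 -out "$dir/ca.crt"
    # The CSR carries the subject and public key; client.key stays local.
    openssl req -new -key "$dir/client.key" \
        -subj "/CN=demo-client/O=demo-group" -out "$dir/client.csr"
    # The CA signs the CSR, producing the certificate (PEM by default).
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days "$days" \
        -out "$dir/client.crt" 2>/dev/null
}

# csr_matches_key CSR KEY: succeed if the CSR's public key belongs to KEY.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# signed_by_ca CA_CRT CRT: succeed if CRT chains to the given CA certificate.
signed_by_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# expires_within CRT SECONDS: succeed if CRT expires within SECONDS from now.
# An unreadable certificate is also reported, so a broken file is not skipped.
expires_within() { ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }

demo() {
    d=$(mktemp -d) && make_demo_pki "$d" 1 || return 1
    for c in ca.crt client.crt; do
        if expires_within "$d/$c" 2592000; then
            echo "$c: rotate (expires within 30 days)"
        else
            echo "$c: ok ($(openssl x509 -in "$d/$c" -noout -enddate))"
        fi
    done
    rm -rf "$d"
}
demo
```

The same expires_within check can be pointed at any PEM certificate file on a node, which makes it usable for non-kubeadm clusters as well.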