K8S Certificate Management

1. Internal cert rotation

  • 1.1 Certificate validity check

Check master node certificate validity

# Print each certificate's expiry date (ISO 8601) and path, sorted by date,
# for the server TLS directory and its kube-controller-manager and kube-scheduler subdirectories
for crt in /var/lib/rancher/rke2/server/tls/*.crt; do
   printf '%s: %s\n' \
      "$(date --date="$(openssl x509 -enddate -noout -in "$crt"|cut -d= -f 2)" --iso-8601)" \
      "$crt"
done | sort
for crt in /var/lib/rancher/rke2/server/tls/kube-controller-manager/*.crt; do
   printf '%s: %s\n' \
      "$(date --date="$(openssl x509 -enddate -noout -in "$crt"|cut -d= -f 2)" --iso-8601)" \
      "$crt"
done | sort
for crt in /var/lib/rancher/rke2/server/tls/kube-scheduler/*.crt; do
   printf '%s: %s\n' \
      "$(date --date="$(openssl x509 -enddate -noout -in "$crt"|cut -d= -f 2)" --iso-8601)" \
      "$crt"
done | sort

Check worker node certificate validity

# Same check for the agent TLS directory on a worker node
for crt in /var/lib/rancher/rke2/agent/*.crt; do
   printf '%s: %s\n' \
      "$(date --date="$(openssl x509 -enddate -noout -in "$crt"|cut -d= -f 2)" --iso-8601)" \
      "$crt"
done | sort

  • 1.2 Certificate rotation

Rotate master node certificates (one node at a time)

Back up the TLS folders (kube-controller-manager and kube-scheduler)

cd /var/lib/rancher/rke2/server/tls
mv kube-controller-manager kube-controller-manager-20250620
mv kube-scheduler kube-scheduler-20250620

Stop the services

systemctl stop rancher-system-agent.service
systemctl stop rke2-server.service

Rotate the certificates

rke2 certificate rotate

Start the services

systemctl start rke2-server.service
systemctl start rancher-system-agent.service

Rotate worker node certificates (one node at a time)

When a certificate has less than 90 days of validity left, simply restarting the agent service is enough: RKE2 rotates it automatically on startup

systemctl stop rke2-agent.service
systemctl start rke2-agent.service

  • 1.3 Re-check certificate validity

Check master node internal certificate validity

for crt in /var/lib/rancher/rke2/server/tls/*.crt; do
   printf '%s: %s\n' \
      "$(date --date="$(openssl x509 -enddate -noout -in "$crt"|cut -d= -f 2)" --iso-8601)" \
      "$crt"
done | sort
for crt in /var/lib/rancher/rke2/server/tls/kube-controller-manager/*.crt; do
   printf '%s: %s\n' \
      "$(date --date="$(openssl x509 -enddate -noout -in "$crt"|cut -d= -f 2)" --iso-8601)" \
      "$crt"
done | sort
for crt in /var/lib/rancher/rke2/server/tls/kube-scheduler/*.crt; do
   printf '%s: %s\n' \
      "$(date --date="$(openssl x509 -enddate -noout -in "$crt"|cut -d= -f 2)" --iso-8601)" \
      "$crt"
done | sort

Check worker node internal certificate validity

for crt in /var/lib/rancher/rke2/agent/*.crt; do
   printf '%s: %s\n' \
      "$(date --date="$(openssl x509 -enddate -noout -in "$crt"|cut -d= -f 2)" --iso-8601)" \
      "$crt"
done | sort
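The checks in 1.1 and 1.3 run one loop per directory and only print the expiry date. The script below is an added example, not part of this runbook, that covers the same four directories in one pass, shows days remaining, and flags every certificate that is expired or already inside the 90-day window mentioned in the worker-node section, so it can be run before and after a rotation and used to gate a maintenance job. It assumes GNU date and openssl on the node; the directory list and the 90-day threshold come from this page, while the function names and the CERT_DIRS / NOW_EPOCH variables are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original runbook: one-pass expiry report for
# RKE2 server and agent certificates. Assumes GNU date and openssl.

# Days inside which RKE2 renews on restart (threshold taken from the runbook text).
RENEW_WINDOW_DAYS=90

# Directories checked by the runbook; override with CERT_DIRS="dir1 dir2 ...".
CERT_DIRS=${CERT_DIRS:-"/var/lib/rancher/rke2/server/tls
/var/lib/rancher/rke2/server/tls/kube-controller-manager
/var/lib/rancher/rke2/server/tls/kube-scheduler
/var/lib/rancher/rke2/agent"}

# Seconds from now until the given notAfter date (any format GNU date parses).
# Negative means already expired. NOW_EPOCH can be set to make output reproducible.
seconds_until() {
    target=$(date --date="$1" +%s) || return 1
    now=${NOW_EPOCH:-$(date +%s)}
    echo $(( target - now ))
}

# Classify a remaining-seconds value: EXPIRED, RENEW (inside the window) or OK.
classify() {
    if [ "$1" -lt 0 ]; then
        echo EXPIRED
    elif [ "$1" -le $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        echo RENEW
    else
        echo OK
    fi
}

# One line per certificate in a directory: status, days left, notAfter (ISO), path.
# Unreadable files and empty directories are skipped rather than aborting the run.
report_dir() {
    for crt in "$1"/*.crt; do
        [ -f "$crt" ] || continue
        end=$(openssl x509 -enddate -noout -in "$crt" 2>/dev/null | cut -d= -f2)
        [ -n "$end" ] || continue
        secs=$(seconds_until "$end") || continue
        printf '%-8s %5d days  %s  %s\n' "$(classify "$secs")" $(( secs / 86400 )) \
            "$(date --date="$end" --iso-8601)" "$crt"
    done
}

# Every directory, soonest expiry first.
report_all() {
    for d in $CERT_DIRS; do
        report_dir "$d"
    done | sort -k2,2n
}

# Print the report; return 1 if anything is expired or inside the renewal window,
# so the script can gate a maintenance job.
main() {
    out=$(report_all)
    [ -n "$out" ] && printf '%s\n' "$out"
    ! printf '%s\n' "$out" | grep -qE '^(EXPIRED|RENEW)'
}

main "$@"
```

Run it as root on each node before and after the rotation steps; a non-zero exit means at least one certificate is expired or due, and the first lines of the report show which. Unlike the loops in 1.1, it classifies against the same 90-day window RKE2 itself uses, so a RENEW line on a worker node is exactly the case where a service restart is expected to rotate the certificate.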

2. SSL Cert update