# For kubeadm provisioned clusters
kubeadm alpha certs check-expiration
# For all clusters
openssl x509 -noout -dates -in /etc/kubernetes/pki/apiserver.crt
kubeadm upgrade apply --certificate-renewal v1.15.0
# Step 1): Backup old certs and kubeconfigs
mkdir /etc/kubernetes.bak
cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak
cp /etc/kubernetes/*.conf /etc/kubernetes.bak
# Step 2): Renew all certs
kubeadm alpha certs renew all --config kubeadm.yaml
# Step 3): Renew all kubeconfigs
kubeadm alpha kubeconfig user --client-name=admin
kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin > /etc/kubernetes/admin.conf
kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf
kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf
kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf
# Another way to renew kubeconfigs
# kubeadm init phase kubeconfig all --config kubeadm.yaml
# Step 4): Copy certs/kubeconfigs and restart Kubernetes services
# Step 1): Config kube-controller-manager
kube-controller-manager --experimental-cluster-signing-duration=87600h \
--feature-gates=RotateKubeletClientCertificate=true \
...
# Step 2): Config RBAC
# Refer https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#approval
# Step 3): Config Kubelet
kubelet --feature-gates=RotateKubeletClientCertificate=true \
--cert-dir=/var/lib/kubelet/pki \
--rotate-certificates \
--rotate-server-certificates \
...