January 13, 2022 | 2 min Read

Kubernetes SSL certificates

There are many SSL certificates used by different Kubernetes components.

**Check client/server kubelet certificates**

```sh
# Check client/server kubelet certificates

# server
openssl x509 -noout -text -in /var/lib/kubelet/pki/kubelet.crt

# client
openssl x509 -noout -text -in /var/lib/kubelet/pki/kubelet-client-current.pem

# renew certificate
kubeadm certs renew apiserver
```

```sh
# Check SSL cert validity
ssh cluster2-master1 kubeadm certs check-expiration --cert-dir /etc/kubernetes/pki

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 18, 2022 12:04 UTC   364d                                    no
apiserver                  Mar 18, 2022 12:04 UTC   364d            ca                      no
apiserver-etcd-client      Mar 18, 2022 12:04 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Mar 18, 2022 12:04 UTC   364d            ca                      no
controller-manager.conf    Mar 18, 2022 12:04 UTC   364d                                    no
etcd-healthcheck-client    Mar 18, 2022 12:04 UTC   364d            etcd-ca                 no
etcd-peer                  Mar 18, 2022 12:04 UTC   364d            etcd-ca                 no
etcd-server                Mar 18, 2022 12:04 UTC   364d            etcd-ca                 no
front-proxy-client         Mar 18, 2022 12:04 UTC   364d            front-proxy-ca          no
scheduler.conf             Mar 18, 2022 12:04 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 20, 2031 19:41 UTC   9y              no
etcd-ca                 Jan 20, 2031 19:41 UTC   9y              no
front-proxy-ca          Jan 20, 2031 19:41 UTC   9y              no
```
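
To turn the check-expiration table into a monitoring check, the following added example (not part of the original post) parses that output and lists every certificate with fewer than a given number of days left. The function names and sample rows are constructed for illustration; it assumes kubeadm prints residual time as a number with a `y`/`d`/`h`/`m`/`s` suffix, or `<invalid>` once a certificate has expired.

```sh
#!/bin/sh
# Added example: list certificates whose RESIDUAL TIME in
# `kubeadm certs check-expiration` output (stdin) is below N days.
# Assumes residual time looks like 9y / 364d / 5h, or <invalid> if expired.
expiring_certs() {
    awk -v limit="$1" '
    {
        # Only data rows contain a "UTC" field; the residual time follows it.
        res = ""
        for (i = 1; i < NF; i++) if ($i == "UTC") { res = $(i + 1); break }
        if (res == "") next

        n = res + 0                        # numeric prefix: "364d" -> 364
        unit = substr(res, length(res))    # trailing unit letter
        if (res == "<invalid>") days = -1  # already expired
        else if (unit == "y")   days = n * 365
        else if (unit == "d")   days = n
        else                    days = 0   # hours or less: under one day
        if (days < limit) print $1
    }'
}

# Constructed sample in the layout shown above (residual values invented).
sample_output() {
    cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 18, 2022 12:04 UTC   364d                                    no
apiserver                  Mar 18, 2022 12:04 UTC   12d             ca                      no
etcd-server                Mar 18, 2022 12:04 UTC   5h              etcd-ca                 no
front-proxy-client         Mar 18, 2022 12:04 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 20, 2031 19:41 UTC   9y              no
EOF
}

# Certificates with fewer than 30 days left in the sample.
sample_output | expiring_certs 30
```

On a control-plane node the same function can read live output: `kubeadm certs check-expiration | expiring_certs 30`.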

---
```sh
ssh cluster2-master1 openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt | grep -i Valid -A4 -B4
        Version: 3 (0x2)
        Serial Number: 1102934230143616014 (0xf4e68d6b654440e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Jan 22 19:41:03 2021 GMT
            Not After : Mar 18 12:04:23 2022 GMT
        Subject: CN = kube-apiserver
        Subject Public Key Info:
```
Jan Toth

I have been in DevOps-related jobs for the past 6 years, dealing mainly with Kubernetes in AWS and on-premise as well. I spent quite a lot …
