Understand k3s certificate rotation #10024

gherciu · 2024-04-25T10:38:54Z

gherciu
Apr 25, 2024

I've been reading the documentation for the certificate rotation
And few things are unclear to me, and mostly about https://docs.k3s.io/cli/certificate. Client and Server certificate rotation, which expires after 1 year after issuance

So in the docs is said that in order to rotate the certs we have to

systemctl stop k3s
k3s certificate rotate
systemctl start k3s

My main question is should we do that on the Control plane node? or that works in any agent node/workers node?
Also after rotating the certificates, the kubeconfig located at /etc/rancher/k3s/k3s.yaml will it change? (Because if it changes in most cases developers will have to update their CI/CD I assume with new values "Not a problem just want to understand if that is needed")?

Answered by brandond

Apr 25, 2024

You don't need to manually rotate them. As the docs say, the certs are renewed on startup if they are within 90 days of expiring. If you want to rotate them, or renew them before before the automatic renewal would trigger, you can use the rotate command.

If you use the rotate command, you need to rotate on all the nodes - servers first, then agents.

If you've copied the admin kubeconfig to another node, you would want to update your copies periodically, as they contain a client cert that is also only valid for 1 year.

View full answer

brandond · 2024-04-25T18:21:38Z

brandond
Apr 25, 2024
Collaborator

You don't need to manually rotate them. As the docs say, the certs are renewed on startup if they are within 90 days of expiring. If you want to rotate them, or renew them before before the automatic renewal would trigger, you can use the rotate command.

If you use the rotate command, you need to rotate on all the nodes - servers first, then agents.

If you've copied the admin kubeconfig to another node, you would want to update your copies periodically, as they contain a client cert that is also only valid for 1 year.

0 replies

ammirator-administrator · 2024-04-26T12:14:36Z

ammirator-administrator
Apr 26, 2024

@brandond
In case these certificates were not rotated and there were no server restarts in this period
What will happen a error message somewhere will be displayed? How this process will look like, and how do we detect that the certificates are the cause

1 reply

brandond Apr 26, 2024
Collaborator

Internal components will no longer be able to initiate connections, and you'll see certificate errors in the logs.

On recent releases, you'll see warning events when the certificates are about to expire, and there are metrics that you can monitor. Ref: #9742

ammirator-administrator · 2024-04-26T12:21:05Z

ammirator-administrator
Apr 26, 2024

Also I think the docs have a typo
For agents it is not sudo systemctl stop k3s but I believe sudo systemctl stop k3s-agent

1 reply

brandond Apr 26, 2024
Collaborator

you are correct!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Understand k3s certificate rotation #10024

{{title}}

Replies: 3 comments 2 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Understand k3s certificate rotation #10024

gherciu Apr 25, 2024

Replies: 3 comments · 2 replies

brandond Apr 25, 2024 Collaborator

ammirator-administrator Apr 26, 2024

brandond Apr 26, 2024 Collaborator

ammirator-administrator Apr 26, 2024

brandond Apr 26, 2024 Collaborator

gherciu
Apr 25, 2024

Replies: 3 comments 2 replies

brandond
Apr 25, 2024
Collaborator

ammirator-administrator
Apr 26, 2024

brandond Apr 26, 2024
Collaborator

ammirator-administrator
Apr 26, 2024

brandond Apr 26, 2024
Collaborator