v0.2.0 available
Note: This is not "TLS certificate management in Kubernetes". For more details, please refer to Kubernetes documentation and RKE cluster Yaml example.
Certificate is an important part of Kubernetes cluster. All Kubernetes components need certificates. You can use rke cert command of RKE to manage certificates.
Rotation certificate
By default, Kubenetes cluster uses the certificate automatically generated by RKE. When the certificate is about to expire, or when the certificate is leaked, the user should rotate the certificate in time.
After the certificate rotation is completed, the Kubernetes component will restart automatically. After restarting, the new certificate will take effect. You can rotate certificates for these services:
- etcd
- kubelet (node certificate)
- Kubelet (after enabling the kubelet option, the service certificate can be rotated.)
- kube-apiserver
- kube-proxy
- kube-scheduler
- kube-controller-manager
RKE has the ability to rotate certificates. You can use rke cert command to rotate service certificates:
- rke cert rotate: rotate all service certificates.
- rke cert rotate --service: rotate a single service certificate.
- RKE cert rotate -- rotate CA: rotate CA certificates and all service certificates.
As long as you are performing certificate rotation, you need to use cluster YML file. If you modify cluster YML is the default storage path. When performing certificate rotation, you can use rke cert rotate --config to point to cluster Path to YML.
Rotation service certificate
Rotate all service certificates
Run the rke cert rotate command to replace the certificates being used by all services with new certificates issued by the same certification authority. After entering the command in the command line tool, the returned information is as follows. After the certificate rotation is completed, the Kubernetes component will restart automatically, and then the new certificate will take effect.
Rotate individual service certificates
Run the rke cert rotate --service command to replace the certificate being used by a single service with a new certificate issued by the same certificate issuing authority. After entering the command in the command line tool, the returned information is as follows. After the certificate rotation is completed, the Kubernetes component will restart automatically, and then the new certificate will take effect.
Optional values for include:
- etcd
- kubelet
- kube-apiserver
- kube-proxy
- kube-scheduler
- kube-controller-manager
The following code example demonstrates the certificate used to replace the kubelet component:
rke cert rotate --service kubelet INFO[0000] Initiating Kubernetes cluster INFO[0000] Rotating Kubernetes cluster certificates INFO[0000] [certificates] Generating Node certificate INFO[0000] Successfully Deployed state file at [./cluster.rkestate] INFO[0000] Rebuilding Kubernetes cluster with rotated certificates ..... INFO[0033] [worker] Successfully restarted Worker Plane..
Rotate CA certificate
If you need to rotate CA certificates, you need to rotate certificates for all services. Using the -- rotate CA option, you can rotate CA certificates and certificates of all services. After the certificate rotation is completed, the Kubernetes component will restart automatically, and then the new certificate will take effect.
Rotating CA certificates will cause other system pods to restart. After these pods are restarted, new CA certificates will also be used:
- Network components Pods (canal, calico, flannel and weave)
- Ingress Controller pods
- KubeDNS pods
rke cert rotate --rotate-ca INFO[0000] Initiating Kubernetes cluster INFO[0000] Rotating Kubernetes cluster certificates INFO[0000] [certificates] Generating CA kubernetes certificates INFO[0000] [certificates] Generating Kubernetes API server aggregation layer requestheader client CA certificates INFO[0000] [certificates] Generating Kubernetes API server certificates INFO[0000] [certificates] Generating Kube Controller certificates INFO[0000] [certificates] Generating Kube Scheduler certificates INFO[0000] [certificates] Generating Kube Proxy certificates INFO[0000] [certificates] Generating Node certificate INFO[0001] [certificates] Generating admin certificates and kubeconfig INFO[0001] [certificates] Generating Kubernetes API server proxy client certificates INFO[0001] [certificates] Generating etcd-xxxxx certificate and key INFO[0001] [certificates] Generating etcd-yyyyy certificate and key INFO[0001] [certificates] Generating etcd-zzzzz certificate and key INFO[0001] Successfully Deployed state file at [./cluster.rkestate] INFO[0001] Rebuilding Kubernetes cluster with rotated certificates