RKE cluster certificate management

Posted by dfego on Thu, 10 Mar 2022 09:25:06 +0100

Available as of v0.2.0

Note: This is not about TLS certificate management inside Kubernetes itself. For that, see the Kubernetes documentation and the RKE cluster YAML example.

Certificates are an essential part of a Kubernetes cluster: every Kubernetes component needs one. RKE's rke cert command manages them.

Rotating certificates

By default, a Kubernetes cluster uses the certificates automatically generated by RKE. When a certificate is about to expire, or when its private key has been leaked, you should rotate it promptly.

After certificate rotation completes, the Kubernetes components restart automatically and the new certificates take effect. Certificates can be rotated for these services:

  • etcd
  • kubelet (node certificate)
  • kubelet (serving certificate, once the corresponding kubelet option is enabled)
  • kube-apiserver
  • kube-proxy
  • kube-scheduler
  • kube-controller-manager

RKE can rotate certificates with the rke cert command:

  • rke cert rotate: rotate the certificates of all services.
  • rke cert rotate --service <service>: rotate the certificate of a single service.
  • rke cert rotate --rotate-ca: rotate the CA certificate and all service certificates.

Certificate rotation always uses the cluster YML file (cluster.yml). If that file is not in its default location, point rke cert rotate --config at its path.
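Deciding when a rotation is due means knowing the NotAfter date of the certificates actually in use. The Go program below is an added example, not RKE's own code: it assumes you have copied the PEM certificates off a node into one file, lists the subjects whose certificate expires within a chosen number of days, and fabricates self-signed test certificates so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// DueForRotation returns, keyed by subject CN, the whole days left for every CERTIFICATE
// block in pemData that expires within warnDays of now (negative once already expired).
func DueForRotation(pemData []byte, now time.Time, warnDays int) (map[string]int, error) {
	due := map[string]int{}
	seen := 0
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip private keys and other PEM blocks
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		seen++
		if d := int(cert.NotAfter.Sub(now).Hours() / 24); d <= warnDays {
			due[cert.Subject.CommonName] = d
		}
	}
	if seen == 0 {
		return nil, errors.New("no CERTIFICATE blocks found") // empty input must not pass as healthy
	}
	return due, nil
}

// SelfSignedPEM builds a constructed self-signed test certificate (sample data, not RKE-issued).
func SelfSignedPEM(cn string, now time.Time, validDays int) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: now, NotAfter: now.AddDate(0, 0, validDays)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

Feed DueForRotation the concatenated PEM files and a threshold such as 30 days; any subject it returns is a candidate for rke cert rotate --service, and a CA entry means --rotate-ca.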

Rotating service certificates

Rotating all service certificates

Run rke cert rotate to replace the certificates used by all services with new certificates issued by the same certificate authority. The command prints its progress to the terminal. After rotation completes, the Kubernetes components restart automatically and the new certificates take effect.

Rotating an individual service certificate

Run rke cert rotate --service to replace the certificate used by a single service with a new certificate issued by the same certificate authority. The command prints its progress to the terminal, as shown in the example below. After rotation completes, the Kubernetes component restarts automatically and the new certificate takes effect.

Valid values for --service are:

  • etcd
  • kubelet
  • kube-apiserver
  • kube-proxy
  • kube-scheduler
  • kube-controller-manager

The following example rotates the certificate of the kubelet component:

rke cert rotate --service kubelet
INFO[0000] Initiating Kubernetes cluster
INFO[0000] Rotating Kubernetes cluster certificates
INFO[0000] [certificates] Generating Node certificate
INFO[0000] Successfully Deployed state file at [./cluster.rkestate]
INFO[0000] Rebuilding Kubernetes cluster with rotated certificates
.....
INFO[0033] [worker] Successfully restarted Worker Plane..

Rotating the CA certificate

Rotating the CA certificate requires rotating the certificates of all services as well. The --rotate-ca option rotates the CA certificate together with all service certificates. After rotation completes, the Kubernetes components restart automatically and the new certificates take effect.

Rotating the CA certificate also restarts other system pods, which then use the new CA certificate:

  • Network components Pods (canal, calico, flannel and weave)
  • Ingress Controller pods
  • KubeDNS pods

The following example rotates the CA certificate and all service certificates:

rke cert rotate --rotate-ca
INFO[0000] Initiating Kubernetes cluster
INFO[0000] Rotating Kubernetes cluster certificates
INFO[0000] [certificates] Generating CA kubernetes certificates
INFO[0000] [certificates] Generating Kubernetes API server aggregation layer requestheader client CA certificates
INFO[0000] [certificates] Generating Kubernetes API server certificates
INFO[0000] [certificates] Generating Kube Controller certificates
INFO[0000] [certificates] Generating Kube Scheduler certificates
INFO[0000] [certificates] Generating Kube Proxy certificates
INFO[0000] [certificates] Generating Node certificate
INFO[0001] [certificates] Generating admin certificates and kubeconfig
INFO[0001] [certificates] Generating Kubernetes API server proxy client certificates
INFO[0001] [certificates] Generating etcd-xxxxx certificate and key
INFO[0001] [certificates] Generating etcd-yyyyy certificate and key
INFO[0001] [certificates] Generating etcd-zzzzz certificate and key
INFO[0001] Successfully Deployed state file at [./cluster.rkestate]
INFO[0001] Rebuilding Kubernetes cluster with rotated certificates