kubeadm: include a couple of workarounds in kubeadm-certs.md #16726

Merged
merged 2 commits into from
Oct 12, 2019
Changes from 1 commit
22 changes: 19 additions & 3 deletions content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
Expand Up @@ -59,11 +59,22 @@ Additionally, kubeadm informs the user if the certificate is externally managed;
`kubelet.conf` is not included in the list above because kubeadm configures kubelet for automatic certificate renewal.
{{< /note >}}

{{< warning >}}
On nodes created with `kubeadm init`, prior to kubeadm version 1.17, there is a
[bug](https://github.com/kubernetes/kubeadm/issues/1753) where you manually have to modify the contents of `kubelet.conf`. After `kubeadm init` finishes, you should update `kubelet.conf` to point to the
Member

I think we should specify that this problem happens only on the node where kubeadm init is executed

Member Author

@neolit123 neolit123 Oct 9, 2019

@fabriziopandini
I think the warning already clarifies that:

> On nodes created with kubeadm init

Perhaps we should re-word?

rotated kubelet client certificates, by replacing `client-certificate-data` and `client-key-data` with:

```yaml
client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
```
{{< /warning >}}

## Automatic certificate renewal

`kubeadm` renews all the certificates during control plane [upgrade](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/).

This feature is designed for addressing the simplest use cases;
This feature is designed for addressing the simplest use cases;
if you don't have specific requirements on certificate renewal and perform Kubernetes version upgrades regularly (less than 1 year in between each upgrade), kubeadm will take care of keeping your cluster up to date and reasonably secure.

{{< note >}}
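Review bot: the new warning contradicts the note directly above it without linking the two. The note line `kubelet.conf is not included in the list above because kubeadm configures kubelet for automatic certificate renewal` tells the reader no manual action is needed, and the warning added right after it says that on nodes created with `kubeadm init` before 1.17 the file must be edited by hand; a reader who stops at the note keeps using the embedded, non-rotated `client-certificate-data`, so add a "see the warning below" (or similar) to the note. The thread's point about scope also still applies: "On nodes created with `kubeadm init`" can be read as "any node in a cluster created with `kubeadm init`", so state explicitly that only the node on which `kubeadm init` itself was run is affected. Finally, both `client-certificate` and `client-key` point at the same file, `/var/lib/kubelet/pki/kubelet-client-current.pem`; one sentence saying this is intended, because that file contains both the certificate and the private key, would stop readers treating it as a copy-paste error.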
Expand All @@ -72,6 +83,11 @@ It is a best practice to upgrade your cluster frequently in order to stay secure

If you have more complex requirements for certificate renewal, you can opt out from the default behavior by passing `--certificate-renewal=false` to `kubeadm upgrade apply` or to `kubeadm upgrade node`.

{{< warning >}}
Prior to kubeadm version 1.17 there is a [bug](https://github.com/kubernetes/kubeadm/issues/1818)
where the default value for `--certificate-renewal` is `false` for the `kubeadm upgrade node`
command, so the flag has to be passed explicitly `--certificate-renewal=true`.
{{< /warning >}}

## Manual certificate renewal

Expand Down Expand Up @@ -110,7 +126,7 @@ You can configure an external signer such as [cert-manager][cert-manager-issuer]
The built-in signer is part of [`kube-controller-manager`][kcm].
To activate the build-in signer, you pass the `--cluster-signing-cert-file` and `--cluster-signing-key-file` arguments.

The built-in signer is part of [`kube-controller-manager`][kcm].
The built-in signer is part of [`kube-controller-manager`][kcm].

To activate the build-in signer, you must pass the `--cluster-signing-cert-file` and `--cluster-signing-key-file` flags.

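Review bot: `build-in signer` in the rewritten line is a typo for `built-in signer` (the surrounding lines spell it `built-in`), and since the line is being changed anyway it should be fixed here. The sentence also never says which component takes the two flags; the line before establishes that the signer lives in `kube-controller-manager`, so write `you must pass the ... flags to kube-controller-manager`, otherwise a reader may try them on `kubeadm` or on the API server.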
Expand Down Expand Up @@ -150,7 +166,7 @@ The output is similar to this:

If you set up an external signer, certificate signing requests (CSRs) are automatically approved.

Otherwise, you must manually approve certificates with the [`kubectl certificate`][certs] command. e.g.
Otherwise, you must manually approve certificates with the [`kubectl certificate`][certs] command. e.g.

```shell
kubectl certificate approve kubeadm-cert-kube-apiserver-ld526
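Review bot: the example hard-codes the generated suffix in `kubeadm-cert-kube-apiserver-ld526` while the surrounding text says the output is only "similar"; add a sentence that the name must be taken from the actual CSR listing, since copying this one verbatim will only produce a not-found error. Because approving the CSR is the trust decision in this flow, the text should also tell the operator to check the requesting identity and the requested names in the CSR before approving, rather than approving everything with a `kubeadm-cert-` prefix. Minor: `command. e.g.` reads as two fragments; `command, for example:` before the fence.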