Update certificates for system components

Last update: May 27 2025

Update certificates for system components

Kubernetes system components need up-to-date certificates to  communicate with each other. These are automatically renewed every 30 days. If an error occurs when updating certificates, you can update certificates in the control panel or via the Managed Kubernetes API.

Information about certificate updates is reflected in the cluster logs.

Each time you update the certificates, the kubeconfig file changes, so you must reconnect to the cluster. To avoid reconnecting , configure the upgrade via ServiceAccount Token.

Update certificates when an error occurs⁠

If a ROTATE CERTS = ERROR error occurs during automatic certificate renewal, you can renew the certificates in the control panel or via the API Managed Kubernetes.

1. In the dashboard, on the top menu, click Products and select Managed Kubernetes.
2. Open the cluster page → Settings tab.
3. In the Cluster Access block, click Refresh Certificates.
4. Reconnect to the cluster.

Configure certificate renewal via ServiceAccount Token⁠

ServiceAccount Token is a way of authorization in Kubernetes API. It allows you not to update the kubeconfig file after each certificate update.

The process of obtaining a ServiceAccount Token depends on the Kubernetes version:

• for Kubernetes version 1.23 and below;
• for Kubernetes version 1.24 and higher.

For Kubernetes version 1.23 and below⁠

Linux

1. Create a ServiceAccount:

   kubectl -n kube-system create serviceaccount <serviceaccount_name>

   Specify <serviceaccount_name> — service account name.

2. Create a ClusterRoleBinding (group for the new user) and add a role with administrator rights (cluster-admin):

   kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>

   Specify <clusterrolebinding_name> is the group name for the new user.

3. Add to the TOKENNAME environment variable the name of the secret of the created ServiceAccount where the token is stored:

   export TOKENNAME=$(kubectl -n kube-system get serviceaccount/<serviceaccount_name> -o jsonpath='{.secrets[0].name}')

4. Add the decoded token from the secret to the TOKEN environment variable:

   export TOKEN=$(kubectl -n kube-system get secret $TOKENNAME -o jsonpath='{.data.token}' | base64 --decode)

5. Check if the token is working — make a request to the Kubernetes API with the token in the header:

   curl -k -H "Authorization: Bearer $TOKEN" -X GET "https://<kube_api_ip>:6443/api/v1/nodes" | json_pp

   Specify <kube_api_ip> — the IP address of the cluster in the control panel.

6. Add ServiceAccount to the kubeconfig file:

   kubectl config set-credentials <serviceaccount_name> --token=$TOKEN

7. Switch context:

   kubectl config set-context --current --user=<serviceaccount_name>

8. Check the functionality — make any request in Kubernetes API. For example, request a list of cluster nodes:

   kubectl get nodes

9. The updated kubeconfig file will be located in the home directory $HOME/.kube/config

Windows

1. Run PowerShell as an administrator.

2. Create a ServiceAccount:

   kubectl -n kube-system create serviceaccount <serviceaccount_name>

   Specify <serviceaccount_name> — service account name.

3. Create a ClusterRoleBinding (group for the new user) and add a role with administrator rights (cluster-admin):

   kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>

   Specify <clusterrolebinding_name> is the group name for the new user.

4. Get the name of the secret of the created ServiceAccount that holds the token:

   $env:token_name = kubectl -n kube-system get serviceaccount/<serviceaccount_name> -o jsonpath='{.secrets[0].name}'

5. Add the decoded token from the secret to the token variable:

   $env:token = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((kubectl -n kube-system get secret $token_name -o jsonpath='{.data.token}')))

6. Add ServiceAccount to the kubeconfig file:

   kubectl config set-credentials <serviceaccount_name> --token=$token

7. Switch context:

   kubectl config set-context --current --user=<serviceaccount_name>

8. Check the functionality — make any request in Kubernetes API. For example, request a list of cluster nodes:

   kubectl get nodes

9. The updated kubeconfig file will be located in the home directory $env:USERPROFILE/.kube/config

For Kubernetes version 1.24 and higher⁠

Linux

1. Create a ServiceAccount:

   kubectl -n kube-system create serviceaccount <serviceaccount_name>

   Specify <serviceaccount_name> — service account name.

2. Create a ClusterRoleBinding (group for the new user) and add a role with administrator rights (cluster-admin):

   kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>

   Specify <clusterrolebinding_name> is the group name for the new user.

3. Get the name of the secret of the created ServiceAssociate that holds the token:

   kubectl -n kube-system apply -f - <<EOF
   apiVersion: v1
   kind: Secret
   metadata:
     name: <serviceaccount_name>-token
     annotations:
       kubernetes.io/service-account.name: <serviceaccount_name>
   type: kubernetes.io/service-account-token
   EOF

4. Add the decoded token from the secret to the TOKEN environment variable:

   export TOKEN=$(kubectl -n kube-system get secret <serviceaccount_name>-token -o jsonpath='{.data.token}' | base64 --decode)

5. Check if the token is working — make a request to the Kubernetes API with the token in the header:

   curl -k -H "Authorization: Bearer $TOKEN" -X GET "https://<kube_api_ip>:6443/api/v1/nodes" | json_pp

   Specify <kube_api_ip> — the IP address of the cluster in the control panel.

6. Add ServiceAccount to the kubeconfig file:

   kubectl config set-credentials <serviceaccount_name> --token=$TOKEN

7. Switch context:

   kubectl config set-context --current --user=<serviceaccount_name>

8. Check the functionality — make any request in Kubernetes API. For example, request a list of cluster nodes:

   kubectl get nodes

9. The updated kubeconfig file will be located in the home directory $HOME/.kube/config

Windows

1. Run PowerShell as an administrator.

2. Create a ServiceAccount:

   kubectl -n kube-system create serviceaccount <serviceaccount_name>

   Specify <serviceaccount_name> — service account name.

3. Create a ClusterRoleBinding (group for the new user) and add a role with administrator rights (cluster-admin):

   kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>

   Specify <clusterrolebinding_name> is the group name for the new user.

4. Get the name of the secret of the created ServiceAccount that holds the token:

   @"
   apiVersion: v1
   kind: Secret
   metadata:
     name: <serviceaccount_name>-token
     annotations:
       kubernetes.io/service-account.name: <serviceaccount_name>
   type: kubernetes.io/service-account-token
   "@ | kubectl -n kube-system apply -f -

5. Add the decoded token from the secret to the TOKEN environment variable:

   $env:token = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((kubectl -n kube-system get secret <serviceaccount_name>-token -o jsonpath='{.data.token}')))

6. Add ServiceAccount to the kubeconfig file:

   kubectl config set-credentials <serviceaccount_name> --token=$token

7. Switch context:

   kubectl config set-context --current --user=<serviceaccount_name>

8. Check the functionality — make any request in Kubernetes API. For example, request a list of cluster nodes:

   kubectl get nodes

9. The updated kubeconfig file will be located in the home directory $env:USERPROFILE/.kube/config