Update certificates for system components
To interact Kubernetes system components you need up-to-date certificates. They are updated automatically every 30 days. If an error occurs while updating certificates, you can update certificates in the control panel or through API Managed Kubernetes.
Information on updating certificates is reflected in cluster logs.
Each time the certificates are updated, the kubeconfig file is changed, so the cluster needs to be reattached connect. So you don't have to reconnect, configure the update via ServiceAccount Token.
Update certificates when an error occurs
If an error occurs during automatic certificate renewal ROTATE CERTS = ERROR
You can update the certificates in the control panel or via the API Managed Kubernetes.
- In control panels go to Cloud platform → Kubernetes.
- Open the cluster page → tab Settings.
- In the block Access to the cluster click Update certificates.
- Reinvented cluster.
Configure certificate renewal via ServiceAccount Token
ServiceAccount Token is a way of authorization in Kubernetes API. It allows you not to update the kubeconfig file after each certificate update.
The process of obtaining a ServiceAccount Token depends on the Kubernetes version:
For Kubernetes version 1.23 and below
Linux
Windows
-
Create a ServiceAccount:
kubectl -n kube-system create serviceaccount <serviceaccount_name>
Specify
<serviceaccount_name>
— service account name. -
Create a ClusterRoleBinding (group for the new user) and add a role with administrator rights (cluster-admin):
kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>
Specify
<clusterrolebinding_name>
— group name for the new user. -
Add to the environment variable
TOKENNAME
The name of the secret of the created ServiceAccount in which the token is stored:export TOKENNAME=$(kubectl -n kube-system get serviceaccount/<serviceaccount_name> -o jsonpath='{.secrets[0].name}')
-
Add to the environment variable
TOKEN
decoded token from the secret:export TOKEN=$(kubectl -n kube-system get secret $TOKENNAME -o jsonpath='{.data.token}' | base64 --decode)
-
Check if the token is working — make a request to the Kubernetes API with the token in the header:
curl -k -H "Authorization: Bearer $TOKEN" -X GET "https://<kube_api_ip>:6443/api/v1/nodes" | json_pp
Specify
<kube_api_ip>
— The IP address of the cluster in the control panel. -
Add ServiceAccount to the kubeconfig file:
kubectl config set-credentials <serviceaccount_name> --token=$TOKEN
-
Switch context:
kubectl config set-context --current --user=<serviceaccount_name>
-
Check the functionality — make any request in Kubernetes API. For example, request a list of cluster nodes:
kubectl get nodes
-
The updated kubeconfig file will be located in the home directory
$HOME/.kube/config
-
Run PowerShell as an administrator.
-
Create a ServiceAccount:
kubectl -n kube-system create serviceaccount <serviceaccount_name>
Specify
<serviceaccount_name>
— service account name. -
Create a ClusterRoleBinding (group for the new user) and add a role with administrator rights (cluster-admin):
kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>
Specify
<clusterrolebinding_name>
— group name for the new user. -
Get the name of the secret of the created ServiceAccount that holds the token:
$env:token_name = kubectl -n kube-system get serviceaccount/<serviceaccount_name> -o jsonpath='{.secrets[0].name}'
-
Add to the variable
token
decoded token from the secret:$env:token = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((kubectl -n kube-system get secret $token_name -o jsonpath='{.data.token}')))
-
Add ServiceAccount to the kubeconfig file:
kubectl config set-credentials <serviceaccount_name> --token=$token
-
Switch context:
kubectl config set-context --current --user=<serviceaccount_name>
-
Check the functionality — make any request in Kubernetes API. For example, request a list of cluster nodes:
kubectl get nodes
-
The updated kubeconfig file will be located in the home directory
$env:USERPROFILE/.kube/config
For Kubernetes version 1.24 and higher
Linux
Windows
-
Create a ServiceAccount:
kubectl -n kube-system create serviceaccount <serviceaccount_name>
Specify
<serviceaccount_name>
— service account name. -
Create a ClusterRoleBinding (group for the new user) and add a role with administrator rights (cluster-admin):
kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>
Specify
<clusterrolebinding_name>
— group name for the new user. -
Get the name of the secret of the created ServiceAssociate that holds the token:
kubectl -n kube-system apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
name: <serviceaccount_name>-token
annotations:
kubernetes.io/service-account.name: <serviceaccount_name>
type: kubernetes.io/service-account-token
EOF -
Add to the environment variable
TOKEN
decoded token from the secret:export TOKEN=$(kubectl -n kube-system get secret <serviceaccount_name>-token -o jsonpath='{.data.token}' | base64 --decode)
-
Check if the token is working — make a request to the Kubernetes API with the token in the header:
curl -k -H "Authorization: Bearer $TOKEN" -X GET "https://<kube_api_ip>:6443/api/v1/nodes" | json_pp
Specify
<kube_api_ip>
— The IP address of the cluster in the control panel. -
Add ServiceAccount to the kubeconfig file:
kubectl config set-credentials <serviceaccount_name> --token=$TOKEN
-
Switch context:
kubectl config set-context --current --user=<serviceaccount_name>
-
Check the functionality — make any request in Kubernetes API. For example, request a list of cluster nodes:
kubectl get nodes
-
The updated kubeconfig file will be located in the home directory
$HOME/.kube/config
-
Run PowerShell as an administrator.
-
Create a ServiceAccount:
kubectl -n kube-system create serviceaccount <serviceaccount_name>
Specify
<serviceaccount_name>
— service account name. -
Create a ClusterRoleBinding (group for the new user) and add a role with administrator rights (cluster-admin):
kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>
Specify
<clusterrolebinding_name>
— group name for the new user. -
Get the name of the secret of the created ServiceAccount that holds the token:
@"
apiVersion: v1
kind: Secret
metadata:
name: <serviceaccount_name>-token
annotations:
kubernetes.io/service-account.name: <serviceaccount_name>
type: kubernetes.io/service-account-token
"@ | kubectl -n kube-system apply -f - -
Add to the environment variable
TOKEN
decoded token from the secret:$env:token = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((kubectl -n kube-system get secret <serviceaccount_name>-token -o jsonpath='{.data.token}')))
-
Add ServiceAccount to the kubeconfig file:
kubectl config set-credentials <serviceaccount_name> --token=$token
-
Switch context:
kubectl config set-context --current --user=<serviceaccount_name>
-
Check the functionality — make any request in Kubernetes API. For example, request a list of cluster nodes:
kubectl get nodes
-
The updated kubeconfig file will be located in the home directory
$env:USERPROFILE/.kube/config