Update certificates for system components

To interact with Kubernetes system components you need up-to-date certificates. They are renewed automatically every 30 days. If an error occurs during certificate renewal, you can renew the certificates in the control panel or through the Managed Kubernetes API.

Information about certificate renewal is recorded in the cluster logs.

Each time the certificates are renewed, the kubeconfig file changes, so you have to reconnect to the cluster. To avoid reconnecting after every renewal, configure access via a ServiceAccount Token.

Update certificates when an error occurs

If an error occurs during automatic certificate renewal (the cluster logs show ROTATE CERTS = ERROR), you can renew the certificates in the control panel or via the Managed Kubernetes API.

  1. In the control panel, go to Cloud platform → Kubernetes.
  2. Open the cluster page → Settings tab.
  3. In the Access to the cluster block, click Update certificates.
  4. Reconnect to the cluster.

Configure certificate renewal via ServiceAccount Token

A ServiceAccount Token is a way of authenticating to the Kubernetes API. With it you do not have to update the kubeconfig file after each certificate renewal.

The process of obtaining a ServiceAccount Token depends on the Kubernetes version:

For Kubernetes version 1.23 and below

  1. Create a ServiceAccount:

    kubectl -n kube-system create serviceaccount <serviceaccount_name>

    Specify <serviceaccount_name> — service account name.

  2. Create a ClusterRoleBinding (the group for the new user) that binds it to the cluster-admin role (administrator rights):

    kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>

    Specify <clusterrolebinding_name> — group name for the new user.

  3. Store the name of the secret that holds the token of the created ServiceAccount in the TOKENNAME environment variable:

    export TOKENNAME=$(kubectl -n kube-system get serviceaccount/<serviceaccount_name> -o jsonpath='{.secrets[0].name}')

  4. Store the decoded token from the secret in the TOKEN environment variable:

    export TOKEN=$(kubectl -n kube-system get secret $TOKENNAME -o jsonpath='{.data.token}' | base64 --decode)

  5. Check if the token is working — make a request to the Kubernetes API with the token in the header:

    curl -k -H "Authorization: Bearer $TOKEN" -X GET "https://<kube_api_ip>:6443/api/v1/nodes" | json_pp

    Specify <kube_api_ip> — the IP address of the cluster shown in the control panel.

  6. Add the ServiceAccount token to the kubeconfig file as a user credential:

    kubectl config set-credentials <serviceaccount_name> --token=$TOKEN

  7. Switch the current context to that user:

    kubectl config set-context --current --user=<serviceaccount_name>

  8. Check that it works — make any request to the Kubernetes API. For example, request the list of cluster nodes:

    kubectl get nodes

  9. The updated kubeconfig file is located in the home directory at $HOME/.kube/config

For Kubernetes version 1.24 and higher

  1. Create a ServiceAccount:

    kubectl -n kube-system create serviceaccount <serviceaccount_name>

    Specify <serviceaccount_name> — service account name.

  2. Create a ClusterRoleBinding (the group for the new user) that binds it to the cluster-admin role (administrator rights):

    kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>

    Specify <clusterrolebinding_name> — group name for the new user.

  3. Create a secret for the created ServiceAccount in which the token will be stored (the annotation must be nested under metadata.annotations):

    kubectl -n kube-system apply -f - <<EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: <serviceaccount_name>-token
      annotations:
        kubernetes.io/service-account.name: <serviceaccount_name>
    type: kubernetes.io/service-account-token
    EOF

  4. Store the decoded token from the secret in the TOKEN environment variable:

    export TOKEN=$(kubectl -n kube-system get secret <serviceaccount_name>-token -o jsonpath='{.data.token}' | base64 --decode)

  5. Check if the token is working — make a request to the Kubernetes API with the token in the header:

    curl -k -H "Authorization: Bearer $TOKEN" -X GET "https://<kube_api_ip>:6443/api/v1/nodes" | json_pp

    Specify <kube_api_ip> — the IP address of the cluster shown in the control panel.

  6. Add the ServiceAccount token to the kubeconfig file as a user credential:

    kubectl config set-credentials <serviceaccount_name> --token=$TOKEN

  7. Switch the current context to that user:

    kubectl config set-context --current --user=<serviceaccount_name>

  8. Check that it works — make any request to the Kubernetes API. For example, request the list of cluster nodes:

    kubectl get nodes

  9. The updated kubeconfig file is located in the home directory at $HOME/.kube/config
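The 1.24+ procedure above collected into reusable shell functions, as an added example that is not part of the original documentation. It adds one check the steps omit: the decoded token's sub claim is compared with the expected ServiceAccount before the token is written into kubeconfig. The namespace, the names and the sample token are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Selectel's own code. Names are placeholders.
set -eu

# Emit the token Secret manifest with correct YAML nesting: the annotation
# must sit under metadata.annotations or no token is minted for the secret.
sa_token_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s-token\n  annotations:\n    kubernetes.io/service-account.name: %s\ntype: kubernetes.io/service-account-token\n' "$1" "$1"
}

# Decode the payload of a JWT (base64url, unpadded) to JSON.
jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#p} % 4 )) -ne 0 ]; do p="$p="; done
  printf '%s' "$p" | base64 --decode
}

# Print the sub claim; a ServiceAccount token carries
# system:serviceaccount:<namespace>:<name>.
jwt_subject() {
  jwt_payload "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Return 0 only if the token belongs to the expected ServiceAccount,
# so a token from the wrong secret never lands in kubeconfig.
check_token_subject() {
  [ "$(jwt_subject "$1")" = "system:serviceaccount:$2:$3" ]
}

# Full 1.24+ flow (cluster-admin, as in the documentation). Not called at
# top level so the file can be sourced and tested without kubectl.
setup_sa_token() {
  ns="$1"; name="$2"
  kubectl -n "$ns" create serviceaccount "$name"
  kubectl create clusterrolebinding "$name-admin" --clusterrole=cluster-admin --serviceaccount="$ns:$name"
  sa_token_manifest "$name" | kubectl -n "$ns" apply -f -
  TOKEN=$(kubectl -n "$ns" get secret "$name-token" -o jsonpath='{.data.token}' | base64 --decode)
  check_token_subject "$TOKEN" "$ns" "$name" || { echo "token subject mismatch" >&2; return 1; }
  kubectl config set-credentials "$name" --token="$TOKEN"
  kubectl config set-context --current --user="$name"
  kubectl get nodes
}

# Constructed sample token (unsigned header.payload.sig) for offline checks.
b64url() { base64 | tr -d '=\n' | tr '+/' '-_'; }
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","kid":"x"}' | b64url).$(printf '%s' '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:kube-system:rotation-sa"}' | b64url).sig"
```

Run the real flow with `setup_sa_token kube-system <serviceaccount_name>` against a cluster you administer.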