Update certificates for system components
Up-to-date certificates are required to interoperate Kubernetes system components. They are updated automatically every 30 days. If an error occurs when updating certificates, you can update certificates in the control panel or via Managed Kubernetes API.
Information about certificate updates is reflected in cluster logs.
The kubeconfig file changes each time the certificates are updated, so the cluster needs to be reconnected. To avoid reconnecting, configure update via ServiceAccount Token.
Update certificates when error occurs
If a ROTATE CERTS = ERROR error occurs when automatically updating certificates, you can update certificates in the control panel or via API Managed Kubernetes.
- In Control Panel, go to Cloud Platform → Kubernetes.
- Open the cluster page → Settings tab.
- In the Cluster Access block, click Update Certificates.
- Re-connect to cluster.
Configure certificate renewal via ServiceAccount Token
ServiceAccount Token is a method of authorization in the Kubernetes API. It allows you not to update the kubeconfig file after each certificate update.
The process of obtaining a ServiceAccount Token depends on the Kubernetes version:
For Kubernetes version 1.23 and below
- Linux
- Windows
-
Create a ServiceAccount:
kubectl -n kube-system create serviceaccount <serviceaccount_name>Specify
<serviceaccount_name>— the name of the service account. -
Create a ClusterRoleBinding (group for the new user) and add a role with administrator rights (cluster-admin):
kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>Specify
<clusterrolebinding_name>is the group name for the new user. -
Add to the
TOKENNAMEenvironment variable the name of the secret of the created ServiceAccount in which the token is stored:export TOKENNAME=$(kubectl -n kube-system get serviceaccount/<serviceaccount_name> -o jsonpath='{.secrets[0].name}') -
Add the decoded token from the secret to the
TOKENenvironment variable:export TOKEN=$(kubectl -n kube-system get secret $TOKENNAME -o jsonpath='{.data.token}' | base64 --decode) -
Check if the token is working — make a request to the Kubernetes API with the token in the header:
curl -k -H 'Authorization: Bearer $TOKEN' -X GET 'https://<kube_api_ip>:6443/api/v1/nodes' | json_ppSpecify
<kube_api_ip>— the IP address of the cluster in the control panel. -
Add ServiceAccount to the kubeconfig file:
kubectl config set-credentials <serviceaccount_name> --token=$TOKEN -
Switch context:
kubectl config set-context --current --user=<serviceaccount_name> -
Check for functionality — make any request to the Kubernetes API. For example, query for a list of cluster nodes:
kubectl get nodes -
The updated kubeconfig file will be located in the
$HOME/.kube/confighome directory.
-
Create a ServiceAccount:
kubectl -n kube-system create serviceaccount <serviceaccount_name>Specify
<serviceaccount_name>— the name of the service account. -
Create a ClusterRoleBinding (group for the new user) and add a role with administrator rights (cluster-admin):
kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>Specify
<clusterrolebinding_name>is the group name for the new user. -
Get the name of the secret of the created ServiceAccount that holds the token:
$token_name = kubectl -n kube-system get serviceaccount/<serviceaccount_name> -o jsonpath='{.secrets[0].name}' -
Add the decoded token from the secret to the
tokenvariable:$token = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((kubectl -n kube-system get secret $token_name -o jsonpath='{.data.token} ')))) -
Check if the token is working — make a request to the Kubernetes API with the token in the header:
curl -k -H 'Authorization: Bearer $token' -X GET 'https://<kube_api_ip>:6443/api/v1/nodes'Specify
<kube_api_ip>— the IP address of the cluster in the control panel. -
Add ServiceAccount to the kubeconfig file:
kubectl config set-credentials <serviceaccount_name> --token=$token -
Switch context:
kubectl config set-context --current --user=<serviceaccount_name> -
Check for functionality — make any request to the Kubernetes API. For example, query for a list of cluster nodes:
kubectl get nodes -
The updated kubeconfig file will be located in the
$env:USERPROFILE/.kube/confighome directory.
For Kubernetes version 1.24 and higher
- Linux
- Windows
-
Create a ServiceAccount:
kubectl -n kube-system create serviceaccount <serviceaccount_name>Specify
<serviceaccount_name>— the name of the service account. -
Create a ClusterRoleBinding (group for the new user) and add a role with administrator rights (cluster-admin):
kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>Specify
<clusterrolebinding_name>is the group name for the new user. -
Get the name of the secret of the created ServiceAssociate that holds the token:
kubectl -n kube-system apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
name: <serviceaccount_name>-token
annotations:
kubernetes.io/service-account.name: <serviceaccount_name>
type: kubernetes.io/service-account-token
EOF -
Add the decoded token from the secret to the
TOKENenvironment variable:export TOKEN=$(kubectl -n kube-system get secret <serviceaccount_name>-token -o jsonpath='{.data.token}' | base64 --decode) -
Check if the token is working — make a request to the Kubernetes API with the token in the header:
curl -k -H 'Authorization: Bearer $TOKEN' -X GET 'https://<kube_api_ip>:6443/api/v1/nodes' | json_ppSpecify
<kube_api_ip>— the IP address of the cluster in the control panel. -
Add ServiceAccount to the kubeconfig file:
kubectl config set-credentials <serviceaccount_name> --token=$TOKEN -
Switch context:
kubectl config set-context --current --user=<serviceaccount_name> -
Check for functionality — make any request to the Kubernetes API. For example, query for a list of cluster nodes:
kubectl get nodes -
The updated kubeconfig file will be located in the
$HOME/.kube/confighome directory.
-
Create a ServiceAccount:
kubectl -n kube-system create serviceaccount <serviceaccount_name>Specify
<serviceaccount_name>— the name of the service account. -
Create a ClusterRoleBinding (group for the new user) and add a role with administrator rights (cluster-admin):
kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>Specify
<clusterrolebinding_name>is the group name for the new user. -
Get the name of the secret of the created ServiceAccount that holds the token:
@"
apiVersion: v1
kind: Secret
metadata:
name: <serviceaccount_name>-token
annotations:
kubernetes.io/service-account.name: <serviceaccount_name>
type: kubernetes.io/service-account-token
"@" | kubectl -n kube-system apply -f - - -
Add the decoded token from the secret to the
TOKENenvironment variable:$token = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((kubectl -n kube-system get secret <serviceaccount_name>-token -o jsonpath='{.data.token} ')))) -
Check if the token is working — make a request to the Kubernetes API with the token in the header:
curl -k -H 'Authorization: Bearer $token' -X GET 'https://<kube_api_ip>:6443/api/v1/nodes'Specify
<kube_api_ip>— the IP address of the cluster in the control panel. -
Add ServiceAccount to the kubeconfig file:
kubectl config set-credentials <serviceaccount_name> --token=$token -
Switch context:
kubectl config set-context --current --user=<serviceaccount_name> -
Check for functionality — make any request to the Kubernetes API. For example, query for a list of cluster nodes:
kubectl get nodes -
The updated kubeconfig file will be located in the
$env:USERPROFILE/.kube/confighome directory.