Skip to main content
Update certificates for system components
Last update:

Update certificates for system components

Up-to-date certificates are required to interoperate Kubernetes system components. They are updated automatically every 30 days. If an error occurs when updating certificates, you can update certificates in the control panel or via API Managed Kubernetes.

Information about certificate updates is reflected in cluster logs.

The kubeconfig file changes each time the certificates are updated, so the cluster needs to be reconnected. To avoid reconnecting, configure update via ServiceAccount Token.

Update certificates when error occurs

If a ROTATE CERTS = ERROR error occurs when automatically updating certificates, you can update certificates in the control panel or via API Managed Kubernetes.

  1. In Control Panel, go to Cloud PlatformKubernetes.
  2. Open the cluster page → Settings tab.
  3. In the Cluster Access block, click Update Certificates.
  4. Re-connect to cluster.

Configure certificate renewal via ServiceAccount Token

ServiceAccount Token is a method of authorization in the Kubernetes API. It allows you not to update the kubeconfig file after each certificate update.

The process of obtaining a ServiceAccount Token depends on the Kubernetes version:

For Kubernetes version 1.23 and below

  1. Create a ServiceAccount:

    kubectl -n kube-system create serviceaccount <serviceaccount_name>

    Specify <serviceaccount_name> — the name of the service account.

  2. Create a ClusterRoleBinding (group for the new user) and add a role with administrator rights (cluster-admin):

    kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>

    Specify <clusterrolebinding_name> is the group name for the new user.

  3. Add to the TOKENNAME environment variable the name of the secret of the created ServiceAccount in which the token is stored:

    export TOKENNAME=$(kubectl -n kube-system get serviceaccount/<serviceaccount_name> -o jsonpath='{.secrets[0].name}')
  4. Add the decoded token from the secret to the TOKEN environment variable:

    export TOKEN=$(kubectl -n kube-system get secret $TOKENNAME -o jsonpath='{.data.token}' | base64 --decode)
  5. Check if the token is working — make a request to the Kubernetes API with the token in the header:

    curl -k -H 'Authorization: Bearer $TOKEN' -X GET 'https://<kube_api_ip>:6443/api/v1/nodes' | json_pp

    Specify <kube_api_ip> — the IP address of the cluster in the control panel.

  6. Add ServiceAccount to the kubeconfig file:

    kubectl config set-credentials <serviceaccount_name> --token=$TOKEN
  7. Switch context:

    kubectl config set-context --current --user=<serviceaccount_name>
  8. Check for functionality — make any request to the Kubernetes API. For example, query for a list of cluster nodes:

    kubectl get nodes
  9. The updated kubeconfig file will be located in the $HOME/.kube/config home directory.

For Kubernetes version 1.24 and higher

  1. Create a ServiceAccount:

    kubectl -n kube-system create serviceaccount <serviceaccount_name>

    Specify <serviceaccount_name> — the name of the service account.

  2. Create a ClusterRoleBinding (group for the new user) and add a role with administrator rights (cluster-admin):

    kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>

    Specify <clusterrolebinding_name> is the group name for the new user.

  3. Get the name of the secret of the created ServiceAssociate that holds the token:

    kubectl -n kube-system apply -f - <<EOF
    apiVersion: v1
    kind: Secret
    metadata:
    name: <serviceaccount_name>-token
    annotations:
    kubernetes.io/service-account.name: <serviceaccount_name>
    type: kubernetes.io/service-account-token
    EOF
  4. Add the decoded token from the secret to the TOKEN environment variable:

    export TOKEN=$(kubectl -n kube-system get secret <serviceaccount_name>-token -o jsonpath='{.data.token}' | base64 --decode)
  5. Check if the token is working — make a request to the Kubernetes API with the token in the header:

    curl -k -H 'Authorization: Bearer $TOKEN' -X GET 'https://<kube_api_ip>:6443/api/v1/nodes' | json_pp

    Specify <kube_api_ip> — the IP address of the cluster in the control panel.

  6. Add ServiceAccount to the kubeconfig file:

    kubectl config set-credentials <serviceaccount_name> --token=$TOKEN
  7. Switch context:

    kubectl config set-context --current --user=<serviceaccount_name>
  8. Check for functionality — make any request to the Kubernetes API. For example, query for a list of cluster nodes:

    kubectl get nodes
  9. The updated kubeconfig file will be located in the $HOME/.kube/config home directory.