
Update certificates for system components in a Managed Kubernetes cluster

Kubernetes system components need valid certificates to communicate with each other. The certificates are rotated automatically every 30 days. If the automatic rotation fails, you can update the certificates manually in the Control panel or via the Managed Kubernetes API.

Certificate updates are recorded in the cluster logs.

Every time the certificates are updated, the kubeconfig file changes, so you have to reconnect to the cluster. To avoid reconnecting, configure cluster access via a ServiceAccount Token.

Update certificates when an error occurs

If the error ROTATE CERTS = ERROR occurred during the automatic certificate update, update the certificates manually in the Control panel or via the Managed Kubernetes API:

  1. In the Control panel, on the top menu, click Products and select Managed Kubernetes.
  2. Open the cluster page → Settings tab.
  3. In the Cluster access block, click Update certificates.
  4. Reconnect to the cluster.

Configure certificate updates via ServiceAccount Token

A ServiceAccount Token is a way to authenticate to the Kubernetes API. With it, you do not have to update the kubeconfig file after every certificate update.

The process of obtaining a ServiceAccount Token depends on the Kubernetes version:

For Kubernetes version 1.23 and lower

  1. Create a ServiceAccount:

    kubectl -n kube-system create serviceaccount <serviceaccount_name>

    Specify <serviceaccount_name> — the name of the service account.

  2. Create a ClusterRoleBinding that grants the new ServiceAccount the cluster-admin role (administrator rights):

    kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>

    Specify <clusterrolebinding_name> — the name of the binding for the new user.

  3. Add the name of the secret of the created ServiceAccount that stores the token to the TOKENNAME environment variable:

    export TOKENNAME=$(kubectl -n kube-system get serviceaccount/<serviceaccount_name> -o jsonpath='{.secrets[0].name}')

  4. Add the decoded token from the secret to the TOKEN environment variable:

    export TOKEN=$(kubectl -n kube-system get secret $TOKENNAME -o jsonpath='{.data.token}' | base64 --decode)

  5. Check if the token works — make a request to the Kubernetes API with the token in the header:

    curl -k -H "Authorization: Bearer $TOKEN" -X GET "https://<kube_api_ip>:6443/api/v1/nodes" | json_pp

    Specify <kube_api_ip> — the cluster IP address in the Control panel.

  6. Add the ServiceAccount to the kubeconfig file:

    kubectl config set-credentials <serviceaccount_name> --token=$TOKEN

  7. Switch the current context to the new user:

    kubectl config set-context --current --user=<serviceaccount_name>

  8. Check that access works — make any request to the Kubernetes API. For example, request the list of cluster nodes:

    kubectl get nodes

  9. The updated kubeconfig file is located at $HOME/.kube/config in your home directory.

For Kubernetes version 1.24 and higher

  1. Create a ServiceAccount:

    kubectl -n kube-system create serviceaccount <serviceaccount_name>

    Specify <serviceaccount_name> — the service account name.

  2. Create a ClusterRoleBinding that grants the new ServiceAccount the cluster-admin role (administrator rights):

    kubectl create clusterrolebinding <clusterrolebinding_name> --clusterrole=cluster-admin --serviceaccount=kube-system:<serviceaccount_name>

    Specify <clusterrolebinding_name> — the name of the binding for the new user.

  3. Create a Secret that stores the token of the created ServiceAccount (in Kubernetes 1.24 and higher such secrets are no longer created automatically):

    kubectl -n kube-system apply -f - <<EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: <serviceaccount_name>-token
      annotations:
        kubernetes.io/service-account.name: <serviceaccount_name>
    type: kubernetes.io/service-account-token
    EOF

  4. Add the decoded token from the secret to the TOKEN environment variable:

    export TOKEN=$(kubectl -n kube-system get secret <serviceaccount_name>-token -o jsonpath='{.data.token}' | base64 --decode)

  5. Check if the token works — make a request to the Kubernetes API with the token in the header:

    curl -k -H "Authorization: Bearer $TOKEN" -X GET "https://<kube_api_ip>:6443/api/v1/nodes" | json_pp

    Specify <kube_api_ip> — the cluster IP address in the Control panel.

  6. Add the ServiceAccount to the kubeconfig file:

    kubectl config set-credentials <serviceaccount_name> --token=$TOKEN

  7. Switch the current context to the new user:

    kubectl config set-context --current --user=<serviceaccount_name>

  8. Check that access works — make any request to the Kubernetes API. For example, request the list of cluster nodes:

    kubectl get nodes

  9. The updated kubeconfig file is located at $HOME/.kube/config in your home directory.
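An added helper script that serves both procedures above; it is not part of the original page or the provider's tooling, and the function names are assumptions. It generates the token Secret manifest used in step 3 of the 1.24+ flow and checks, before the token from step 4 is written into kubeconfig, that the token's subject claim names the intended ServiceAccount in kube-system.

```shell
#!/bin/sh
# Added example (not from the original page). Helpers to (1) emit a correctly
# indented token Secret manifest for step 3 of the 1.24+ procedure and (2) check
# that a token retrieved in step 4 really belongs to the intended ServiceAccount
# before it is written into kubeconfig. Function names are hypothetical.

# Print the Secret manifest for the ServiceAccount named in $1 (kube-system).
sa_token_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: $1
type: kubernetes.io/service-account-token
EOF
}

# Decode a base64url string (JWT segments drop '=' padding and use '-' '_').
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Extract the "sub" claim from the JWT payload (second dot-separated segment).
# Minimal sed-based extraction; use jq if it is available.
token_subject() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" |
    sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Succeed only if the token in $2 was issued to kube-system ServiceAccount $1.
check_token_subject() {
  [ "$(token_subject "$2")" = "system:serviceaccount:kube-system:$1" ]
}

# Constructed sample token (RS256 header, fake signature) for offline testing.
sample_payload='{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:kube-system:demo-sa"}'
SAMPLE_TOKEN="eyJhbGciOiJSUzI1NiJ9.$(printf '%s' "$sample_payload" | base64 | tr -d '=\n' | tr '+/' '-_').c2ln"

# Real flow: TOKEN=$(kubectl -n kube-system get secret <sa>-token -o jsonpath='{.data.token}' | base64 --decode)
# check_token_subject <sa> "$TOKEN" && kubectl config set-credentials <sa> --token="$TOKEN"
```

The token is a non-expiring cluster-admin credential, so treat the resulting kubeconfig like a root password, and when testing it with curl prefer --cacert with the cluster CA over -k so the token is never sent to an unverified endpoint.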