How do I set the certificate for k8s to more than 1 year? [closed]

I'm a novice k8s engineer. Until now, I have managed the k8s certificate by manually renewing it once a year.

However, I became curious about how to set the certificates below for more than 1 year in the first place.

[root@master ~]# kubeadm alpha certs check-expiration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 May 21, 2022 01:29 UTC   311d            no      
apiserver                  May 21, 2022 01:29 UTC   311d            no      
apiserver-etcd-client      May 21, 2022 01:29 UTC   311d            no      
apiserver-kubelet-client   May 21, 2022 01:29 UTC   311d            no      
controller-manager.conf    May 21, 2022 01:29 UTC   311d            no      
etcd-healthcheck-client    May 21, 2022 01:29 UTC   311d            no      
etcd-peer                  May 21, 2022 01:29 UTC   311d            no      
etcd-server                May 21, 2022 01:29 UTC   311d            no      
front-proxy-client         May 21, 2022 01:29 UTC   311d            no      
scheduler.conf             May 21, 2022 01:29 UTC   311d            no      

Can these certificates be extended by more than a year? (nearly 10 years..?)

k8s version is 1.16

I can use a private certificate. It doesn't matter which way. (There is a limit to searching because I am not good at English.)

Please tell me how to renew the K8s certificate (api..) only once every 10 years!

Cassil asked Oct 15 '25 13:10


1 Answer

It is not recommended to have the certificates for more than one year. Kubernetes provides a hassle-free way to create and renew certs every year. Kubernetes Certificates Since you need it for some special requirement:

  • Check certs expiration
  • Back up the existing Kubernetes certificates. Back up all the certs in the pki dir to somewhere safe with controlled access.
  • Back up the existing and necessary configuration files
  • Add the --cluster-signing-duration flag for kube-controller-manager. kubernetes doc for signing duration

Edit /etc/kubernetes/manifests/kube-controller-manager.yaml

 apiVersion: v1
 kind: Pod
 metadata:
   ...
   name: kube-controller-manager
   namespace: kube-system
 spec:
   containers:
   - command:
     - kube-controller-manager
     ...
     - --experimental-cluster-signing-duration=87600h
     ...
 ...

87600h ~ 10 years

  • Renew all certs: kubeadm alpha certs renew all --config /etc/kubernetes/kubeadm-config.yaml

  • Follow the CSR request and approve method.

  • Restart the necessary components like etcd, kube-apiserver, kube-scheduler, controller, kubelet

  • Check the new cert expiry

Please follow this in a test lab scenario before doing it on any prod envs while the clusters are running.

Pallavi_Answers answered Oct 17 '03:10
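The answer's procedure starts and ends with "check cert expiration" and asks for a backup of the pki dir with controlled access. The script below is an added example, not part of the answer and not a kubeadm tool: it audits every certificate in a kubeadm-style PKI directory with openssl, reports days remaining, and flags two things worth watching once you move to a 10-year signing duration: certs that are about to expire (renewal overdue) and certs whose remaining validity is longer than the default one year (expected after the change, but each one should be deliberate). It assumes openssl in PATH, kubeadm's layout of `.crt` files under `/etc/kubernetes/pki` with an `etcd/` subdirectory, and GNU `date` for the day count (the pass/fail logic uses `openssl x509 -checkend`, which needs no date parsing). `PKI_DIR`, `WARN_DAYS` and `MAX_DAYS` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the answer above): audit and back up a kubeadm PKI dir.
# Assumes: openssl in PATH; cert files end in .crt (kubeadm layout); GNU date
# for the human-readable day count (falls back to "?" if date cannot parse).

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
WARN_DAYS="${WARN_DAYS:-30}"    # flag certs expiring within this many days
MAX_DAYS="${MAX_DAYS:-365}"     # flag certs valid longer than kubeadm's 1-year default

# days_left CERT -> prints remaining whole days, or "?" if date cannot parse;
# returns 1 if openssl cannot read the certificate at all.
days_left() {
  end=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//')
  [ -n "$end" ] || return 1
  end_s=$(date -u -d "$end" +%s 2>/dev/null) || { echo "?"; return 0; }
  echo $(( (end_s - $(date -u +%s)) / 86400 ))
}

# expires_within CERT DAYS -> exit 0 if the cert expires within DAYS.
# openssl -checkend exits 0 when the cert will NOT expire in that window.
expires_within() {
  ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# audit_pki DIR -> one line per cert: STATUS NAME DAYSd, where STATUS is
# OK, EXPIRING (within WARN_DAYS), LONG (more than MAX_DAYS left) or UNREADABLE.
# Returns 1 if any cert is EXPIRING or UNREADABLE, so it can gate a pipeline.
audit_pki() {
  dir="$1"; rc=0
  for crt in "$dir"/*.crt "$dir"/etcd/*.crt; do
    [ -f "$crt" ] || continue
    name=${crt#"$dir"/}
    days=$(days_left "$crt") || { echo "UNREADABLE $name"; rc=1; continue; }
    if expires_within "$crt" "$WARN_DAYS"; then
      status=EXPIRING; rc=1
    elif [ "$days" != "?" ] && [ "$days" -gt "$MAX_DAYS" ]; then
      status=LONG
    else
      status=OK
    fi
    echo "$status $name ${days}d"
  done
  return $rc
}

# backup_pki DIR DEST -> tar the PKI dir into DEST (mode 0700, archive 0600)
# and print the archive path. The private keys inside are as sensitive as the
# CA itself, which is why the answer asks for "controlled access".
backup_pki() {
  mkdir -p "$2" && chmod 700 "$2" || return 1
  archive="$2/pki-backup-$(date -u +%Y%m%dT%H%M%SZ).tar"
  tar -cf "$archive" -C "$(dirname "$1")" "$(basename "$1")" || return 1
  chmod 600 "$archive"
  echo "$archive"
}

# When run on a control-plane node, audit the live PKI dir; skipped elsewhere.
if [ -d "$PKI_DIR" ]; then
  audit_pki "$PKI_DIR" || echo "action required: a certificate is unreadable or within ${WARN_DAYS} days of expiry" >&2
fi
```

Run it before the renewal (everything should read OK with roughly the residual time kubeadm printed) and again after (the renewed certs should now read LONG with about 3649 days). An EXPIRING line on a control-plane node is the condition the original once-a-year manual renewal was guarding against, so it is the one to alert on.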