Commit f9e113f

Merge pull request #38353 from SergeyKanzhelev/RotateKubeletClientCertificateIsGA
fix documentation for RotateKubeletClientCertificate
2 parents 33248dd + ab48121 commit f9e113f

1 file changed

+12
-10
lines changed

content/en/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md

Lines changed: 12 additions & 10 deletions
@@ -404,23 +404,25 @@ However, you _can_ enable its server certificate, at least partially, via certif
404404

405405
### Certificate Rotation
406406

407-
Kubernetes v1.8 and higher kubelet implements __beta__ features for enabling
408-
rotation of its client and/or serving certificates. These can be enabled through
409-
the respective `RotateKubeletClientCertificate` and
410-
`RotateKubeletServerCertificate` feature flags on the kubelet and are enabled by
411-
default.
407+
Kubernetes v1.8 and higher kubelet implements features for enabling
408+
rotation of its client and/or serving certificates. Note, rotation of serving
409+
certificate is a __beta__ feature and requires the `RotateKubeletServerCertificate`
410+
feature flag on the kubelet (enabled by default).
412411

413-
`RotateKubeletClientCertificate` causes the kubelet to rotate its client
414-
certificates by creating new CSRs as its existing credentials expire. To enable
415-
this feature pass the following flag to the kubelet:
412+
You can configure the kubelet to rotate its client certificates by creating new CSRs
413+
as its existing credentials expire. To enable this feature, use the `rotateCertificates`
414+
field of [kubelet configuration file](/docs/tasks/administer-cluster/kubelet-config-file/)
415+
or pass the following command line argument to the kubelet (deprecated):
416416

417417
```
418418
--rotate-certificates
419419
```
420420

421-
`RotateKubeletServerCertificate` causes the kubelet **both** to request a serving
421+
Enabling `RotateKubeletServerCertificate` causes the kubelet **both** to request a serving
422422
certificate after bootstrapping its client credentials **and** to rotate that
423-
certificate. To enable this feature pass the following flag to the kubelet:
423+
certificate. To enable this behavior, use the field `serverTLSBootstrap` of
424+
the [kubelet configuration file](/docs/tasks/administer-cluster/kubelet-config-file/)
425+
or pass the following command line argument to the kubelet (deprecated):
424426

425427
```
426428
--rotate-server-certificates
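
Review bot: The added sentence at new line 421, "Enabling `RotateKubeletServerCertificate` causes the kubelet **both** to request a serving certificate ... **and** to rotate that certificate", conflicts with the text around it. The rewritten opening paragraph says that feature flag is "(enabled by default)", while the following sentence says the behavior is enabled through `serverTLSBootstrap` or `--rotate-server-certificates`, so a reader cannot tell whether a default kubelet already requests and rotates serving certificates. Suggest stating which switch actually turns the behavior on and that the feature flag is a prerequisite for it, rather than describing the flag itself as the trigger. Two smaller points: the client-rotation paragraph (new lines 412-415) no longer mentions the feature's status at all, although the branch name says `RotateKubeletClientCertificate` is GA, so a short statement of that status would help; and new line 414 reads "field of [kubelet configuration file]" without "the", unlike the parallel wording at new line 424.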