security/certificate_types_descriptions/node-certificates.adoc
20 additions & 1 deletion
@@ -8,12 +8,31 @@ toc::[]
8
8
9
9
== Purpose
10
10
11
-
Node certificates are signed by the cluster; they come from a certificate authority (CA) that is generated by the bootstrap process. After the cluster is installed, the node certificates are auto-rotated.
11
+
Node certificates are signed by the cluster and allow the kubelet to communicate with the Kubernetes API server. They come from the kubelet CA certificate, which is generated by the bootstrap process.
12
+
13
+
== Location
14
+
15
+
The kubelet CA certificate is located in the `kube-apiserver-to-kubelet-signer` secret in the `openshift-kube-apiserver-operator` namespace.
12
16
13
17
== Management
14
18
15
19
These certificates are managed by the system and not the user.
16
20
21
+
== Expiration
22
+
23
+
Node certificates are automatically rotated after 292 days and expire after 365 days.
24
+
25
+
== Renewal
26
+
27
+
The Kubernetes API Server Operator automatically generates a new `kube-apiserver-to-kubelet-signer` CA certificate at 292 days. The old CA certificate is removed after 365 days. Nodes are not rebooted when a kubelet CA certificate is renewed or removed.
28
+
29
+
Cluster administrators can manually renew the kubelet CA certificate by running the following command:
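Review bot: In the new Expiration section, the 292-day rotation and 365-day expiry are attributed to "Node certificates", but the Renewal section directly below gives the same two figures for the `kube-apiserver-to-kubelet-signer` CA certificate. State which certificate each lifetime applies to, either by naming the kubelet CA certificate in Expiration if that is what is meant, or by giving the node certificates' own lifetime separately, so a reader planning around expiry knows which deadline is which. The Location section has the same gap: it says only where the CA certificate is stored, not where the node certificates that the page is about are kept. The visible lines also end on "by running the following command:" with no command shown, so confirm that the listing block follows in the rest of the change.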