kubeadm: support rotation of etcd certs even if etcd is not upgraded #2989
Comments
k8s-ci-robot
added
needs-sig
|
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/sig api-machinery |
k8s-ci-robot
added
sig/api-machinery
|
/transfer kubeadm |
neolit123
added
priority/awaiting-more-evidence
yes, kubeadm upgrade does not rotate etcd certs if etcd is not upgraded. you could manually force renewal with EDIT: also if you upgrade more often, etcd certs will be rotated. k8s releases every 4 months and etcd versions are definitely upgraded them. etcd PATCH versions are also sometimes updated on k8s PATCH version. |
neolit123
added
kind/feature
|
i think this is the ~3rd time i see confusing around the kubeadm upgrade behavior of etcd and certs rotation, so i'm tagging this as a feature request. |
hm, i probably should not have transferred this to the kubeadm repository as the log problem is indeed an api-server / api-machinery one. you could log the k/k ticket again, but copying your description and we can repurpose this ticket here to investigate if we can rotate etcd certs on upgrade if other certs are rotated, or ... just update docs why this happens. https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/ |
neolit123
changed the title
+1 for A) as we mentioned this in the doc 😄 Another choice may be adding a preflight check(error or warning) for cert expire when you run BTW, do we have a suggestion about how many months before expire users should renew certs? |
exactly, this tells us that @KlavsKlavsen did no upgrade their cluster on time - i.e. at least once a year.
i was under the impression that we have docs that etcd cert rotation is skipped if etcd upgrade is skipped.
it could be added as something that "upgrade plan" does.
the kubelet also has one year client certs (by default, with 1024 byte keys, RSA), that it rotates if ~80% of the time in one year has passed - i.e. ~ 0.8 * 365 days |
|
we seem to have some agreement that this is a desired change in kubeadm. |
neolit123
added
help wanted
What happened?
our kube-apiserver just started failing to start.. The log from containerd only says:
2023-12-16T07:35:01.426019865+01:00 stderr F }. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2023-12-16T06:35:01Z is after 2023-12-03T03:37:19Z"
we checked apiserver certs etc. -and they were all fine.
We finally checked etcd endpoint - and that had an old cert (which for some reason was not updated with kubeadm update
kubeadm certs check-expiration had the details - but IMHO kubeadm k8s update SHOULD look at certs expiration and renew them all - instead of only renewing etcd certs IF there's an update for it.
What did you expect to happen?
a logmessage that told me which endpoint had the bad cert and details about cert.
We had updated using kubeadm and it renewed certs - but appearently it does not renew etcd certs - if there is no update of that component - which surprised us - as we thought it renewed all certs for cluster on upgrades :(
How can we reproduce it (as minimally and precisely as possible)?
update via kubeadm so etcd certs are not being renewed and "adjust OS time" - so etcd certs are expired but rest are not.
Anything else we need to know?
No response
Kubernetes version
Server Version: v1.26.4
we'll update soon (above might have been fixed in newer version?)
Cloud provider
Hetzner physical server
OS version
Ubuntu 22.04
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)
The text was updated successfully, but these errors were encountered: