After a year the TLS certificates on your cluster will expire this is because the job of the certificates is to establish a two way trust and if expired that trust is no longer valid, , when this happens you will see the following error message if you try to communicate with it:
Unable to connect to the server: x509: certificate has expired or is not yet valid: <timestamp here>The next step is to renew these certificates to restore communication you can do this with kubeadm. So issue the following command:
sudo kubeadm alpha certs renew allYou will then get output which looks something like this as the certificates are renewed:
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewedKubernetes will then output that you need to restart api-server, controller-manager and kubelet so they can use the new certificates you have created, the quickest (and dirtiest) way in a simple home lab cluster to do this is to reboot the control plane. Before you restart you need to manage the configuration so backup the old one if you like then issue the following command.
sudo cp /etc/kubernetes/admin.conf ~/.kube/configNow restart your control plane node(s). Upon reboot you should find that after the cluster settles you are able to check the current certificates with:
sudo kubeadm certs check-expiration
Which would yield output like this:
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED admin.conf Feb 16, 2024 12:16 UTC 364d no apiserver Feb 16, 2024 12:16 UTC 364d ca no apiserver-etcd-client Feb 16, 2024 12:16 UTC 364d etcd-ca no apiserver-kubelet-client Feb 16, 2024 12:17 UTC 364d ca no controller-manager.conf Feb 16, 2024 12:17 UTC 364d no etcd-healthcheck-client Feb 16, 2024 12:17 UTC 364d etcd-ca no etcd-peer Feb 16, 2024 12:17 UTC 364d etcd-ca no etcd-server Feb 16, 2024 12:17 UTC 364d etcd-ca no front-proxy-client Feb 16, 2024 12:17 UTC 364d front-proxy-ca no scheduler.conf Feb 16, 2024 12:17 UTC 364d no
Arguably you should be doing this before your certs expire to not loose communication but the process is the same for renewal.
If you prefer not to reboot, which admittedly is the dirty way to do this, you can restart the kubelet on the master node, as a note the kube-apiserver runs as a static pod.
system restart kubeletWhen you issue that command all of the kube-<name> services should restart.