By default, Kubernetes certificates need to be renewed every other year. The renewal process is documented below.

1. View Certificate

Check the certificate expiration time on the Master node:

kubeadm certs check-expiration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 02, 2023 09:53 UTC   296d                                    no      
apiserver                  Apr 02, 2023 09:53 UTC   296d            ca                      no      
apiserver-kubelet-client   Apr 02, 2023 09:53 UTC   296d            ca                      no      
controller-manager.conf    Apr 02, 2023 09:53 UTC   296d                                    no      
front-proxy-client         Apr 02, 2023 09:53 UTC   296d            front-proxy-ca          no      
scheduler.conf             Apr 02, 2023 09:53 UTC   296d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 30, 2032 09:53 UTC   9y              no      
front-proxy-ca          Mar 30, 2032 09:53 UTC   9y              no      
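To catch certificates before they lapse, the check above can be scripted. The following is an added example, not part of the original post: the function names are illustrative, the embedded sample is copied from the output above, and the handling of `<invalid>` and of sub-day units is an assumption about kubeadm's residual-time format.

```shell
#!/bin/sh
# Added example: flag entries from `kubeadm certs check-expiration`
# that have fewer than THRESHOLD_DAYS remaining.

# expiring_certs THRESHOLD_DAYS
# Reads the command's output on stdin, prints "NAME DAYS_LEFT" per match.
expiring_certs() {
    awk -v limit="$1" '
        $6 != "UTC" { next }    # skip headers, blank lines and log lines
        {
            r = $7                                 # RESIDUAL TIME column
            unit = substr(r, length(r))
            n = substr(r, 1, length(r) - 1) + 0
            if (r == "<invalid>")  days = -1       # assumed marker for "already expired"
            else if (unit == "y")  days = n * 365
            else if (unit == "d")  days = n
            else                   days = 0        # assumed h/m/s: under one day left
            if (days < limit) print $1, days
        }'
}

# Sample input taken from the output shown above, so the script runs
# without a cluster.
sample_output() {
    cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 02, 2023 09:53 UTC   296d                                    no
apiserver                  Apr 02, 2023 09:53 UTC   296d            ca                      no
apiserver-kubelet-client   Apr 02, 2023 09:53 UTC   296d            ca                      no
controller-manager.conf    Apr 02, 2023 09:53 UTC   296d                                    no
front-proxy-client         Apr 02, 2023 09:53 UTC   296d            front-proxy-ca          no
scheduler.conf             Apr 02, 2023 09:53 UTC   296d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 30, 2032 09:53 UTC   9y              no
front-proxy-ca          Mar 30, 2032 09:53 UTC   9y              no
EOF
}

# With a 300-day threshold the six leaf certificates are listed;
# the two CAs (9y) are not.
sample_output | expiring_certs 300
```

On a Master node, feed it live data with `kubeadm certs check-expiration | expiring_certs 30`.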

2. Back up the configuration

Before renewing, back up the entire Kubernetes configuration directory:

cp -r /etc/kubernetes /etc/kubernetes.old

3. Execute the command on each Master node to update the certificate

kubeadm certs renew all

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

4. Restart the relevant services on each Master node

docker ps | grep -E "k8s_kube-apiserver|k8s_kube-scheduler|k8s_kube-controller" | awk '{print $1}' | xargs docker restart

5. Update ~/.kube/config file

sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"