Renewing Kubernetes control plane certificates

Last updated: March 16, 2026

Kubernetes control plane certificates expire after one year by default. This guide covers how to renew them on each control plane node using kubeadm.

[ Prerequisites ]
  • SSH access to each control plane node
  • kubeadm installed on the node
  • Sufficient permissions to run sudo commands

Run these steps on each control plane node individually. Restarting kubelet will briefly interrupt the API server on that node.

Check certificate expiration

Before renewing, confirm which certificates are expiring:

bash
sudo kubeadm certs check-expiration

The output lists each certificate alongside its expiration date and the certificate authority that signed it.

Renew all certificates

bash
sudo kubeadm certs renew all

This renews all certificates managed by kubeadm, including the API server, controller manager, scheduler, and etcd certificates.

Restart kubelet

bash
sudo systemctl restart kubelet

The kubelet must be restarted to pick up the renewed certificates.

Verify the renewal

Run the expiration check again to confirm new expiry dates:

bash
sudo kubeadm certs check-expiration

All certificates should now show an expiration date approximately one year from today.

Update your local kubeconfig

After renewing, copy the updated admin config to your home directory:

bash
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Confirm the cluster is back online

bash
kubectl get namespaces
kubectl get nodes
kubectl get pods -A

All nodes should show Ready and system pods should be Running or Completed.
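
The expiration checks in the steps above can be scripted so that a node where renewal did not complete stands out. The following is an added example, not part of the original guide or of kubeadm: the function names `expiring_certs` and `sample_output`, the 30-day default threshold, and the sample table are constructed for illustration.

```bash
# Reads `kubeadm certs check-expiration` output on stdin and prints every
# entry whose RESIDUAL TIME is under LIMIT days. Returns 1 if any were found.
# Assumption: RESIDUAL TIME is the field after "UTC", shaped like 364d, 9y,
# 5h, 30m, 12s, or <invalid> for a certificate that has already expired.
expiring_certs() {
    awk -v limit="${1:-30}" '
        /^CERTIFICATE/ || /^\[/ || NF == 0 { next }  # headers, log lines, blanks
        {
            residual = ""
            for (i = 1; i < NF; i++)
                if ($i == "UTC") { residual = $(i + 1); break }
            if (residual == "") next
            if (residual == "<invalid>") {
                days = -1
            } else {
                n = residual + 0                      # "364d" -> 364
                unit = substr(residual, length(residual))
                if (unit == "y") days = n * 365
                else if (unit == "d") days = n
                else days = 0                         # under one day left
            }
            if (days < limit) { print $1, residual; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: a node where some certificates were not renewed.
sample_output() {
    cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver                  Mar 16, 2027 09:12 UTC   364d            ca                      no
apiserver-etcd-client      Mar 30, 2026 09:12 UTC   13d             etcd-ca                 no
etcd-server                Mar 16, 2026 14:12 UTC   5h              etcd-ca                 no
front-proxy-client         Mar 10, 2026 09:12 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 13, 2035 09:12 UTC   9y              no
EOF
}

# On a node: sudo kubeadm certs check-expiration | expiring_certs 30
sample_output | expiring_certs 30 || echo "renewal incomplete on this node"
```

The non-zero exit status makes the function usable from a scheduled job or monitoring check that runs on each control plane node.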