Hi,
Thank you very much for your help.
I have created my own kubernetes cluster with Kubeadm to learn.
I think it is the best way.
My certificates had expired and I regenerated them and created a new kubeconfig file, but when I created a new namespace, it couldn't automatically create the service account named default.
Thanks to you, I stopped and deleted the pods and it worked.
Hi Anthony, Thanks for watching.
That time when your production cluster starts sending errors because all of the cluster certificates have expired and you don't know what to do (because it's not documented). Great video Venkat, as always! (Wish this video had been released a couple of years ago) :D!
Hi Gonzalo, thanks for watching. Cheers.
Great tutorial. Thank you for accepting my request. Very helpful!
No worries. Thanks for watching Joash. Cheers.
@justmeandopensource I have a question. If it's multi-master, do I need to renew all the certs, or do I transfer the certs to the other masters?
Very helpful! Thank you
Thanks for watching Chinglong. Cheers.
Thank you 🙏
Thanks for watching.
As always, great tutorial!!!
Thanks for watching. Cheers
Thanks a lot Venkat! Your videos are useful as always. About a year ago I faced a problem with renewing certs. Our team is using kubernetes 1.15 and it was difficult to find the correct command for renewing; by the way, if someone faces such a problem you should use "kubeadm alpha phase certs ..." and "kubeadm alpha phase kubeconfig all...", all other steps should be similar to this video. Venkat, it would be awesome if you recorded a video on how to renew certs in rancher, because when the "TLS handshake error" happens we delete rancher and install it again.
Anyway, thanks a lot, you are the best!!!
The same happened to me; you need to re-create all those certificates and it was hard to replicate in production... there is a video with a demonstration on youtube (in one of the kubecons) that explains how to do it (and the example is in KinD).
Thanks for jumping in. I will see if I can test this.
thank you
You are welcome and Thanks for watching.
Thanks a lot for your videos. I would love to see a video about smallstep auto-renewal of certificates integrated with traefik.
Hey, thanks a ton for such a great video! One quick question I had: I was trying to invalidate a previously shared kubeconfig file by generating or renewing a new certificate for a KOPS-managed K8S cluster in AWS. I learnt that there is no way to do this without rotating (redeploying) the master nodes of the cluster with kops. Is there any other way to regenerate the 'client-certificate-data' and 'client-key-data' present in the existing kubeconfig with a new keypair? And will that be enough to secure the cluster without regenerating 'certificate-authority-data'? In any case I don't want to redeploy the control plane of the cluster as I'm using this in production and I just want to invalidate the kubeconfig which is shared with different users.
Hello, your video was very helpful.
-- Just want to understand: will there be any downtime while renewing these certificates? Will any cronjob be affected during this renewal process?
-- Is there any possibility where we can generate a new self-signed certificate with 5 years expiry for the same?
Hi, nice video. Thank you. I wanted to know how we can renew the certificate for 10 years. Is there any straightforward way to do that?
Video is very helpful and informative. Can you also create a video on Kubelet client certificate and server certificate auto-rotation, especially on worker nodes?
Hi - Thanks for making this video.
What do we need to do on the worker node? I was able to renew the certs on the control plane node but I am confused about the worker node.
Can you please help with how to use cert-manager to renew k8s certificates automatically instead of using a manual process? Can you make a video on that? It would help a lot.
You're mixing terms.... Certmanager issues external certs (your private ones and letsencrypt); all the certs inside the cluster, which connect all services and nodes, are self-signed and issued by kubeadm. If you update your nodes once a year, kubeadm does it for you (since version 1.17), or you can use alpha certs (and I can't remember the whole command) to do it.
Hi Gonzalo, thanks for explaining stuff.
How to renew certificates when there are two or more master nodes in HA? Please make the tutorial.
I will see. Cheers.
@justmeandopensource thanks sir
@dharmaputra7394 You are welcome.
It's not different, like Venkat says, because the kubeadm config yaml points to the HA balancer (the api k8s config).
How can we do this operation on a production system? Do these operations you did in the tutorial cause the node to go into NotReady status?
Hi Venkat, I think TLS bootstrapping of kubelet also needs to be done. The kubelet certs also expire. Also kube-proxy. Do you think those need to be added to this video?
Hi, certs for kubelet are not managed by kubeadm tool. They will be under /var/lib/kubelet/pki I guess.
Will it cause any data loss if we restart the container? Can you tell me how to take a backup inside the vm for any container?
Hi,
This video is really helpful in renewing certificates manually.
A request: would it be possible for you to make a video on Kubernetes audit policy? I mean how we can implement a minimal audit policy in order to fetch metadata-level logs only.
Hello, can we not reload the kubelet for the changes to the static pods to take effect?
Hi, thanks for watching. Just restarting kubelet won't restart the pods most of the time. Have you tried doing that?
@justmeandopensource thank you for your content, it's really great; the reload does not work but a restart of kubelet does.
Suppose we have deployed some applications in a single-master k8s, and all the information is saved in etcd; what will happen if I restart etcd by deleting the pod?
Hi Amit, thanks for watching.
In my case, the etcd running on that single master node had hostpath /var/lib/etcd bound to it. So restarting the container wouldn't cause any data loss.
Take a look at the output of the below command:
kubectl -n kube-system get pod etcd-kmaster -o yaml
Check the volume section.
Hi Venkat, we are using kops 1.18 and need to rotate the cluster certs. Is there any way to do it?
Hello,
Can you make videos on argocd image updater as a use case: whenever a new image is pushed to docker hub using Jenkins, argocd image updater sees this new image and creates a pod with the latest image tag pushed to docker hub and deletes the old pods?
Do I need to delete and re-apply all of my deployed application containers outside the kube-system namespace? What about other service namespace containers like MetalLB?
Hello,
We have k8s version 1.20.1 and have renewed all the cluster certificates as the cluster was not accessible due to certs expiration. But after performing the kubeadm certs renew all command, the cluster is now accessible but pods are going into Pending state and give logs in events 'x509: certificate has expired or is not yet valid'.
How to bring the cluster back to a working state? Please help.
Hey man, I tested the command `kubectl delete pods -n kube-system "some-pod"` and it worked. Is it maybe an issue with previous versions (using 1.21)?
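The two checks this thread keeps coming back to, the certificate expiry check that has to include the kubelet's own certs under /var/lib/kubelet/pki (which kubeadm does not renew) and the control-plane restart needed when pods still fail with 'x509: certificate has expired' after kubeadm certs renew all, as an added example that is not from the video or from any commenter. It assumes the standard kubeadm file layout named in the comments, an openssl binary on the node, and a kubeadm control-plane node; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the video or this thread. Assumes a kubeadm-built
# control-plane node (PKI under /etc/kubernetes/pki, kubeconfigs in
# /etc/kubernetes/*.conf, kubelet certs in /var/lib/kubelet/pki, static-pod
# manifests in /etc/kubernetes/manifests) and an openssl binary.
set -eu

# Decode the client certificate embedded in a kubeconfig to PEM on stdout.
kubeconfig_cert() {
    grep -m1 'client-certificate-data:' "$1" | awk '{print $2}' | base64 -d
}

# Exit 0 if the PEM certificate on stdin is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -noout -checkend "$1" >/dev/null
}

# Print one line per file; return non-zero if any cert expires within DAYS.
# *.conf files are read as kubeconfigs, everything else as PEM. Include the
# kubelet's own certs: 'kubeadm certs renew' only manages /etc/kubernetes.
check_expiry() {
    days=$1; shift; bad=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        case "$f" in
            *.conf) pem=$(kubeconfig_cert "$f") ;;
            *)      pem=$(cat "$f") ;;
        esac
        if printf '%s\n' "$pem" | cert_valid_for $((days * 86400)); then
            echo "OK       $f"
        else
            echo "EXPIRING $f $(printf '%s\n' "$pem" | openssl x509 -noout -enddate)"
            bad=1
        fi
    done
    return $bad
}

# 'kubeadm certs renew all' only rewrites files: kube-apiserver, the
# controller-manager, the scheduler and etcd keep the old certs in memory,
# hence "x509: certificate has expired" after renewal. Static pods belong to
# the kubelet, so moving the manifests out and back makes it recreate them,
# with no working API server or valid kubectl credentials required.
restart_static_pods() {   # restart_static_pods [MANIFEST_DIR] [PAUSE_SECONDS]
    dir=${1:-/etc/kubernetes/manifests}; hold=$(mktemp -d)
    mv "$dir"/*.yaml "$hold"/
    sleep "${2:-20}"        # let the kubelet stop the old containers first
    mv "$hold"/*.yaml "$dir"/ && rmdir "$hold"
}
```

On the node, run check_expiry 30 /etc/kubernetes/pki/*.crt /etc/kubernetes/pki/etcd/*.crt /etc/kubernetes/*.conf /var/lib/kubelet/pki/kubelet.crt before renewing, then restart_static_pods after kubeadm certs renew all (kubeadm alpha certs renew all before 1.20), and run the check again on the regenerated kubeconfigs.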
How to renew with kubespray?
Hi Ahmed, when you upgrade your cluster with kubespray upgrade.yml, the certificates will automatically be renewed. I haven't tried renewing certificates when they are already expired. People have found some hacks to do that but I don't think there was any mention of this in official documentation.
Hi, I am getting this issue while renewing certificates:
# kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf
unknown flag: --client-name
To see the stack trace of this error execute with --v=5 or higher
Please help.