This repository has been archived by the owner on Jun 6, 2024. It is now read-only.

K8s API server's cert need renew each year #5334

Open
1 of 2 tasks
yiyione opened this issue Mar 2, 2021 · 2 comments

Comments

@yiyione
Contributor

yiyione commented Mar 2, 2021

The k8s API server's cert expires every year, which makes the OpenPAI cluster unavailable.
Certificate Management with kubeadm:
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#automatic-certificate-renewal


How to fix

  1. renew the k8s cert
  2. upgrade the kube-config on all worker nodes

Todo

  • Document this requirement in the repo
  • Add a warning for cert expiration
@Binyang2014
Contributor

refer: kubernetes/kubeadm#581 (comment)

@yiyione
Contributor Author

yiyione commented Apr 8, 2021

Test case:

  1. set up the alert-manager to enable the email-admin action (change the admin-receiver to a test address)
  2. change the schedule and alert-residual-days in alert-manager.cert-expiration-checker from services-configuration.yaml to trigger the alert:
    cert-expiration-checker:
      schedule: '* * * * *' # every minute
      alert-residual-days: 365 # always trigger
      cert-path: '/etc/kubernetes/ssl' # the k8s cert path in master node
  3. use kubectl get pods to check whether the cert-expiration-checker cronjob is triggered
  4. check the alert email or the logs from alert handler.
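
A minimal version of the kind of check the test case above exercises, as an added example that is not part of the original comments and is not OpenPAI's cert-expiration-checker: it scans a certificate directory and reports every certificate that expires within a given number of days, mirroring the `cert-path` and `alert-residual-days` settings. The function name, the `.crt`/`.pem` extensions and the output format are assumptions.

```shell
# Added example (assumed names and output format), POSIX sh + openssl.
#
# expiring_certs DIR DAYS
#   Prints one "EXPIRING <file> notAfter=<date>" line for each certificate in
#   DIR that expires within DAYS days (or has already expired).
#   Exit status: 1 if at least one such certificate was found, 0 otherwise.
#
# The body runs in a subshell "( ... )" so its variables stay local.
expiring_certs() (
    dir=$1
    days=$2
    window=$(( days * 86400 ))   # openssl -checkend takes seconds
    found=0

    for f in "$dir"/*.crt "$dir"/*.pem; do
        # An unmatched glob stays a literal string; skip it.
        [ -f "$f" ] || continue

        # Skip private keys and anything else that is not an X.509 cert.
        openssl x509 -noout -in "$f" >/dev/null 2>&1 || continue

        # -checkend exits non-zero when notAfter is within $window seconds.
        if ! openssl x509 -noout -checkend "$window" -in "$f" >/dev/null 2>&1; then
            end=$(openssl x509 -noout -enddate -in "$f" | cut -d= -f2)
            printf 'EXPIRING %s notAfter=%s\n' "$f" "$end"
            found=1
        fi
    done

    exit "$found"
)

# Typical call on a master node, using the cert path from the comment above
# and an assumed 30-day threshold:
#   expiring_certs /etc/kubernetes/ssl 30
```

With the threshold set to 365, as in the test case, a certificate issued for one year is always reported, which is why that value forces the alert.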
