kubeadm certs

kubeadm certs provides utilities for managing certificates. For more details on how these commands can be used, see Certificate Management with kubeadm.

kubeadm certs

A collection of operations for operating Kubernetes certificates.

Commands related to handling kubernetes certificates

Synopsis

Commands related to handling kubernetes certificates

  1. kubeadm certs [flags]

Options

-h, —help

help for certs

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

kubeadm certs renew

You can renew all Kubernetes certificates using the all subcommand or renew them selectively. For more details see Manual certificate renewal.

Renew certificates for a Kubernetes cluster

Synopsis

This command is not meant to be run on its own. See list of available subcommands.

  1. kubeadm certs renew [flags]

Options

-h, —help

help for renew

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

Renew all available certificates

Synopsis

Renew all known certificates necessary to run the control plane. Renewals are run unconditionally, regardless of expiration date. Renewals can also be run individually for more control.

  1. kubeadm certs renew all [flags]

Options

—cert-dir string     Default: “/etc/kubernetes/pki”

The path where to save the certificates

—config string

Path to a kubeadm configuration file.

-h, —help

help for all

—kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself

Synopsis

Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself.

Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

  1. kubeadm certs renew admin.conf [flags]

Options

—cert-dir string     Default: “/etc/kubernetes/pki”

The path where to save the certificates

—config string

Path to a kubeadm configuration file.

-h, —help

help for admin.conf

—kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

Renew the certificate the apiserver uses to access etcd

Synopsis

Renew the certificate the apiserver uses to access etcd.

Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

  1. kubeadm certs renew apiserver-etcd-client [flags]

Options

—cert-dir string     Default: “/etc/kubernetes/pki”

The path where to save the certificates

—config string

Path to a kubeadm configuration file.

-h, —help

help for apiserver-etcd-client

—kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

Renew the certificate for the API server to connect to kubelet

Synopsis

Renew the certificate for the API server to connect to kubelet.

Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

  1. kubeadm certs renew apiserver-kubelet-client [flags]

Options

—cert-dir string     Default: “/etc/kubernetes/pki”

The path where to save the certificates

—config string

Path to a kubeadm configuration file.

-h, —help

help for apiserver-kubelet-client

—kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

Renew the certificate for serving the Kubernetes API

Synopsis

Renew the certificate for serving the Kubernetes API.

Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

  1. kubeadm certs renew apiserver [flags]

Options

—cert-dir string     Default: “/etc/kubernetes/pki”

The path where to save the certificates

—config string

Path to a kubeadm configuration file.

-h, —help

help for apiserver

—kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

Renew the certificate embedded in the kubeconfig file for the controller manager to use

Synopsis

Renew the certificate embedded in the kubeconfig file for the controller manager to use.

Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

  1. kubeadm certs renew controller-manager.conf [flags]

Options

—cert-dir string     Default: “/etc/kubernetes/pki”

The path where to save the certificates

—config string

Path to a kubeadm configuration file.

-h, —help

help for controller-manager.conf

—kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

Renew the certificate for liveness probes to healthcheck etcd

Synopsis

Renew the certificate for liveness probes to healthcheck etcd.

Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

  1. kubeadm certs renew etcd-healthcheck-client [flags]

Options

—cert-dir string     Default: “/etc/kubernetes/pki”

The path where to save the certificates

—config string

Path to a kubeadm configuration file.

-h, —help

help for etcd-healthcheck-client

—kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

Renew the certificate for etcd nodes to communicate with each other

Synopsis

Renew the certificate for etcd nodes to communicate with each other.

Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

  1. kubeadm certs renew etcd-peer [flags]

Options

—cert-dir string     Default: “/etc/kubernetes/pki”

The path where to save the certificates

—config string

Path to a kubeadm configuration file.

-h, —help

help for etcd-peer

—kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

Renew the certificate for serving etcd

Synopsis

Renew the certificate for serving etcd.

Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

  1. kubeadm certs renew etcd-server [flags]

Options

—cert-dir string     Default: “/etc/kubernetes/pki”

The path where to save the certificates

—config string

Path to a kubeadm configuration file.

-h, —help

help for etcd-server

—kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

Renew the certificate for the front proxy client

Synopsis

Renew the certificate for the front proxy client.

Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

  1. kubeadm certs renew front-proxy-client [flags]

Options

—cert-dir string     Default: “/etc/kubernetes/pki”

The path where to save the certificates

—config string

Path to a kubeadm configuration file.

-h, —help

help for front-proxy-client

—kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

Renew the certificate embedded in the kubeconfig file for the scheduler manager to use

Synopsis

Renew the certificate embedded in the kubeconfig file for the scheduler manager to use.

Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

  1. kubeadm certs renew scheduler.conf [flags]

Options

—cert-dir string     Default: “/etc/kubernetes/pki”

The path where to save the certificates

—config string

Path to a kubeadm configuration file.

-h, —help

help for scheduler.conf

—kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

Renew the certificate embedded in the kubeconfig file for the super-admin

Synopsis

Renew the certificate embedded in the kubeconfig file for the super-admin.

Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.

Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.

After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.

  1. kubeadm certs renew super-admin.conf [flags]

Options

—cert-dir string     Default: “/etc/kubernetes/pki”

The path where to save the certificates

—config string

Path to a kubeadm configuration file.

-h, —help

help for super-admin.conf

—kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

kubeadm certs certificate-key

This command can be used to generate a new control-plane certificate key. The key can be passed as --certificate-key to kubeadm init and kubeadm join to enable the automatic copy of certificates when joining additional control-plane nodes.

Generate certificate keys

Synopsis

This command will print out a secure randomly-generated certificate key that can be used with the “init” command.

You can also use “kubeadm init —upload-certs” without specifying a certificate key and it will generate and print one for you.

  1. kubeadm certs certificate-key [flags]

Options

-h, —help

help for certificate-key

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

kubeadm certs check-expiration

This command checks expiration for the certificates in the local PKI managed by kubeadm. For more details see Check certificate expiration.

Check certificates expiration for a Kubernetes cluster

Synopsis

Checks expiration for the certificates in the local PKI managed by kubeadm.

  1. kubeadm certs check-expiration [flags]

Options

—cert-dir string     Default: “/etc/kubernetes/pki”

The path where to save the certificates

—config string

Path to a kubeadm configuration file.

-h, —help

help for check-expiration

—kubeconfig string     Default: “/etc/kubernetes/admin.conf”

The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

kubeadm certs generate-csr

This command can be used to generate keys and CSRs for all control-plane certificates and kubeconfig files. The user can then sign the CSRs with a CA of their choice. To read more information on how to use the command see Signing certificate signing requests (CSR) generated by kubeadm.

Generate keys and certificate signing requests

Synopsis

Generates keys and certificate signing requests (CSRs) for all the certificates required to run the control plane. This command also generates partial kubeconfig files with private key data in the “users > user > client-key-data” field, and for each kubeconfig file an accompanying “.csr” file is created.

This command is designed for use in Kubeadm External CA Mode. It generates CSRs which you can then submit to your external certificate authority for signing.

The PEM encoded signed certificates should then be saved alongside the key files, using “.crt” as the file extension, or in the case of kubeconfig files, the PEM encoded signed certificate should be base64 encoded and added to the kubeconfig file in the “users > user > client-certificate-data” field.

  1. kubeadm certs generate-csr [flags]

Examples

  1. # The following command will generate keys and CSRs for all control-plane certificates and kubeconfig files:
  2. kubeadm certs generate-csr --kubeconfig-dir /tmp/etc-k8s --cert-dir /tmp/etc-k8s/pki

Options

—cert-dir string

The path where to save the certificates

—config string

Path to a kubeadm configuration file.

-h, —help

help for generate-csr

—kubeconfig-dir string     Default: “/etc/kubernetes”

The path where to save the kubeconfig file.

Options inherited from parent commands

—rootfs string

[EXPERIMENTAL] The path to the ‘real’ host root filesystem.

What’s next

  • kubeadm init to bootstrap a Kubernetes control-plane node
  • kubeadm join to connect a node to the cluster
  • kubeadm reset to revert any changes made to this host by kubeadm init or kubeadm join