Jayesh Mahajan 2025-06-14 14:26:03 -07:00 committed by GitHub
commit e01e12b7d7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 12 additions and 0 deletions

@ -77,6 +77,18 @@ for details on creating your own certificate authority. See
[Certificate Management with kubeadm](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)
for more on managing certificates.
## Rotating Kubernetes control plane TLS certificates
When updating TLS certificates (e.g., expiration or key rotation), the Kubernetes control plane components do not automatically reload updated certs.
For clusters using static pods, follow these steps:
1. Replace the existing certificate files on disk (e.g., `/etc/kubernetes/pki/apiserver.crt`).
2. Temporarily move the manifest file for the component (e.g., `/etc/kubernetes/manifests/kube-apiserver.yaml`) to another directory.
3. Restart the kubelet service:
```bash
systemctl restart kubelet
### Single root CA
You can create a single root CA, controlled by an administrator. This root CA can then create
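
Review bot: The new procedure under "Rotating Kubernetes control plane TLS certificates" ends at step 3 with the component's manifest still moved out of `/etc/kubernetes/manifests/`, so as written the static pod is never recreated. Add a step that moves the manifest back, and one that confirms the component is serving the new certificate. The `bash` code fence opened before `systemctl restart kubelet` is also never closed, so the existing `### Single root CA` heading and the text after it would render inside the code block; close the fence and leave a blank line before the heading. The section would also read better if it said what moving the manifest and restarting the kubelet each accomplish, since the text only states that components "do not automatically reload updated certs" and does not say which of the two actions triggers the reload.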