This is the multi-page printable view of this section. Click here to print.
Commands related to handling Kubernetes certificates
Commands related to handling Kubernetes certificates
kubeadm certs [flags]
| -h, --help | |
help for certs | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Generate certificate keys
This command will print out a secure randomly-generated certificate key that can be used with the "init" command.
You can also use "kubeadm init --upload-certs" without specifying a certificate key and it will generate and print one for you.
kubeadm certs certificate-key [flags]
| -h, --help | |
help for certificate-key | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Check certificates expiration for a Kubernetes cluster
Checks expiration for the certificates in the local PKI managed by kubeadm.
kubeadm certs check-expiration [flags]
| --allow-missing-template-keys Default: true | |
If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
| --cert-dir string Default: "/etc/kubernetes/pki" | |
The path where to save the certificates | |
| --config string | |
Path to a kubeadm configuration file. | |
| -h, --help | |
help for check-expiration | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. | |
| -o, --output string Default: "text" | |
Output format. One of: text|json|yaml|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
| --show-managed-fields | |
If true, keep the managedFields when printing objects in JSON or YAML format. | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Generate keys and certificate signing requests
Generates keys and certificate signing requests (CSRs) for all the certificates required to run the control plane. This command also generates partial kubeconfig files with private key data in the "users > user > client-key-data" field, and for each kubeconfig file an accompanying ".csr" file is created.
This command is designed for use in Kubeadm External CA Mode. It generates CSRs which you can then submit to your external certificate authority for signing.
The PEM encoded signed certificates should then be saved alongside the key files, using ".crt" as the file extension, or in the case of kubeconfig files, the PEM encoded signed certificate should be base64 encoded and added to the kubeconfig file in the "users > user > client-certificate-data" field.
kubeadm certs generate-csr [flags]
# The following command will generate keys and CSRs for all control-plane certificates and kubeconfig files:
kubeadm certs generate-csr --kubeconfig-dir /tmp/etc-k8s --cert-dir /tmp/etc-k8s/pki
| --cert-dir string | |
The path where to save the certificates | |
| --config string | |
Path to a kubeadm configuration file. | |
| -h, --help | |
help for generate-csr | |
| --kubeconfig-dir string Default: "/etc/kubernetes" | |
The path where to save the kubeconfig file. | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Renew certificates for a Kubernetes cluster
Renew certificates for a Kubernetes cluster
kubeadm certs renew [flags]
| -h, --help | |
help for renew | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm certs renew admin.conf [flags]
| --cert-dir string Default: "/etc/kubernetes/pki" | |
The path where to save the certificates | |
| --config string | |
Path to a kubeadm configuration file. | |
| -h, --help | |
help for admin.conf | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Renew all available certificates
Renew all known certificates necessary to run the control plane. Renewals are run unconditionally, regardless of expiration date. Renewals can also be run individually for more control.
kubeadm certs renew all [flags]
| --cert-dir string Default: "/etc/kubernetes/pki" | |
The path where to save the certificates | |
| --config string | |
Path to a kubeadm configuration file. | |
| -h, --help | |
help for all | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Renew the certificate the apiserver uses to access etcd
Renew the certificate the apiserver uses to access etcd.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm certs renew apiserver-etcd-client [flags]
| --cert-dir string Default: "/etc/kubernetes/pki" | |
The path where to save the certificates | |
| --config string | |
Path to a kubeadm configuration file. | |
| -h, --help | |
help for apiserver-etcd-client | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Renew the certificate for the API server to connect to kubelet
Renew the certificate for the API server to connect to kubelet.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm certs renew apiserver-kubelet-client [flags]
| --cert-dir string Default: "/etc/kubernetes/pki" | |
The path where to save the certificates | |
| --config string | |
Path to a kubeadm configuration file. | |
| -h, --help | |
help for apiserver-kubelet-client | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Renew the certificate for serving the Kubernetes API
Renew the certificate for serving the Kubernetes API.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm certs renew apiserver [flags]
| --cert-dir string Default: "/etc/kubernetes/pki" | |
The path where to save the certificates | |
| --config string | |
Path to a kubeadm configuration file. | |
| -h, --help | |
help for apiserver | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Renew the certificate embedded in the kubeconfig file for the controller manager to use
Renew the certificate embedded in the kubeconfig file for the controller manager to use.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm certs renew controller-manager.conf [flags]
| --cert-dir string Default: "/etc/kubernetes/pki" | |
The path where to save the certificates | |
| --config string | |
Path to a kubeadm configuration file. | |
| -h, --help | |
help for controller-manager.conf | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Renew the certificate for liveness probes to healthcheck etcd
Renew the certificate for liveness probes to healthcheck etcd.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm certs renew etcd-healthcheck-client [flags]
| --cert-dir string Default: "/etc/kubernetes/pki" | |
The path where to save the certificates | |
| --config string | |
Path to a kubeadm configuration file. | |
| -h, --help | |
help for etcd-healthcheck-client | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Renew the certificate for etcd nodes to communicate with each other
Renew the certificate for etcd nodes to communicate with each other.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm certs renew etcd-peer [flags]
| --cert-dir string Default: "/etc/kubernetes/pki" | |
The path where to save the certificates | |
| --config string | |
Path to a kubeadm configuration file. | |
| -h, --help | |
help for etcd-peer | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Renew the certificate for serving etcd
Renew the certificate for serving etcd.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm certs renew etcd-server [flags]
| --cert-dir string Default: "/etc/kubernetes/pki" | |
The path where to save the certificates | |
| --config string | |
Path to a kubeadm configuration file. | |
| -h, --help | |
help for etcd-server | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Renew the certificate for the front proxy client
Renew the certificate for the front proxy client.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm certs renew front-proxy-client [flags]
| --cert-dir string Default: "/etc/kubernetes/pki" | |
The path where to save the certificates | |
| --config string | |
Path to a kubeadm configuration file. | |
| -h, --help | |
help for front-proxy-client | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
Renew the certificate embedded in the kubeconfig file for the scheduler manager to use.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm certs renew scheduler.conf [flags]
| --cert-dir string Default: "/etc/kubernetes/pki" | |
The path where to save the certificates | |
| --config string | |
Path to a kubeadm configuration file. | |
| -h, --help | |
help for scheduler.conf | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |
Renew the certificate embedded in the kubeconfig file for the super-admin
Renew the certificate embedded in the kubeconfig file for the super-admin.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm certs renew super-admin.conf [flags]
| --cert-dir string Default: "/etc/kubernetes/pki" | |
The path where to save the certificates | |
| --config string | |
Path to a kubeadm configuration file. | |
| -h, --help | |
help for super-admin.conf | |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" | |
The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. | |
| --rootfs string | |
The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. | |