Missing a Kubernetes certificate renewal is one of the most disruptive incidents you can face with a self-managed cluster. Once the API server's serving certificate expires, every client that verifies it, kubectl included, gets x509 errors, and the control plane freezes: nothing can be deployed, scaled or rescheduled until the certificates are renewed. Pods that are already running keep running, which is why the outage can go unnoticed for a while.
Use the Certificate Expiry Calculator to see how many days you have left.
What Expires After 1 Year
kubeadm issues every leaf certificate with a one-year validity by default (kubeadm certs check-expiration lists the full set). The ones that matter most:
| Certificate | Path | Consequence if expired |
|---|---|---|
| API server serving cert | /etc/kubernetes/pki/apiserver.crt | kubectl, kubelets, controller-manager and scheduler all get x509 errors talking to the API server; the cluster freezes in its current state |
| API server to kubelet client | /etc/kubernetes/pki/apiserver-kubelet-client.crt | kubectl logs, exec and port-forward fail (the API server can no longer authenticate to kubelets) |
| API server to etcd client | /etc/kubernetes/pki/apiserver-etcd-client.crt | API server cannot reach etcd and stops serving |
| etcd server | /etc/kubernetes/pki/etcd/server.crt | etcd stops accepting clients; API server goes down |
| etcd peer | /etc/kubernetes/pki/etcd/peer.crt | Members cannot replicate; a multi-member etcd loses quorum |
| Front proxy client | /etc/kubernetes/pki/front-proxy-client.crt | Aggregated API servers (metrics-server and similar) fail |
| Client certs embedded in kubeconfigs | /etc/kubernetes/admin.conf, controller-manager.conf, scheduler.conf | kubectl with admin.conf is refused; controller-manager and scheduler cannot authenticate, so nothing reconciles or schedules |
The three CA certificates (ca, etcd-ca, front-proxy-ca) last 10 years, so you don't need to renew them on the one-year cycle. The kubelet's own client certificate (kubelet.conf) is not in the table either: kubeadm enables kubelet certificate rotation by default, so it renews itself as long as the API server is reachable.
Checking Expiry
```bash
# Check all certificate expiry dates (reads the local files under /etc/kubernetes)
kubeadm certs check-expiration
# Example output (abridged):
# CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
# admin.conf                 May 28, 2027 14:30 UTC   364d                                    no
# apiserver                  May 28, 2027 14:30 UTC   364d            ca                      no
# apiserver-etcd-client      May 28, 2027 14:30 UTC   364d            etcd-ca                 no
# ...
#
# CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
# ca                      May 26, 2036 14:30 UTC   9y              no
# ...
```
Run it on every control plane node: each node holds its own copy of the leaf certificates, and they are renewed per node. A RESIDUAL TIME of <invalid> means the certificate has already expired. Check quarterly so you're never caught off guard.
The Easiest Renewal: Upgrade
kubeadm renews all leaf certificates during a cluster upgrade, whatever their remaining lifetime, unless you pass --certificate-renewal=false. This is why staying current with Kubernetes minor versions is good cert hygiene: one upgrade a year is a built-in renewal.
```bash
# On the first control plane node: upgrades and renews the certs in one go
kubeadm upgrade apply v1.32.0
# On every other control plane node
kubeadm upgrade node
```
If you're already on the latest supported version and need to renew without upgrading, continue below.
Manual Renewal
```bash
# On each control plane node: renew all certificates at once.
# This works on the files under /etc/kubernetes and does not need a working API server.
kubeadm certs renew all
# Output:
# certificate embedded in kubeconfig file for the admin to use and for kubeadm itself: renewed
# certificate for serving the Kubernetes API: renewed
# ...
```
renew all also rewrites the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf, so copy the new admin.conf over the kubeconfig you use with kubectl afterwards. It does not touch kubelet.conf; the kubelet rotates its own client certificate.
After renewal, the control plane static pods need to be restarted to pick up the new certs, since kube-apiserver, kube-controller-manager, kube-scheduler and etcd read their certificates and kubeconfigs at startup:
```bash
# Restart the control plane by moving the static pod manifests out of the way
cd /etc/kubernetes/manifests
mkdir -p /tmp/k8s-backup
mv *.yaml /tmp/k8s-backup/
# Wait until the kubelet has actually torn the pods down; a fixed sleep may be too short
for p in kube-apiserver kube-controller-manager kube-scheduler etcd; do
  while [ -n "$(crictl pods --name "$p" --state ready -q)" ]; do sleep 2; done
done
mv /tmp/k8s-backup/*.yaml .
```
Or use crictl to stop the pod sandboxes; the kubelet recreates static pods on its own:
```bash
for p in kube-apiserver kube-controller-manager kube-scheduler etcd; do
  crictl pods --name "$p" -q | xargs -r crictl stopp
done
```
Renewal When Certificates Are Already Expired
If the certs have already expired, kubectl returns x509 errors, and copying admin.conf does not help yet: its embedded client certificate expired on the same day as the others. Renewal works on local files and needs no API access, so do it in this order on each control plane node:
1. Renew certificates:
```bash
kubeadm certs renew all
```
2. Restart the control plane components as shown above.
3. Install the freshly renewed admin kubeconfig:
```bash
cp /etc/kubernetes/admin.conf ~/.kube/config
```
4. Verify:
```bash
kubectl get nodes
```
and confirm with kubeadm certs check-expiration that nothing still shows <invalid>. If nodes stay NotReady after the control plane is back, the kubelets may have missed their own certificate rotation while the API server was unavailable; the kubeadm troubleshooting documentation covers regenerating kubelet.conf with kubeadm kubeconfig user for that case.
Setting Up Alerts
Don't rely on manual checking. The API server exports a histogram of the remaining lifetime of the client certificates presented to it, which kube-prometheus turns into the KubeClientCertificateExpiration alert; the same rule as a standalone PrometheusRule:
```yaml
# PrometheusRule for cert expiry
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: kubernetes-cert-expiry
  namespace: monitoring
spec:
  groups:
  - name: certificates
    rules:
    - alert: KubernetesCertificateExpirySoon
      expr: apiserver_client_certificate_expiration_seconds_count > 0 and histogram_quantile(0.01, sum by (job, le) (rate(apiserver_client_certificate_expiration_seconds_bucket[5m]))) < 7 * 24 * 3600
      for: 0m
      labels:
        severity: warning
      annotations:
        summary: "Kubernetes client certificate expiring soon"
```
This only sees client certificates presented to the API server (the kubeconfig and kubelet client certs). It says nothing about the API server's own serving certificate or the etcd certificates, and a seven-day warning is tight for a cluster with a change-management process; 30 days is a more realistic threshold.
Alternatively, or in addition, add a cron job on each control plane node that emails or Slack-alerts 30 days before expiry, based on the output of kubeadm certs check-expiration. That covers every certificate kubeadm manages, CAs included.
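A cron-friendly checker along those lines, as an added example that is not code from the original page or from kubeadm: it parses the kubeadm certs check-expiration output shown under Checking Expiry, flags anything expiring within 30 days (CAs included, since both tables share the same row layout, and already-expired entries reported with negative days), cross-checks the certificate the API server is actually serving on :6443 so a renewal that was not followed by a successful restart is caught, and posts to Slack when SLACK_WEBHOOK_URL is set. The sample output embedded in the script is constructed, and the webhook variable, the 30-day threshold and the :6443 listen address are assumptions.

```python
#!/usr/bin/env python3
"""Cron job: alert on kubeadm certificates expiring within THRESHOLD_DAYS.

Added example, not code from the original page or from kubeadm. It parses both
tables printed by `kubeadm certs check-expiration` (leaf certs and CAs); the
SLACK_WEBHOOK_URL variable is an assumed deployment detail."""
import json
import os
import re
import socket
import ssl
import subprocess
import sys
import urllib.request
from datetime import datetime, timezone

THRESHOLD_DAYS = 30
# A data row of either table: a name, then an expiry like "May 28, 2027 14:30 UTC";
# headers and kubeadm's "[check-expiration] ..." chatter carry no such timestamp.
ROW_RE = re.compile(r"^(\S+)\s+([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2} UTC)\b")
EXPIRES_FMT = "%b %d, %Y %H:%M UTC"

# Constructed sample of the command's output (not captured from a real cluster).
SAMPLE_OUTPUT = """\
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 28, 2027 14:30 UTC   364d                                    no
apiserver                  May 28, 2027 14:30 UTC   364d            ca                      no
apiserver-etcd-client      May 28, 2027 14:30 UTC   364d            etcd-ca                 no
front-proxy-client         Jun 10, 2026 09:00 UTC   11d             front-proxy-ca          no
etcd-server                May 20, 2026 08:00 UTC   <invalid>       etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 26, 2036 14:30 UTC   9y              no
"""
SAMPLE_NOW = datetime(2026, 5, 29, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample


def parse_check_expiration(output):
    """Map certificate name -> expiry (aware UTC datetime)."""
    expiry = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            when = datetime.strptime(m.group(2), EXPIRES_FMT)
            expiry[m.group(1)] = when.replace(tzinfo=timezone.utc)
    return expiry


def expiring_within(expiry, days, now):
    """[(name, days_left)] for certs expiring within `days`, soonest first;
    days_left is negative for certs that have already expired."""
    hits = [(name, (when - now).days) for name, when in expiry.items()
            if (when - now).days <= days]
    return sorted(hits, key=lambda h: h[1])


def format_alert(hits, threshold=THRESHOLD_DAYS):
    lines = ["kubeadm certificates expiring within %d days:" % threshold]
    for name, left in hits:
        state = "EXPIRED %dd ago" % -left if left < 0 else "%dd left" % left
        lines.append("  %-24s %s" % (name, state))
    return "\n".join(lines)


def served_cert_expiry(host="127.0.0.1", port=6443, cafile="/etc/kubernetes/pki/ca.crt"):
    """Expiry of the cert the API server actually serves, so a renewal without a
    successful restart is caught. "kubernetes" is a SAN kubeadm puts on apiserver.crt."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname="kubernetes") as tls:
            not_after = tls.getpeercert()["notAfter"]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def main():
    out = subprocess.run(["kubeadm", "certs", "check-expiration"],
                         check=True, capture_output=True, text=True).stdout
    expiry = parse_check_expiration(out)
    try:
        expiry["apiserver (as served on :6443)"] = served_cert_expiry()
    except OSError as e:  # the handshake itself fails once the serving cert has expired
        print("could not check served certificate: %s" % e, file=sys.stderr)
    hits = expiring_within(expiry, THRESHOLD_DAYS, datetime.now(timezone.utc))
    if not hits:
        return 0
    msg = format_alert(hits)
    print(msg)
    hook = os.environ.get("SLACK_WEBHOOK_URL")
    if hook:  # Slack incoming webhooks take a JSON body with a "text" field
        req = urllib.request.Request(hook, data=json.dumps({"text": msg}).encode(),
                                     headers={"Content-Type": "application/json"})
        urllib.request.urlopen(req, timeout=10).read()
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Install it in root's crontab on every control plane node (the PKI files and the served certificate are per node), for example once a day. It exits 1 whenever something is flagged, so a wrapper or a systemd timer can fail loudly even if the Slack post is lost.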
Upgrade Path Planning
Use the Kubernetes Upgrade Path Planner to plan your upgrade timeline. kubeadm upgrades one minor version at a time, so staying within 1-2 minor versions of the latest release keeps you inside the supported version skew, and because every upgrade renews the leaf certificates, upgrading at least once a year means kubeadm handles cert renewal for you without a separate manual step.