
How to Safely Renew Kubernetes Certificates with kubeadm (Step‑by‑Step Guide)

Learn how to check, renew, and validate Kubernetes control‑plane certificates using kubeadm, covering prerequisite checks, renewal commands, kubeconfig updates, static‑pod restarts, handling multi‑master and external‑CA clusters, and best‑practice tips to minimize downtime and ensure cluster health.

Ray's Galactic Tech

Overview

kubeadm creates a PKI for the control‑plane components (API server, controller‑manager, scheduler, etcd) with a default validity of one year. Running the renewal operation regenerates these certificates, replaces the old files, and restarts the static Pods so the new certificates are loaded.

Impact

Control‑plane Pods restart briefly; the cluster may be unavailable for 30 seconds to a minute.

Schedule the operation during a low‑traffic window.

Version Compatibility

The commands described work with kubeadm v1.15 and newer. For older releases (e.g., v1.13) the deprecated kubeadm alpha certs renew can be used, but upgrading kubeadm is strongly recommended.

High‑Availability (HA) Clusters

When the cluster has multiple master nodes, perform the renewal on one master at a time. Complete the full sequence (renew, update kubeconfig, restart, verify) on the first master before moving to the next.

Clusters Managed by an External CA

If the cluster configuration contains externallyManaged: true, kubeadm certs renew cannot be used. Follow the external CA workflow to issue and replace the certificates.

1️⃣ Check Certificate Expiration

List the current certificates and their remaining validity:

kubeadm certs check-expiration

Typical output shows each certificate, its expiration date, remaining time, issuing CA, and whether it is externally managed. Schedule renewal when the remaining time is less than 90 days.

2️⃣ Renew Certificates – Recommended Method (kubeadm v1.15+)

Renew all certificates

sudo kubeadm certs renew all
Successful renewal is indicated by messages such as certificate for "X" renewed.

Regenerate kubeconfig files

sudo kubeadm init phase kubeconfig all
This recreates admin.conf, controller-manager.conf, scheduler.conf and other client configuration files.

Restart the control‑plane Pods

You can trigger a restart in two ways:

Method A – Manipulate static manifests

sudo mv /etc/kubernetes/manifests /etc/kubernetes/manifests.bak
sleep 10
sudo mv /etc/kubernetes/manifests.bak /etc/kubernetes/manifests

Moving the manifest directory forces the kubelet to delete and recreate the static Pods.

Method B – Restart the kubelet service

sudo systemctl restart kubelet
The kubelet automatically restarts the static Pods after the service restarts.

Verify the renewal

kubeadm certs check-expiration
kubectl get nodes
kubectl get pods --all-namespaces
Confirm that the certificates show a new expiration date, all nodes are in the Ready state, and system Pods are running without errors.

Method 2 – Legacy (kubeadm v1.13)

For very old clusters you can run:

sudo kubeadm alpha certs renew all
This command is deprecated; upgrade kubeadm and use the recommended method whenever possible.

3️⃣ Optional: Update kubelet.conf on Worker Nodes

On the master, view the newly generated kubelet.conf:

Copy the file to each worker and restart the kubelet:

4️⃣ Handling Expired Certificates

Back up /etc/kubernetes (including pki directory).

Restore the CA certificate and key files (/etc/kubernetes/pki/ca.crt, ca.key, and the etcd CA) from the backup.

If the CA private key is missing, new certificates cannot be generated.

Force renewal when necessary:

sudo kubeadm certs renew all --force

After forcing, repeat steps 2‑4 (update kubeconfig, restart the control plane, verify).

5️⃣ Summary of Operations

Check expiration: kubeadm certs check-expiration

Renew certificates: sudo kubeadm certs renew all

Update kubeconfig: sudo kubeadm init phase kubeconfig all

Restart control‑plane: move/restore manifests or sudo systemctl restart kubelet

Verify: re‑run kubeadm certs check-expiration and kubectl get nodes to ensure health.
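The sequence summarized above (sections 2 and 4), as an added example script that is not part of the original post: it backs up /etc/kubernetes first, checks that each CA key pair kubeadm signs with (ca, etcd/ca, front-proxy-ca) is present and that the key matches its certificate (the precondition that fails when ca.key has been lost), renews, regenerates the kubeconfigs, restarts the static Pods with Method A, and verifies. Instead of a fixed 10‑second sleep it waits on the container runtime until the kube-apiserver container is actually gone and then back. Assumptions: a kubeadm cluster with the default paths, crictl and openssl on the node, run as root on one master at a time; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post): single-master certificate renewal
# with backup, CA-key preflight, manifest-move restart and verification.
# Assumes default kubeadm paths, crictl and openssl on the node, run as root.
# DRY_RUN=1 prints each command instead of executing it.
set -eu

KUBE_DIR=${KUBE_DIR:-/etc/kubernetes}
PKI=$KUBE_DIR/pki
MANIFESTS=$KUBE_DIR/manifests
BACKUP_DIR=${BACKUP_DIR:-/root/kubernetes-backup-$(date +%Y%m%d%H%M%S)}
DRY_RUN=${DRY_RUN:-0}

# run CMD...: execute the command, or print it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# wait_for SECONDS CMD...: poll CMD every 2 s until it succeeds; fail on timeout
wait_for() {
  limit=$1; shift
  waited=0
  until "$@" >/dev/null 2>&1; do
    [ "$waited" -lt "$limit" ] || return 1
    sleep 2
    waited=$((waited + 2))
  done
}

# ca_pair_ok CRT KEY: both files readable and the key belongs to the certificate
ca_pair_ok() {
  [ -r "$1" ] && [ -r "$2" ] || return 1
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# preflight: kubeadm signs the new leaf certificates with these three CAs,
# so renewal is pointless (and impossible) if any of their keys is missing
preflight() {
  for ca in ca etcd/ca front-proxy-ca; do
    if ! ca_pair_ok "$PKI/$ca.crt" "$PKI/$ca.key"; then
      echo "preflight: missing or mismatched CA key pair for $PKI/$ca" >&2
      return 1
    fi
  done
}

# Judge the API server from the container runtime: the API itself is down
# while the kubelet deletes and recreates the static Pods
apiserver_up()   { crictl ps --name kube-apiserver -q | grep -q .; }
apiserver_down() { ! apiserver_up; }

renew_control_plane_certs() {
  [ "$DRY_RUN" = 1 ] || preflight
  run mkdir -p "$BACKUP_DIR"
  run cp -a "$KUBE_DIR" "$BACKUP_DIR/"          # includes pki/ with the CA keys

  run kubeadm certs renew all
  run kubeadm init phase kubeconfig all

  # Method A from the text: moving the manifests makes the kubelet remove the
  # static Pods; wait for that to happen rather than assuming 10 s is enough
  run mv "$MANIFESTS" "$MANIFESTS.bak"
  [ "$DRY_RUN" = 1 ] || wait_for 120 apiserver_down
  run mv "$MANIFESTS.bak" "$MANIFESTS"
  [ "$DRY_RUN" = 1 ] || wait_for 180 apiserver_up

  # admin.conf was just regenerated; verify with it, not with a stale copy
  export KUBECONFIG=$KUBE_DIR/admin.conf
  [ "$DRY_RUN" = 1 ] || wait_for 120 kubectl get nodes
  run kubeadm certs check-expiration
  run kubectl get nodes
  run kubectl get pods -n kube-system
}

# Only act when invoked explicitly, so the file can also be sourced for its functions
if [ "${1:-}" = "--run" ]; then
  renew_control_plane_certs
fi
```

Run it as `DRY_RUN=1 sh renew-certs.sh --run` first to see the exact command sequence, then without DRY_RUN on the master being renewed. On an HA cluster, wait for `kubectl get nodes` to show every node Ready before starting the next master, as the text requires.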

6️⃣ Best Practices & Tips

Integrate kubeadm certs check-expiration into monitoring (e.g., Prometheus) to receive early alerts.
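As an added example of that integration, not code from the original post, the following parses `kubeadm certs check-expiration` output into per-certificate days remaining, lists everything under a threshold (the 90 days from step 1), and emits Prometheus textfile-collector gauges so an alert rule can fire early. It assumes the RESIDUAL TIME column uses the short duration tokens seen in kubeadm output (364d, 9y, 23h, and <invalid> once expired) and the table layout mirrored in the constructed sample; SAMPLE_OUTPUT is made up for the demonstration and is not real cluster data.

```shell
#!/bin/sh
# Added example (not from the original post): make check-expiration output
# alertable. Parses the RESIDUAL TIME column (kubeadm short durations) rather
# than the expiry date, which is spread over several whitespace-separated fields.

# residual_to_days TOKEN: 364d -> 364, 9y -> 3285, 23h/59m/30s -> 0, <invalid> -> -1
residual_to_days() {
  case "$1" in
    '<invalid>') printf '%s\n' -1 ;;            # already expired
    *y) printf '%s\n' $(( ${1%y} * 365 )) ;;
    *d) printf '%s\n' "${1%d}" ;;
    *h|*m|*s) printf '%s\n' 0 ;;                # less than a day left
    *) printf '%s\n' -1 ;;                      # unknown token: treat as urgent
  esac
}

# cert_days: stdin = check-expiration output; stdout = "name residual days" per row.
# Every data row of both tables has "UTC" in column 6, so that selects the rows
# and skips headers, blank lines and kubeadm's informational messages.
cert_days() {
  awk '$6 == "UTC" { print $1, $7 }' | while read -r name residual; do
    echo "$name $residual $(residual_to_days "$residual")"
  done
}

# certs_below_threshold DAYS: only the certificates with fewer than DAYS left
certs_below_threshold() {
  cert_days | awk -v t="$1" '$3 < t'
}

# cert_metrics: Prometheus textfile-collector lines, one gauge per certificate;
# alert on kubeadm_cert_days_remaining < 90 to match the text's schedule
cert_metrics() {
  echo '# TYPE kubeadm_cert_days_remaining gauge'
  cert_days | awk '{ printf "kubeadm_cert_days_remaining{name=\"%s\"} %d\n", $1, $3 }'
}

# Constructed sample in the kubeadm table layout (not from a real cluster)
SAMPLE_OUTPUT='CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 30, 2024 23:36 UTC   364d            ca                      no
apiserver                  Feb 14, 2024 08:00 UTC   45d             ca                      no
apiserver-etcd-client      Dec 20, 2023 08:00 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Jan 01, 2024 07:00 UTC   23h             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 28, 2033 23:36 UTC   9y              no
etcd-ca                 Dec 28, 2033 23:36 UTC   9y              no
front-proxy-ca          Dec 28, 2033 23:36 UTC   9y              no'

# Live use on a control-plane node, e.g. from cron into node_exporter's textfile dir:
#   sudo kubeadm certs check-expiration | cert_metrics > /var/lib/node_exporter/textfile/kubeadm_certs.prom
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_OUTPUT" | certs_below_threshold 90
fi
```

With the sample, `--demo` lists apiserver (45 days), apiserver-etcd-client (expired) and front-proxy-client (under a day); the CA rows are included in the metrics too, since an expiring CA needs a different procedure than `kubeadm certs renew`.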

The kubeadm upgrade command can automatically rotate certificates during a version upgrade.

In multi‑master clusters, update masters sequentially to avoid simultaneous downtime.

For clusters using an external CA, follow the external CA issuance process; do not use kubeadm certs renew.

Illustration

Kubernetes Certificate Renewal Diagram
Written by

Ray's Galactic Tech