Monitoring internal Kubernetes certificates

Solution 1:

Based on the resources listed below, I'd say the best solution would be to update kops and its cluster to a recent version. It contains the new version of etcd-manager, and its version >= 3.0.20200428 manages the certificate lifecycle and will automatically request new certificates before expiration.

  1. Upgrade to kOps 1.15.3, 1.16.2, 1.17.0-beta.2, or 1.18.0-alpha.3. This is the recommended approach. Follow the normal steps when upgrading kOps and confirm the etcd-manager image will be updated based on the output of kops update cluster.

     kops rolling-update cluster --instance-group-roles=Master --cloudonly

  2. Another solution is to override the etcd-manager image in the ClusterSpec. The image will be set in two places, one for each etcdCluster (main and events).

     # Set `spec.etcdClusters[*].manager.image` to `kopeio/etcd-manager:3.0.20200428`
     kops update cluster # confirm the image is being updated
     kops update cluster --yes
     kops rolling-update cluster --instance-group-roles=Master --force --cloudonly

Resources:

  • kops Documentation: etcd-manager Certificate Expiration
  • kops Issue: etcd-manager certificate rotation #8959
  • kops Pull Request: Update to etcd-manager 3.0.20200429 #9016
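
Added example (not part of the answer above and not kops project code): a POSIX shell check that scans the cluster spec as printed by `kops get cluster --name NAME -o yaml` (a real kops command) and flags every etcdCluster whose manager.image is older than 3.0.20200428, the first etcd-manager release the answer says renews its own certificates. The YAML layout it matches, the constructed sample spec, and the helper names (version_ge, etcd_manager_images, etcd_manager_status, check_cluster_spec) are assumptions of this example, not anything kops ships.

```shell
#!/bin/sh
# Added example, not from the original answer or from kops.
# Flags etcd-manager images in a kops ClusterSpec that predate automatic
# certificate renewal (3.0.20200428 per the answer above).
# Assumption: the indentation kops uses when printing the spec (2-space list
# items under spec.etcdClusters, manager.image at 6 spaces). This is a
# line-oriented awk scan, not a YAML parser.

MIN_VERSION="3.0.20200428"

# Constructed sample of `kops get cluster -o yaml` output, trimmed to the parts
# that matter: `main` pins an old image, `events` already pins the fixed one.
SAMPLE_SPEC='apiVersion: kops.k8s.io/v1alpha2
kind: Cluster
metadata:
  name: example.k8s.local
spec:
  etcdClusters:
  - etcdMembers:
    - instanceGroup: master-a
      name: a
    manager:
      image: kopeio/etcd-manager:3.0.20200116
    name: main
  - etcdMembers:
    - instanceGroup: master-a
      name: a
    manager:
      image: kopeio/etcd-manager:3.0.20200428
    name: events
  kubernetesVersion: 1.16.9'

version_ge() {
  # True when dotted numeric version $1 is >= $2 (e.g. 3.0.20200428 vs 3.0.20200116).
  # Non-numeric suffixes on a component are dropped by awk's numeric coercion.
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

etcd_manager_images() {
  # Prints "<cluster name> <manager image or DEFAULT>" for each spec.etcdClusters entry.
  # DEFAULT means no manager.image override is set, so the image comes from the
  # kops binary: confirm it from the `kops update cluster` diff instead.
  printf '%s\n' "$1" | awk '
    function flush() { if (have) { print name, image; have = 0 } }
    /^  etcdClusters:/        { in_ec = 1; next }
    in_ec && /^  [^ -]/       { flush(); in_ec = 0; next }
    in_ec && /^  - /          { flush(); have = 1; name = "?"; image = "DEFAULT"
                                sub(/^  - /, "    ") }   # first key of the item sits on this line
    in_ec && /^    name: /    { name = $2 }
    in_ec && /^      image: / { image = $2 }
    END                       { flush() }
  '
}

etcd_manager_status() {
  # Classifies one image reference as OK, UPGRADE, DEFAULT or UNKNOWN (printed on stdout).
  case "$1" in
    DEFAULT) echo DEFAULT; return 0 ;;
    kopeio/etcd-manager:*) ;;
    *) echo UNKNOWN; return 0 ;;   # e.g. a mirrored image: compare its tag by hand
  esac
  if version_ge "${1#*:}" "$MIN_VERSION"; then echo OK; else echo UPGRADE; fi
}

check_cluster_spec() {
  # Prints one line per etcd cluster; returns the number of clusters that are not OK.
  failures=0
  while read -r name image; do
    status=$(etcd_manager_status "$image")
    printf '%-8s %-40s %s\n' "$name" "$image" "$status"
    [ "$status" = "OK" ] || failures=$((failures + 1))
  done <<EOF
$(etcd_manager_images "$1")
EOF
  return "$failures"
}

# Demo on the constructed spec. Against a real cluster:
#   check_cluster_spec "$(kops get cluster --name "$NAME" -o yaml)"
check_cluster_spec "$SAMPLE_SPEC" || echo "etcd clusters needing attention: $?"
```

A DEFAULT result is not a pass: it only means the spec does not pin an image, so the running etcd-manager version is whatever the installed kops release defaults to, which is exactly the case the answer tells you to confirm from the `kops update cluster` output before the rolling update.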