This is a cache of https://docs.okd.io/4.12/security/certificate_types_descriptions/node-certificates.html. It is a snapshot of the page at 2024-11-21T18:18:44.698+0000.
Node <strong>certificate</strong>s - <strong>certificate</strong> types and descriptions | Security and compliance | OKD 4.12
×

Purpose

Node certificates are signed by the cluster and allow the kubelet to communicate with the Kubernetes API server. They come from the kubelet CA certificate, which is generated by the bootstrap process.

Location

The kubelet CA certificate is located in the kube-apiserver-to-kubelet-signer secret in the openshift-kube-apiserver-operator namespace.

Management

These certificates are managed by the system and not the user.

Expiration

Node certificates are automatically rotated after 292 days and expire after 365 days.

Renewal

The Kubernetes API Server Operator automatically generates a new kube-apiserver-to-kubelet-signer CA certificate at 292 days. The old CA certificate is removed after 365 days. Nodes are not rebooted when a kubelet CA certificate is renewed or removed.

Cluster administrators can manually renew the kubelet CA certificate by running the following command:

$ oc annotate -n openshift-kube-apiserver-operator secret kube-apiserver-to-kubelet-signer auth.openshift.io/certificate-not-after-

Additional resources