Synopsis
This command is not meant to be run on its own. See list of available subcommands.
kubeadm alpha certs renew [flags]
Options
| -h, --help |
| help for renew |
Options inherited from parent commands
| --rootfs string |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. |
Synopsis
Renew all known certificates necessary to run the control plane. Renewals are run unconditionally, regardless of expiration date. Renewals can also be run individually for more control.
kubeadm alpha certs renew all [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" |
| The path where to save the certificates |
| --config string |
| Path to a kubeadm configuration file. |
| --csr-dir string |
| The path to output the CSRs and private keys to |
| --csr-only |
| Create CSRs instead of generating certificates |
| -h, --help |
| help for all |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. |
Options inherited from parent commands
| --rootfs string |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. |
Synopsis
Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm alpha certs renew admin.conf [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" |
| The path where to save the certificates |
| --config string |
| Path to a kubeadm configuration file. |
| --csr-dir string |
| The path to output the CSRs and private keys to |
| --csr-only |
| Create CSRs instead of generating certificates |
| -h, --help |
| help for admin.conf |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. |
Options inherited from parent commands
| --rootfs string |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. |
Synopsis
Renew the certificate the apiserver uses to access etcd.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm alpha certs renew apiserver-etcd-client [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" |
| The path where to save the certificates |
| --config string |
| Path to a kubeadm configuration file. |
| --csr-dir string |
| The path to output the CSRs and private keys to |
| --csr-only |
| Create CSRs instead of generating certificates |
| -h, --help |
| help for apiserver-etcd-client |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. |
Options inherited from parent commands
| --rootfs string |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. |
Synopsis
Renew the certificate for the API server to connect to kubelet.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm alpha certs renew apiserver-kubelet-client [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" |
| The path where to save the certificates |
| --config string |
| Path to a kubeadm configuration file. |
| --csr-dir string |
| The path to output the CSRs and private keys to |
| --csr-only |
| Create CSRs instead of generating certificates |
| -h, --help |
| help for apiserver-kubelet-client |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. |
Options inherited from parent commands
| --rootfs string |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. |
Synopsis
Renew the certificate for serving the Kubernetes API.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm alpha certs renew apiserver [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" |
| The path where to save the certificates |
| --config string |
| Path to a kubeadm configuration file. |
| --csr-dir string |
| The path to output the CSRs and private keys to |
| --csr-only |
| Create CSRs instead of generating certificates |
| -h, --help |
| help for apiserver |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. |
Options inherited from parent commands
| --rootfs string |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. |
Synopsis
Renew the certificate embedded in the kubeconfig file for the controller manager to use.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm alpha certs renew controller-manager.conf [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" |
| The path where to save the certificates |
| --config string |
| Path to a kubeadm configuration file. |
| --csr-dir string |
| The path to output the CSRs and private keys to |
| --csr-only |
| Create CSRs instead of generating certificates |
| -h, --help |
| help for controller-manager.conf |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. |
Options inherited from parent commands
| --rootfs string |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. |
Synopsis
Renew the certificate for liveness probes to healthcheck etcd.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm alpha certs renew etcd-healthcheck-client [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" |
| The path where to save the certificates |
| --config string |
| Path to a kubeadm configuration file. |
| --csr-dir string |
| The path to output the CSRs and private keys to |
| --csr-only |
| Create CSRs instead of generating certificates |
| -h, --help |
| help for etcd-healthcheck-client |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. |
Options inherited from parent commands
| --rootfs string |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. |
Synopsis
Renew the certificate for etcd nodes to communicate with each other.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm alpha certs renew etcd-peer [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" |
| The path where to save the certificates |
| --config string |
| Path to a kubeadm configuration file. |
| --csr-dir string |
| The path to output the CSRs and private keys to |
| --csr-only |
| Create CSRs instead of generating certificates |
| -h, --help |
| help for etcd-peer |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. |
Options inherited from parent commands
| --rootfs string |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. |
Synopsis
Renew the certificate for serving etcd.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm alpha certs renew etcd-server [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" |
| The path where to save the certificates |
| --config string |
| Path to a kubeadm configuration file. |
| --csr-dir string |
| The path to output the CSRs and private keys to |
| --csr-only |
| Create CSRs instead of generating certificates |
| -h, --help |
| help for etcd-server |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. |
Options inherited from parent commands
| --rootfs string |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. |
Synopsis
Renew the certificate for the front proxy client.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm alpha certs renew front-proxy-client [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" |
| The path where to save the certificates |
| --config string |
| Path to a kubeadm configuration file. |
| --csr-dir string |
| The path to output the CSRs and private keys to |
| --csr-only |
| Create CSRs instead of generating certificates |
| -h, --help |
| help for front-proxy-client |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. |
Options inherited from parent commands
| --rootfs string |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. |
Synopsis
Renew the certificate embedded in the kubeconfig file for the scheduler manager to use.
Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will be based on the existing file/certificates, there is no need to resupply them.
Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative it is possible to use K8s certificate API for certificate renewal, or as a last option, to generate a CSR request.
After renewal, in order to make changes effective, is required to restart control-plane components and eventually re-distribute the renewed certificate in case the file is used elsewhere.
kubeadm alpha certs renew scheduler.conf [flags]
Options
| --cert-dir string Default: "/etc/kubernetes/pki" |
| The path where to save the certificates |
| --config string |
| Path to a kubeadm configuration file. |
| --csr-dir string |
| The path to output the CSRs and private keys to |
| --csr-only |
| Create CSRs instead of generating certificates |
| -h, --help |
| help for scheduler.conf |
| --kubeconfig string Default: "/etc/kubernetes/admin.conf" |
| The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. |
Options inherited from parent commands
| --rootfs string |
| [EXPERIMENTAL] The path to the 'real' host root filesystem. |
This command can be used to generate a new control-plane certificate key.
The key can be passed as --certificate-key to kubeadm init and kubeadm join
to enable the automatic copy of certificates when joining additional control-plane nodes.
This command checks expiration for the certificates in the local PKI managed by kubeadm.
For more details about certificate expiration and renewal see the certificate management documentation.
Use the following commands to either download the kubelet configuration from the cluster or
to enable the DynamicKubeletConfiguration feature.
Thanks for the feedback. If you have a specific, answerable question about how to use Kubernetes, ask it on
Stack Overflow.
Open an issue in the GitHub repo if you want to
report a problem
or
suggest an improvement.