How it Works
This section describes the sequence of operation for the feature.
- The certificates in CM-managed K8s clusters, control planes, workers, and external ETCD nodes are checked every 12 hours.
- If any certificate is expiring in 60 days on the nodes, then the auto-renew process is triggered.
- If the renewal is successful, then the following checks show all the certificates as valid.
- If the renewal is unsuccessful, then the auto-renew process is re-initiated for the next cycle or iteration of validating the certificates.
- If any certificate is expiring in 30 days on the nodes, then the auto-renew process is triggered along with sending an alert to the user.
  In such cases, manual intervention might be required to renew the certificates that are nearing their expiry date.
The Kubernetes certificate expiry alert is shown below.
Rules:
- Alert: kube_certificate_expiring
  - Annotations:
    - Type: Kubernetes Certificate Expiring Alarm
    - Summary: "Kubernetes certificate {{ $labels.cert_path }} on host: {{ $labels.node_name }} is expiring in {{ $labels.days_to_expiry }} days."
  - Expression: |
      kube_certificate_expiring != 0
  - Labels:
    - Severity: critical
Note: The certificate auto-renewal process must restart the api-server. You might experience a temporary k8s API downtime during the certificate auto-renewal process.
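
To cross-check a node against the 60-day and 30-day windows described above, an operator can classify its certificates with the openssl CLI. This is an added example, not Cluster Manager's own code; the function names, the `*.crt` file pattern and the throwaway sample certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the product's code): classify certificates against the
# 60-day renew window and 30-day alert window. Needs the openssl CLI.
RENEW_DAYS=60   # page: auto-renew is triggered in this window
ALERT_DAYS=30   # page: auto-renew plus a user alert in this window

# Print ok | renew | renew+alert for one PEM certificate; "unreadable" (rc 2)
# if the file does not parse, so a corrupt cert is never reported as healthy.
cert_renewal_state() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo unreadable
        return 2
    fi
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    if ! openssl x509 -in "$1" -noout -checkend $((ALERT_DAYS * 86400)) >/dev/null; then
        echo renew+alert
    elif ! openssl x509 -in "$1" -noout -checkend $((RENEW_DAYS * 86400)) >/dev/null; then
        echo renew
    else
        echo ok
    fi
}

# Report every *.crt under a directory: state, notAfter date, path.
scan_certs() {
    for crt in "$1"/*.crt; do
        [ -f "$crt" ] || continue
        state=$(cert_renewal_state "$crt") || true
        end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%-12s %-26s %s\n' "$state" "${end:-n/a}" "$crt"
    done
}

# Constructed sample input: throwaway self-signed cert valid for $1 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=constructed-sample" -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_sample_cert 90 "$demo_dir/healthy.crt"
make_sample_cert 45 "$demo_dir/renew.crt"
make_sample_cert 10 "$demo_dir/alert.crt"
scan_certs "$demo_dir"
rm -rf "$demo_dir"
```

On a real node, call `scan_certs` with the directory that holds the certificates named in the alert's `cert_path` label.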