Try Kubernetes

Get Started

Ready to get your hands dirty? Build a simple Kubernetes cluster that runs "Hello World" for Node.js.

Documentation

Learn how to use Kubernetes with the use of walkthroughs, samples, and reference documentation. You can even help contribute to the docs!

Community

If you need help, you can connect with other Kubernetes users and the Kubernetes authors, attend community events, and watch video presentations from around the web.

Blog

Read the latest news for Kubernetes and the containers space in general, and get technical how-tos hot off the presses.

Interested in hacking on the core Kubernetes code base?

View On Github

Explore the community

Tasks

Install Tools

Install and Set Up kubectl

Install Minikube

Administer a Cluster

Administration with kubeadm

Upgrading kubeadm HA clusters from 1.9.x to 1.9.y

Upgrading kubeadm clusters from 1.7 to 1.8

Upgrading kubeadm clusters from v1.10 to v1.11

Upgrading/downgrading kubeadm clusters between v1.8 to v1.9

Manage Memory, CPU, and API Resources

Configure Default Memory Requests and Limits for a Namespace

Configure Default CPU Requests and Limits for a Namespace

Configure Minimum and Maximum Memory Constraints for a Namespace

Configure Minimum and Maximum CPU Constraints for a Namespace

Configure Memory and CPU Quotas for a Namespace

Configure a Pod Quota for a Namespace

Install a Network Policy Provider

Use Calico for NetworkPolicy

Use Cilium for NetworkPolicy

Use Kube-router for NetworkPolicy

Romana for NetworkPolicy

Weave Net for NetworkPolicy

Access Clusters Using the Kubernetes API

Access Services Running on Clusters

Advertise Extended Resources for a Node

Autoscale the DNS Service in a Cluster

Change the Reclaim Policy of a PersistentVolume

Change the default StorageClass

Cluster Management

Configure Multiple Schedulers

Configure Out Of Resource Handling

Configure Quotas for API Objects

Control CPU Management Policies on the Node

Customizing DNS Service

Debugging DNS Resolution

Declare Network Policy

Developing Cloud Controller Manager

Encrypting Secret Data at Rest

Guaranteed Scheduling For Critical Add-On Pods

IP Masquerade Agent User Guide

Kubernetes Cloud Controller Manager

Limit Storage Consumption

Namespaces Walkthrough

Operating etcd clusters for Kubernetes

Reconfigure a Node's Kubelet in a Live Cluster

Reserve Compute Resources for System Daemons

Safely Drain a Node while Respecting Application SLOs

Securing a Cluster

Set Kubelet parameters via a config file

Set up High-Availability Kubernetes Masters

Share a Cluster with Namespaces

Static Pods

Storage Object in Use Protection

Using CoreDNS for Service Discovery

Using a KMS provider for data encryption

Using sysctls in a Kubernetes Cluster

Configure Pods and Containers

Assign Memory Resources to Containers and Pods

Assign CPU Resources to Containers and Pods

Configure Quality of Service for Pods

Assign Extended Resources to a Container

Configure a Pod to Use a Volume for Storage

Configure a Pod to Use a PersistentVolume for Storage

Configure a Pod to Use a Projected Volume for Storage

Configure a Security Context for a Pod or Container

Configure Service Accounts for Pods

Pull an Image from a Private Registry

Configure Liveness and Readiness Probes

Assign Pods to Nodes

Configure Pod Initialization

Attach Handlers to Container Lifecycle Events

Configure a Pod to Use a ConfigMap

Share Process Namespace between Containers in a Pod

Translate a Docker Compose File to Kubernetes Resources

Inject Data Into Applications

Define a Command and Arguments for a Container

Define Environment Variables for a Container

Expose Pod Information to Containers Through Environment Variables

Expose Pod Information to Containers Through Files

Distribute Credentials Securely Using Secrets

Inject Information into Pods Using a PodPreset

Run Applications

Run a Stateless Application Using a Deployment

Run a Single-Instance Stateful Application

Run a Replicated Stateful Application

Update API Objects in Place Using kubectl patch

Scale a StatefulSet

Delete a StatefulSet

Force Delete StatefulSet Pods

Perform Rolling Update Using a Replication Controller

Horizontal Pod Autoscaler

Horizontal Pod Autoscaler Walkthrough

Specifying a Disruption Budget for your Application

Run Jobs

Running Automated Tasks with a CronJob

Parallel Processing using Expansions

Coarse Parallel Processing Using a Work Queue

Fine Parallel Processing Using a Work Queue

Access Applications in a Cluster

Web UI (Dashboard)

Accessing Clusters

Configure Access to Multiple Clusters

Use Port Forwarding to Access Applications in a Cluster

Provide Load-Balanced Access to an Application in a Cluster

Use a Service to Access an Application in a Cluster

Connect a Front End to a Back End Using a Service

Create an External Load Balancer

Configure Your Cloud Provider's Firewalls

List All Container Images Running in a Cluster

Communicate Between Containers in the Same Pod Using a Shared Volume

Configure DNS for a Cluster

Monitor, Log, and Debug

Application Introspection and Debugging

Auditing

Core metrics pipeline

Debug Init Containers

Debug Pods and ReplicationControllers

Debug Services

Debug a StatefulSet

Debugging Kubernetes nodes with crictl

Determine the Reason for Pod Failure

Developing and debugging services locally

Events in Stackdriver

Get a Shell to a Running Container

Logging Using Elasticsearch and Kibana

Logging Using Stackdriver

Monitor Node Health

Tools for Monitoring Resources

Troubleshoot Applications

Troubleshoot Clusters

Troubleshooting

Extend Kubernetes

Use Custom Resources

Extend the Kubernetes API with CustomResourceDefinitions

Versions of CustomResourceDefinitions

Migrate a ThirdPartyResource to CustomResourceDefinition

Configure the Aggregation Layer

Setup an Extension API Server

Use an HTTP Proxy to Access the Kubernetes API

TLS

Certificate Rotation

Manage TLS Certificates in a Cluster

Federation - Run an App on Multiple Clusters

Cross-cluster Service Discovery using Federated Services

Set up Cluster Federation with Kubefed

Set up CoreDNS as DNS provider for Cluster Federation

Set up placement policies in Federation

Manage Cluster Daemons

Perform a Rollback on a DaemonSet

Perform a Rolling Update on a DaemonSet

Install Service Catalog

Install Service Catalog using Helm

Install Service Catalog using SC

Federation - Run an App on Multiple Clusters

Federated Horizontal Pod Autoscalers (HPA)

Federated Ingress

Federated Jobs

Federated Namespaces

Federated ReplicaSets

Federated Secrets

Extend kubectl with plugins

Manage HugePages

Schedule GPUs

Edit This Page

Certificate Rotation

This page shows how to enable and configure certificate rotation for the kubelet.

Before you begin
Overview
Enabling client certificate rotation
Understanding the certificate rotation configuration

Before you begin

Kubernetes version 1.8.0 or later is required
Kubelet certificate rotation is beta in 1.8.0 which means it may change without notice.

Overview

The kubelet uses certificates for authenticating to the Kubernetes API. By default, these certificates are issued with one year expiration so that they do not need to be renewed too frequently.

Kubernetes 1.8 contains kubelet certificate rotation, a beta feature that will automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration. Once the new certificate is available, it will be used for authenticating connections to the Kubernetes API.

Enabling client certificate rotation

The kubelet process accepts an argument --rotate-certificates that controls if the kubelet will automatically request a new certificate as the expiration of the certificate currently in use approaches. Since certificate rotation is a beta feature, the feature flag must also be enabled with --feature-gates=RotateKubeletClientCertificate=true.

The kube-controller-manager process accepts an argument --experimental-cluster-signing-duration that controls how long certificates will be issued for.

Understanding the certificate rotation configuration

When a kubelet starts up, if it is configured to bootstrap (using the --bootstrap-kubeconfig flag), it will use its initial certificate to connect to the Kubernetes API and issue a certificate signing request. You can view the status of certificate signing requests using:

kubectl get csr

Initially a certificate signing request from the kubelet on a node will have a status of Pending. If the certificate signing requests meets specific criteria, it will be auto approved by the controller manager, then it will have a status of Approved. Next, the controller manager will sign a certificate, issued for the duration specified by the --experimental-cluster-signing-duration parameter, and the signed certificate will be attached to the certificate signing requests.

The kubelet will retrieve the signed certificate from the Kubernetes API and write that to disk, in the location specified by --cert-dir. Then the kubelet will use the new certificate to connect to the Kubernetes API.

As the expiration of the signed certificate approaches, the kubelet will automatically issue a new certificate signing request, using the Kubernetes API. Again, the controller manager will automatically approve the certificate request and attach a signed certificate to the certificate signing request. The kubelet will retrieve the new signed certificate from the Kubernetes API and write that to disk. Then it will update the connections it has to the Kubernetes API to reconnect using the new certificate.