Merge pull request #38353 from SergeyKanzhelev/RotateKubeletClientCertificateIsGA

fix documentation for RotateKubeletClientCertificate
pull/38514/head
Kubernetes Prow Robot 2022-12-16 07:18:17 -08:00 committed by GitHub
commit f9e113fb86
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 10 deletions


@ -404,23 +404,25 @@ However, you _can_ enable its server certificate, at least partially, via certif
### Certificate Rotation
Kubernetes v1.8 and higher kubelet implements __beta__ features for enabling
rotation of its client and/or serving certificates. These can be enabled through
the respective `RotateKubeletClientCertificate` and
`RotateKubeletServerCertificate` feature flags on the kubelet and are enabled by
default.
Kubernetes v1.8 and higher kubelet implements features for enabling
rotation of its client and/or serving certificates. Note, rotation of serving
certificate is a __beta__ feature and requires the `RotateKubeletServerCertificate`
feature flag on the kubelet (enabled by default).
`RotateKubeletClientCertificate` causes the kubelet to rotate its client
certificates by creating new CSRs as its existing credentials expire. To enable
this feature pass the following flag to the kubelet:
You can configure the kubelet to rotate its client certificates by creating new CSRs
as its existing credentials expire. To enable this feature, use the `rotateCertificates`
field of [kubelet configuration file](/docs/tasks/administer-cluster/kubelet-config-file/)
or pass the following command line argument to the kubelet (deprecated):
```
--rotate-certificates
```
`RotateKubeletServerCertificate` causes the kubelet **both** to request a serving
Enabling `RotateKubeletServerCertificate` causes the kubelet **both** to request a serving
certificate after bootstrapping its client credentials **and** to rotate that
certificate. To enable this feature pass the following flag to the kubelet:
certificate. To enable this behavior, use the field `serverTLSBootstrap` of
the [kubelet configuration file](/docs/tasks/administer-cluster/kubelet-config-file/)
or pass the following command line argument to the kubelet (deprecated):
```
--rotate-server-certificates
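Review bot: The paragraph beginning "Enabling `RotateKubeletServerCertificate` causes the kubelet **both** to request a serving" leaves the relationship between the feature gate and the `serverTLSBootstrap` field unclear. The first new paragraph says the gate is "(enabled by default)", yet this paragraph goes on to say "To enable this behavior, use the field `serverTLSBootstrap`", so a reader cannot tell whether the gate alone starts serving-certificate requests or whether the field (or the deprecated flag) must also be set. If the intent is that the gate only makes the feature available and the field switches it on, say so in one sentence. Two smaller points: the first new paragraph labels serving-certificate rotation as beta but never states the status of client-certificate rotation, which the commit title describes as GA; and the phrasing differs between "the `rotateCertificates` field of [kubelet configuration file]" (missing "the" before the link) and "the field `serverTLSBootstrap` of the [kubelet configuration file]", so pick one form for both.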