---
title: 使用 kubeadm 进行证书管理
content_type: task
weight: 10
---
<!--
reviewers:
- sig-cluster-lifecycle
title: Certificate Management with kubeadm
content_type: task
weight: 10
-->

<!-- overview -->

{{< feature-state for_k8s_version="v1.15" state="stable" >}}

<!-- 
Client certificates generated by [kubeadm](/docs/reference/setup-tools/kubeadm/) expire after 1 year. This page explains how to manage certificate renewals with kubeadm. 
-->
由 [kubeadm](/zh/docs/reference/setup-tools/kubeadm/) 生成的客户端证书在 1 年后到期。
本页说明如何使用 kubeadm 管理证书续订。

## {{% heading "prerequisites" %}}

<!--
You should be familiar with [PKI certificates and requirements in Kubernetes](/docs/setup/best-practices/certificates/).
-->
你应该熟悉 [Kubernetes 中的 PKI 证书和要求](/zh/docs/setup/best-practices/certificates/)。

<!-- steps -->

<!--
## Using custom certificates {#custom-certificates}

By default, kubeadm generates all the certificates needed for a cluster to run.
You can override this behavior by providing your own certificates.
-->

## 使用自定义的证书 {#custom-certificates}

默认情况下, kubeadm 会生成运行一个集群所需的全部证书。
你可以通过提供你自己的证书来改变这个行为策略。

<!--
To do so, you must place them in whatever directory is specified by the
`--cert-dir` flag or the `CertificatesDir`field of kubeadm's `ClusterConfiguration` . By default this
is `/etc/kubernetes/pki`.
-->
如果要这样做, 你必须将证书文件放置在通过 `--cert-dir` 命令行参数或者 kubeadm 配置中的
`CertificatesDir` 配置项指明的目录中。默认的值是 `/etc/kubernetes/pki`。

<!--
If a given certificate and private key pair exists before running `kubeadm init`,
kubeadm does not overwrite them. This means you can, for example, copy an existing
CA into `/etc/kubernetes/pki/ca.crt` and `/etc/kubernetes/pki/ca.key`,
and kubeadm will use this CA for signing the rest of the certificates.
-->
如果在运行 `kubeadm init` 之前存在给定的证书和私钥对，kubeadm 将不会重写它们。
例如，这意味着您可以将现有的 CA 复制到 `/etc/kubernetes/pki/ca.crt` 和
`/etc/kubernetes/pki/ca.key` 中，而 kubeadm 将使用此 CA 对其余证书进行签名。

<!--
## External CA mode {#external-ca-mode}

It is also possible to provide only the `ca.crt` file and not the
`ca.key` file (this is only available for the root CA file, not other cert pairs).
If all other certificates and kubeconfig files are in place, kubeadm recognizes
this condition and activates the "External CA" mode. kubeadm will proceed without the CA key on disk.
-->

## 外部 CA 模式 {#external-ca-mode}

只提供了 `ca.crt` 文件但是不提供 `ca.key` 文件也是可以的
（这只对 CA 根证书可用，其它证书不可用）。
如果所有的其它证书和 kubeconfig 文件已就绪，kubeadm 检测到满足以上条件就会激活
"外部 CA" 模式。kubeadm 将会在没有 CA 密钥文件的情况下继续执行。

<!--
Instead, run the controller-manager standalone with `--controllers=csrsigner` and
point to the CA certificate and key.
-->
否则, kubeadm 将独立运行 controller-manager，附加一个
`--controllers=csrsigner` 的参数，并且指明 CA 证书和密钥。

<!--
[PKI certificates and requirements](/docs/setup/best-practices/certificates/) includes guidance on
setting up a cluster to use an external CA.
-->
[PKI 证书和要求](/zh/docs/setup/best-practices/certificates/)包括集群使用外部 CA 的设置指南。

<!-- 
## Check certificate expiration 

You can use the `check-expiration` subcommand to check when certificates expire:
-->
## 检查证书是否过期

你可以使用 `check-expiration` 子命令来检查证书何时过期

```shell
kubeadm certs check-expiration
```

<!-- 
The output is similar to this: 
-->
输出类似于以下内容：

```
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 30, 2020 23:36 UTC   364d                                    no
apiserver                  Dec 30, 2020 23:36 UTC   364d            ca                      no
apiserver-etcd-client      Dec 30, 2020 23:36 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 30, 2020 23:36 UTC   364d            ca                      no
controller-manager.conf    Dec 30, 2020 23:36 UTC   364d                                    no
etcd-healthcheck-client    Dec 30, 2020 23:36 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 30, 2020 23:36 UTC   364d            etcd-ca                 no
etcd-server                Dec 30, 2020 23:36 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 30, 2020 23:36 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 30, 2020 23:36 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 28, 2029 23:36 UTC   9y              no
etcd-ca                 Dec 28, 2029 23:36 UTC   9y              no
front-proxy-ca          Dec 28, 2029 23:36 UTC   9y              no
```

<!-- 
The command shows expiration/residual time for the client certificates in the `/etc/kubernetes/pki` folder and for the client certificate embedded in the KUBECONFIG files used by kubeadm (`admin.conf`, `controller-manager.conf` and `scheduler.conf`). 
-->
该命令显示 `/etc/kubernetes/pki` 文件夹中的客户端证书以及 
kubeadm（`admin.conf`, `controller-manager.conf` 和 `scheduler.conf`）
使用的 KUBECONFIG 文件中嵌入的客户端证书的到期时间/剩余时间。

<!-- 
Additionally, kubeadm informs the user if the certificate is externally managed; in this case, the user should take care of managing certificate renewal manually/using other tools. 
-->
另外， kubeadm 会通知用户证书是否由外部管理； 
在这种情况下，用户应该小心的手动/使用其他工具来管理证书更新。

<!--
`kubeadm` cannot manage certificates signed by an external CA.
 -->
{{< warning >}}
`kubeadm` 不能管理由外部 CA 签名的证书
{{< /warning >}}

<!-- 
`kubelet.conf` is not included in the list above because kubeadm configures kubelet
for [automatic certificate renewal](/docs/tasks/tls/certificate-rotation/)
with rotatable certificates under `/var/lib/kubelet/pki`.
To repair an expired kubelet client certificate see
[Kubelet client certificate rotation fails](/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/#kubelet-client-cert).
-->
{{< note >}}
上面的列表中没有包含 `kubelet.conf`，因为 kubeadm 将 kubelet 配置为
[自动更新证书](/docs/tasks/tls/certificate-rotation/)。
轮换的证书位于目录 `/var/lib/kubelet/pki`。
要修复过期的 kubelet 客户端证书，请参阅
[kubelet 客户端证书轮换失败](/zh/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/#kubelet-client-cert)。
{{< /note >}}

<!--
On nodes created with `kubeadm init`, prior to kubeadm version 1.17, there is a
[bug](https://github.com/kubernetes/kubeadm/issues/1753) where you manually have to modify the contents of `kubelet.conf`. After `kubeadm init` finishes, you should update `kubelet.conf` to point to the
rotated kubelet client certificates, by replacing `client-certificate-data` and `client-key-data` with:
-->
{{< warning >}}
在通过 `kubeadm init` 创建的节点上，在 kubeadm 1.17 版本之前有一个
[缺陷](https://github.com/kubernetes/kubeadm/issues/1753)，该缺陷
使得你必须手动修改 `kubelet.conf` 文件的内容。
`kubeadm init` 操作结束之后，你必须更新 `kubelet.conf` 文件
将 `client-certificate-data` 和 `client-key-data` 改为如下所示的内容
以便使用轮换后的 kubelet 客户端证书：

```yaml
client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
```
{{< /warning >}}

<!-- 
## Automatic certificate renewal

`kubeadm` renews all the certificates during control plane [upgrade](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-15/). 
-->

## 自动更新证书

`kubeadm` 会在控制面
[升级](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)
的时候更新所有证书。

<!-- 
This feature is designed for addressing the simplest use cases; 
if you don't have specific requirements on certificate renewal and perform Kubernetes version upgrades regularly (less than 1 year in between each upgrade), kubeadm will take care of keeping your cluster up to date and reasonably secure. 
-->
这个功能旨在解决最简单的用例；如果你对此类证书的更新没有特殊要求，
并且定期执行 Kubernetes 版本升级（每次升级之间的间隔时间少于 1 年），
则 kubeadm 将确保你的集群保持最新状态并保持合理的安全性。

<!-- 
It is a best practice to upgrade your cluster frequently in order to stay secure.
-->
{{< note >}}
最佳的做法是经常升级集群以确保安全。
{{< /note >}}

<!-- 
If you have more complex requirements for certificate renewal, you can opt out from the default behavior by passing `--certificate-renewal=false` to `kubeadm upgrade apply` or to `kubeadm upgrade node`. 
-->
如果你对证书更新有更复杂的需求，则可通过将 `--certificate-renewal=false` 传递给
`kubeadm upgrade apply` 或者 `kubeadm upgrade node`，从而选择不采用默认行为。

<!--
Prior to kubeadm version 1.17 there is a [bug](https://github.com/kubernetes/kubeadm/issues/1818)
where the default value for `--certificate-renewal` is `false` for the `kubeadm upgrade node`
command. In that case, you should explicitly set `--certificate-renewal=true`.
-->
{{< warning >}}
kubeadm 在 1.17 版本之前有一个[缺陷](https://github.com/kubernetes/kubeadm/issues/1818)，
该缺陷导致 `kubeadm update node` 执行时 `--certificate-renewal` 的默认值被设置为 `false`。
在这种情况下，你需要显式地设置 `--certificate-renewal=true`。
{{< /warning >}}

<!-- 
## Manual certificate renewal 

You can renew your certificates manually at any time with the `kubeadm certs renew` command. 
-->
## 手动更新证书

你能随时通过 `kubeadm certs renew` 命令手动更新你的证书。

<!-- 
This command performs the renewal using CA (or front-proxy-CA) certificate and key stored in `/etc/kubernetes/pki`.

After running the command you should restart the control plane Pods. This is required since
dynamic certificate reload is currently not supported for all components and certificates.
[Static Pods](/docs/tasks/configure-pod-container/static-pod/) are managed by the local kubelet
and not by the API Server, thus kubectl cannot be used to delete and restart them.
To restart a static Pod you can temporarily remove its manifest file from `/etc/kubernetes/manifests/`
and wait for 20 seconds (see the `fileCheckFrequency` value in [KubeletConfiguration struct](/docs/reference/config-api/kubelet-config.v1beta1/).
The kubelet will terminate the Pod if it's no longer in the manifest directory.
You can then move the file back and after another `fileCheckFrequency` period, the kubelet will recreate
the Pod and the certificate renewal for the component can complete.
-->
此命令用 CA （或者 front-proxy-CA ）证书和存储在 `/etc/kubernetes/pki` 中的密钥执行更新。

执行完此命令之后你需要重启控制面 Pods。因为动态证书重载目前还不被所有组件和证书支持，所有这项操作是必须的。
[静态 Pods](/zh/docs/tasks/configure-pod-container/static-pod/) 是被本地 kubelet 而不是 API Server 管理，
所以 kubectl 不能用来删除或重启他们。
要重启静态 Pod 你可以临时将清单文件从 `/etc/kubernetes/manifests/` 移除并等待 20 秒
（参考 [KubeletConfiguration 结构](/docs/reference/config-api/kubelet-config.v1beta1/) 中的`fileCheckFrequency` 值）。
如果 Pod 不在清单目录里，kubelet将会终止它。
在另一个 `fileCheckFrequency` 周期之后你可以将文件移回去，为了组件可以完成 kubelet 将重新创建 Pod 和证书更新。

<!-- 
If you are running an HA cluster, this command needs to be executed on all the control-plane nodes. 
-->
{{< warning >}}
如果你运行了一个 HA 集群，这个命令需要在所有控制面板节点上执行。
{{< /warning >}}

<!-- 
` certs renew` uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
-->
{{< note >}}
`certs renew` 使用现有的证书作为属性 (Common Name、Organization、SAN 等) 的权威来源，
而不是 kubeadm-config ConfigMap 。强烈建议使它们保持同步。
{{< /note >}}

<!--
`kubeadm certs renew` provides the following options:
-->
`kubeadm certs renew`提供以下选项：

<!--
The Kubernetes certificates normally reach their expiration date after one year.
-->
Kubernetes 证书通常在一年后到期。

<!-- 

- `--csr-only` can be used to renew certificats with an external CA by generating certificate signing requests (without actually renewing certificates in place); see next paragraph for more information. 
- It's also possible to renew a single certificate instead of all.
 -->

- `--csr-only` 可用于经过一个外部 CA 生成的证书签名请求来更新证书（无需实际替换更新证书）；
  更多信息请参见下节。
- 可以更新单个证书而不是全部证书。

<!--
## Renew certificates with the Kubernetes certificates API

This section provide more details about how to execute manual certificate renewal using the Kubernetes certificates API.
-->
## 用 Kubernetes 证书 API 更新证书

本节提供有关如何使用 Kubernetes 证书 API 执行手动证书更新的更多详细信息。

<!-- 
These are advanced topics for users who need to integrate their organization's certificate infrastructure into a kubeadm-built cluster. If the default kubeadm configuration satisfies your needs, you should let kubeadm manage certificates instead. 
-->
{{< caution >}}
这些是针对需要将其组织的证书基础结构集成到 kubeadm 构建的集群中的用户的高级主题。
如果默认的 kubeadm 配置满足了你的需求，则应让 kubeadm 管理证书。
{{< /caution >}}

<!--
### Set up a signer

The Kubernetes Certificate Authority does not work out of the box.
You can configure an external signer such as [cert-manager](https://cert-manager.io/docs/configuration/ca/), or you can use the build-in signer.
The built-in signer is part of [`kube-controller-manager`](/docs/reference/command-line-tools-reference/kube-controller-manager/).
To activate the build-in signer, you must pass the `--cluster-signing-cert-file` and `--cluster-signing-key-file` flags.
-->

### 设置一个签名者（Signer）

Kubernetes 证书颁发机构不是开箱即用。
你可以配置外部签名者，例如
[cert-manager](https://cert-manager.io/docs/configuration/ca/)，
也可以使用内置签名者。
内置签名者是
[`kube-controller-manager`](/zh/docs/reference/command-line-tools-reference/kube-controller-manager/)
的一部分。
要激活内置签名者，请传递 `--cluster-signing-cert-file` 和 `--cluster-signing-key-file` 参数。

<!--
If you're creating a new cluster, you can use a kubeadm [configuration file](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3): 
-->
如果你正在创建一个新的集群，你可以使用 kubeadm 的
[配置文件](/docs/reference/config-api/kubeadm-config.v1beta3/)。

```yaml
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
controllerManager:
  extraArgs:
    cluster-signing-cert-file: /etc/kubernetes/pki/ca.crt
    cluster-signing-key-file: /etc/kubernetes/pki/ca.key
```

<!-- 
### Create certificate signing requests (CSR)
-->
### 创建证书签名请求 (CSR)

<!--
See [Create CertificateSigningRequest](/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatesigningrequest) for creating CSRs with the Kubernetes API.
-->
有关使用 Kubernetes API 创建 CSR 的信息，
请参见[创建 CertificateSigningRequest](/zh/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatesigningrequest)。

<!--
## Renew certificates with external CA

This section provides more details about how to execute manual certificate renewal using an external CA.
-->
## 通过外部 CA 更新证书

本节提供有关如何使用外部 CA 执行手动更新证书的更多详细信息。

<!--
To better integrate with external CAs, kubeadm can also produce certificate signing requests (CSRs).
A CSR represents a request to a CA for a signed certificate for a client.
In kubeadm terms, any certificate that would normally be signed by an on-disk CA can be produced as a CSR instead. A CA, however, cannot be produced as a CSR.
-->
为了更好的与外部 CA 集成，kubeadm 还可以生成证书签名请求（CSR）。
CSR 表示向 CA 请求客户的签名证书。
在 kubeadm 术语中，通常由磁盘 CA 签名的任何证书都可以作为 CSR 生成。但是，CA 不能作为 CSR 生成。

<!-- 
### Create certificate signing requests (CSR) 

You can create certificate signing requests with `kubeadm certs renew --csr-only`.

Both the CSR and the accompanying private key are given in the output.
You can pass in a directory with `--csr-dir` to output the CSRs to the specified location.
If `--csr-dir` is not specified, the default certificate directory (`/etc/kubernetes/pki`) is used.
-->
### 创建证书签名请求 (CSR)

你可以通过 `kubeadm certs renew --csr-only` 命令创建证书签名请求。

CSR 和随附的私钥都在输出中给出。
你可以传入一个带有 `--csr-dir` 的目录，将 CRS 输出到指定位置。
如果未指定 `--csr-dir` ，则使用默认证书目录（`/etc/kubernetes/pki`）。

<!--
Certificates can be renewed with `kubeadm certs renew --csr-only`.
As with `kubeadm init`, an output directory can be specified with the `--csr-dir` flag.
-->
证书可以通过 `kubeadm certs renew --csr-only` 来续订。
和 `kubeadm init` 一样，可以使用 `--csr-dir` 标志指定一个输出目录。

CSR 签署证书后，必须将证书和私钥复制到 PKI 目录（默认情况下为 `/etc/kubernetes/pki`）。

<!--
A CSR contains a certificate's name, domains, and IPs, but it does not specify usages.
It is the responsibility of the CA to specify [the correct cert usages](/docs/setup/best-practices/certificates/#all-certificates)
when issuing a certificate.
-->
CSR 中包含一个证书的名字，域和 IP，但是未指定用法。
颁发证书时，CA 有责任指定[正确的证书用法](/zh/docs/setup/best-practices/certificates/#all-certificates)

<!-- 
* In `openssl` this is done with the
  [`openssl ca` command](https://superuser.com/questions/738612/openssl-ca-keyusage-extension).
* In `cfssl` you specify
  [usages in the config file](https://github.com/cloudflare/cfssl/blob/master/doc/cmd/cfssl.txt#L170).
-->
* 在 `openssl` 中，这是通过
  [`openssl ca` 命令](https://superuser.com/questions/738612/openssl-ca-keyusage-extension)
  来完成的。
* 在 `cfssl` 中，这是通过
  [在配置文件中指定用法](https://github.com/cloudflare/cfssl/blob/master/doc/cmd/cfssl.txt#L170)
  来完成的。

<!-- 
After a certificate is signed using your preferred method, the certificate and the private key must be copied to the PKI directory (by default `/etc/kubernetes/pki`). 
-->
使用首选方法对证书签名后，必须将证书和私钥复制到 PKI 目录（默认为 `/etc/kubernetes/pki` ）。

<!--
## Certificate authority (CA) rotation {#certificate-authority-rotation}

Kubeadm does not support rotation or replacement of CA certificates out of the box.

For more information about manual rotation or replacement of CA, see [manual rotation of CA certificates](/docs/tasks/tls/manual-rotation-of-ca-certificates/).
-->
## 证书机构（CA）轮换     {#certificate-authority-rotation}

kubeadm 并不直接支持对 CA 证书的轮换或者替换。

关于手动轮换或者置换 CA 的更多信息，可参阅
[手动轮换 CA 证书](/zh/docs/tasks/tls/manual-rotation-of-ca-certificates/)。

<!--
## Enabling signed kubelet serving certificates {#kubelet-serving-certs}

By default the kubelet serving certificate deployed by kubeadm is self-signed.
This means a connection from external services like the
[metrics-server](https://github.com/kubernetes-sigs/metrics-server) to a
kubelet cannot be secured with TLS.

To configure the kubelets in a new kubeadm cluster to obtain properly signed serving
certificates you must pass the following minimal configuration to `kubeadm init`:
-->
## 启用已签名的 kubelet 服务证书   {#kubelet-serving-certs}

默认情况下，kubeadm 所部署的 kubelet 服务证书是自签名（Self-Signed））。
这意味着从 [metrics-server](https://github.com/kubernetes-sigs/metrics-server)
这类外部服务发起向 kubelet 的链接时无法使用 TLS 来完成保护。

要在新的 kubeadm 集群中配置 kubelet 以使用被正确签名的服务证书，
你必须向 `kubeadm init` 传递如下最小配置数据：

```yaml
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
serverTLSBootstrap: true
```

<!--
If you have already created the cluster you must adapt it by doing the following:
 - Find and edit the `kubelet-config-{{< skew latestVersion >}}` ConfigMap in the `kube-system` namespace.
In that ConfigMap, the `kubelet` key has a
[KubeletConfiguration](/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
document as its value. Edit the KubeletConfiguration document to set `serverTLSBootstrap: true`.
- On each node, add the `serverTLSBootstrap: true` field in `/var/lib/kubelet/config.yaml`
and restart the kubelet with `systemctl restart kubelet`
-->
如果你已经创建了集群，你必须通过执行下面的操作来完成适配：

- 找到 `kube-system` 名字空间中名为 `kubelet-config-{{< skew latestVersion >}}`
  的 ConfigMap 并编辑之。
  在该 ConfigMap 中，`kubelet` 键下面有一个
  [KubeletConfiguration](/zh/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
  文档作为其取值。编辑该 KubeletConfiguration 文档以设置
  `serverTLSBootstrap: true`。
- 在每个节点上，在 `/var/lib/kubelet/config.yaml` 文件中添加
  `serverTLSBootstrap: true` 字段，并使用 `systemctl restart kubelet`
  来重启 kubelet。

<!--
The field `serverTLSBootstrap: true` will enable the bootstrap of kubelet serving
certificates by requesting them from the `certificates.k8s.io` API. One known limitation
is that the CSRs (Certificate Signing Requests) for these certificates cannot be automatically
approved by the default signer in the kube-controller-manager -
[`kubernetes.io/kubelet-serving`](/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers).
This will require action from the user or a third party controller.

These CSRs can be viewed using:
-->
字段 `serverTLSBootstrap` 将允许启动引导 kubelet 的服务证书，方式
是从 `certificates.k8s.io` API 处读取。这种方式的一种局限在于这些
证书的 CSR（证书签名请求）不能被 kube-controller-manager 中默认的
签名组件 
[`kubernetes.io/kubelet-serving`](/zh/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers)
批准。需要用户或者第三方控制器来执行此操作。

可以使用下面的命令来查看 CSR：

```shell
kubectl get csr
```

```none
NAME        AGE     SIGNERNAME                        REQUESTOR                      CONDITION
csr-9wvgt   112s    kubernetes.io/kubelet-serving     system:node:worker-1           Pending
csr-lz97v   1m58s   kubernetes.io/kubelet-serving     system:node:control-plane-1    Pending
```

<!--
To approve them you can do the following:
-->
你可以执行下面的操作来批准这些请求：

```shell
kubectl certificate approve <CSR-名称>
```

<!--
By default, these serving certificate will expire after one year. Kubeadm sets the
`KubeletConfiguration` field `rotateCertificates` to `true`, which means that close
to expiration a new set of CSRs for the serving certificates will be created and must
be approved to complete the rotation. To understand more see
[Certificate Rotation](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#certificate-rotation).
-->
默认情况下，这些服务证书上会在一年后过期。
kubeadm 将 `KubeletConfiguration` 的 `rotateCertificates` 字段设置为
`true`；这意味着证书快要过期时，会生成一组针对服务证书的新的 CSR，而
这些 CSR 也要被批准才能完成证书轮换。
要进一步了解这里的细节，可参阅
[证书轮换](/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#certificate-rotation)
文档。

<!--
If you are looking for a solution for automatic approval of these CSRs it is recommended
that you contact your cloud provider and ask if they have a CSR signer that verifies
the node identity with an out of band mechanism.
-->
如果你在寻找一种能够自动批准这些 CSR 的解决方案，建议你与你的云提供商
联系，询问他们是否有 CSR 签名组件，用来以带外（out-of-band）的方式检查
节点的标识符。

{{% thirdparty-content %}}

<!--
Third party custom controllers can be used:
- [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp)

Such a controller is not a secure mechanism unless it not only verifies the CommonName
in the CSR but also verifies the requested IPs and domain names. This would prevent
a malicious actor that has access to a kubelet client certificate to create
CSRs requesting serving certificates for any IP or domain name.
-->
也可以使用第三方定制的控制器：

- [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp)

除非既能够验证 CSR 中的 CommonName，也能检查请求的 IP 和域名，
这类控制器还算不得安全的机制。
只有完成彻底的检查，才有可能避免有恶意的、能够访问 kubelet 客户端证书的第三方
为任何 IP 或域名请求服务证书。