Commit

Merge pull request kubernetes#38353 from SergeyKanzhelev/RotateKubeletClientCertificateIsGA

fix documentation for RotateKubeletClientCertificate
k8s-ci-robot authored Dec 16, 2022
2 parents 33248dd + ab48121 commit f9e113f
Showing 1 changed file with 12 additions and 10 deletions.
Expand Up @@ -404,23 +404,25 @@ However, you _can_ enable its server certificate, at least partially, via certif

### Certificate Rotation

Kubernetes v1.8 and higher kubelet implements __beta__ features for enabling
rotation of its client and/or serving certificates. These can be enabled through
the respective `RotateKubeletClientCertificate` and
`RotateKubeletServerCertificate` feature flags on the kubelet and are enabled by
default.
Kubernetes v1.8 and higher kubelet implements features for enabling
rotation of its client and/or serving certificates. Note, rotation of serving
certificate is a __beta__ feature and requires the `RotateKubeletServerCertificate`
feature flag on the kubelet (enabled by default).

`RotateKubeletClientCertificate` causes the kubelet to rotate its client
certificates by creating new CSRs as its existing credentials expire. To enable
this feature pass the following flag to the kubelet:
You can configure the kubelet to rotate its client certificates by creating new CSRs
as its existing credentials expire. To enable this feature, use the `rotateCertificates`
field of [kubelet configuration file](/docs/tasks/administer-cluster/kubelet-config-file/)
or pass the following command line argument to the kubelet (deprecated):

```
--rotate-certificates
```

`RotateKubeletServerCertificate` causes the kubelet **both** to request a serving
Enabling `RotateKubeletServerCertificate` causes the kubelet **both** to request a serving
certificate after bootstrapping its client credentials **and** to rotate that
certificate. To enable this feature pass the following flag to the kubelet:
certificate. To enable this behavior, use the field `serverTLSBootstrap` of
the [kubelet configuration file](/docs/tasks/administer-cluster/kubelet-config-file/)
or pass the following command line argument to the kubelet (deprecated):

```
--rotate-server-certificates
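Review bot: The rewritten serving-certificate paragraph still opens with "Enabling `RotateKubeletServerCertificate` causes the kubelet **both** to request a serving certificate", while the introduction now says that gate is "enabled by default" and the following sentence says the behavior is turned on with `serverTLSBootstrap` or `--rotate-server-certificates`. Read together, it is unclear whether the default-on gate alone makes the kubelet request and rotate serving certificates or whether the configuration field is also required. Please state the relationship in one sentence, for example that the gate must be on and `serverTLSBootstrap` is what enables the behavior, if that is the intended meaning. The client-certificate paragraph no longer names `RotateKubeletClientCertificate` or gives its status, so a reader searching for the gate finds nothing here; one sentence saying what stage it is at would cover that. Smaller points: "feature flag" next to "command line argument" is easy to confuse, so "feature gate" would be clearer; "rotation of serving certificate" and "field of [kubelet configuration file]" are each missing "the".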