Recovering from expired control plane certificates
- Recovering from expired control plane certificates

Recovering from expired control plane certificates

Recovering from expired control plane certificates

Recovering from expired control plane certificates

The cluster can automatically recover from expired control plane certificates.

However, you must manually approve the pending node-bootstrapper certificate signing requests (CSRs) to recover kubelet certificates. For user-provisioned installations, you might also need to approve pending kubelet serving CSRs.

Use the following steps to approve the pending CSRs:

Procedure

Get the list of current CSRs:

$ oc get csr

Example output

NAME        AGE    SIGNERNAME                                    REQUESTOR                                                                   CONDITION
csr-2s94x   8m3s   kubernetes.io/kubelet-serving                 system:node:<node_name>                                                     Pending (1)
csr-4bd6t   8m3s   kubernetes.io/kubelet-serving                 system:node:<node_name>                                                     Pending (1)
csr-4hl85   13m    kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending (2)
csr-zhhhp   3m8s   kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending (2)
...

1	A pending kubelet service CSR (for user-provisioned installations).
2	A pending `node-bootstrapper` CSR.

Review the details of a CSR to verify that it is valid:
```
$ oc describe csr <csr_name> (1)
```
1 <csr_name> is the name of a CSR from the list of current CSRs.
Approve each valid node-bootstrapper CSR:
```
$ oc adm certificate approve <csr_name>
```
For user-provisioned installations, approve each valid kubelet serving CSR:
```
$ oc adm certificate approve <csr_name>
```