Comments (5)
If you think this is risky, you should run it more often, not less, but on your schedule, so you find out what fails and fix it.
Given the lack of negative feedback over the years I personally think it's safe.
from kubespray.
You can adjust the frequency of certificate renewal using the auto_renew_certificates_systemd_calendar parameter.
from kubespray.
Hi @cqmmm ,
I've already looked at this too. The problem is that kubeadm for the certs check-expirations command currently does not provide a good output to recognize the residual time of the certificates. You would have to parse a few values with awk, for example, and with the next output change you would have to check again and again whether the check is still valid.
I also checked and apparently kubeadm is already working on supporting other output formats like yaml or json (this would make parsing the information easier), but as @ErikJiang already mentioned, your problem would probably be solved by configuring auto_renew_certificates_systemd_calendar.
As an example you could use `* *-01,07-01 00:00:00`, then the script would only run every 6 months. In my test case, the kubeadm certificates are valid for 364d. This means that it would be renewed twice as often as necessary and you are 100% sure that the certificates will not expire before the script renews them.
from kubespray.
Maybe a logic extension of the script makes sense if kubespray runs on kubeadm v1.30 (I think this also implies the Kubernetes version v1.30), since kubeadm apparently supports the structured outputs with v1.30 for kubeadm certs commands. kubernetes/kubernetes#123372
from kubespray.
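The two comments above describe the gap: before kubeadm gained structured output, the only way to check residual certificate lifetime was to parse the human-readable table of `kubeadm certs check-expiration`. The script below is an added example, not Kubespray's or kubeadm's own code. It parses a constructed sample in the shape of that table (names, dates and residual times are made up) and lists certificates whose RESIDUAL TIME is under a threshold in days; it assumes kubeadm prints residual time in the short duration style used across Kubernetes tooling (`364d`, `23h`, `9y`, `<invalid>` once expired). Such a check is useful as a monitoring alert alongside the systemd timer, so an expired certificate is noticed even if the renewal run itself fails.

```shell
#!/bin/sh
# Added example (not Kubespray's or kubeadm's code): flag certificates in the
# `kubeadm certs check-expiration` table whose residual time is below a
# threshold in days. Assumption: RESIDUAL TIME uses the short duration style
# (364d, 23h, 9y, or <invalid> after expiry).

# Constructed sample in the shape of `kubeadm certs check-expiration` output;
# the dates and residual times are invented for this example.
sample_output() {
  cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 01, 2025 00:00 UTC   364d            ca                      no
apiserver                  Jan 01, 2025 00:00 UTC   364d            ca                      no
apiserver-etcd-client      Jan 01, 2025 00:00 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 30, 2023 00:00 UTC   <invalid>       ca                      no
etcd-peer                  Jan 20, 2024 00:00 UTC   17d             etcd-ca                 no
front-proxy-client         Jan 02, 2024 00:00 UTC   23h             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 30, 2033 00:00 UTC   9y              no
etcd-ca                 Dec 30, 2033 00:00 UTC   9y              no
front-proxy-ca          Dec 30, 2033 00:00 UTC   9y              no
EOF
}

# expiring_within THRESHOLD_DAYS
# Reads check-expiration output on stdin and prints "NAME RESIDUAL" for every
# certificate (leaf or CA) whose residual time is below the threshold.
# Residual time is the 7th field on both table layouts because EXPIRES spans
# five fields ("Jan 01, 2025 00:00 UTC"); header and log lines are skipped by
# requiring that field to look like a duration token.
expiring_within() {
  awk -v threshold="$1" '
    # Convert a duration token to whole days; -1 means already expired or
    # unrecognised, which always warrants attention.
    function to_days(tok,    n, unit) {
      if (tok == "<invalid>") return -1
      n = substr(tok, 1, length(tok) - 1) + 0
      unit = substr(tok, length(tok))
      if (unit == "y") return n * 365
      if (unit == "d") return n
      if (unit == "h" || unit == "m" || unit == "s") return 0
      return -1
    }
    $7 ~ /^([0-9]+[smhdy]|<invalid>)$/ {
      if (to_days($7) < threshold) print $1, $7
    }
  '
}

# Stand-alone demo on the constructed sample. On a control plane node you
# would instead pipe the real command:  kubeadm certs check-expiration | expiring_within 60
sample_output | expiring_within 60
```

A reasonable threshold is a few times the timer interval, so the alert fires only if a scheduled renewal was missed. The calendar expression itself can be sanity-checked before it is applied with `systemd-analyze calendar '* *-01,07-01 00:00:00'`, which prints the next times the timer would elapse.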
Also note that before this option even existed, the Kubespray stance was that people should be upgrading at least once a year to stay on supported version so this was somewhat not needed. So if your use case fit that (i.e.: you didn't reduce the cert lifetime), you could still fallback to not using this option at all.
Although if you find a way to improve the existing logic feel free!
from kubespray.