How do I rotate the default kubeconfig found at /etc/rancher/k3s/k3s.yaml?
Answered by
brandond
Jan 17, 2024
What specifically are you looking at to judge whether or not it's been regenerated? The file is rewritten every time k3s starts, and just contains an inlined version of the cert+key from |
That is an incorrect assumption.
Rotating the certs does not invalidate old certificates. Were you expecting it to do so? We do not make that claim anywhere.
Kubernetes does not actually support certificate revocation checks, so even if the old certs were revoked by the CA it would not make a difference as the CRL is not checked. The only way to completely revoke old certificates is to switch over to a new CA that does not have any common trust with the old CA - but this is a very disruptive operation, as you are rekeying the entire cluster.
Best practice is not to distribute the admin kubeconfig, and ins…
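
The behaviour described in the answer above, reproduced with throwaway certificates. This is an added example, not part of the original discussion and not k3s code. The CA names, the subject `/O=demo-group/CN=demo-admin` and the helper functions are constructed for illustration, and `openssl` is assumed to be installed.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway CAs and client certs in a temp dir.
# Nothing here reads or modifies a real cluster or kubeconfig.
set -eu
demo_dir=$(mktemp -d)

# make_ca NAME: create a self-signed CA (NAME.key / NAME.crt).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.crt" 2>/dev/null
}

# issue_client CA NAME SERIAL: issue client cert NAME signed by CA.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/O=demo-group/CN=demo-admin" \
    -keyout "$demo_dir/$2.key" -out "$demo_dir/$2.csr" 2>/dev/null
  openssl x509 -req -in "$demo_dir/$2.csr" -days 7 -set_serial "$3" \
    -CA "$demo_dir/$1.crt" -CAkey "$demo_dir/$1.key" \
    -out "$demo_dir/$2.crt" 2>/dev/null
}

# trusted CA CERT: print "accepted" if CERT chains to CA, else "rejected".
# Only signature chain and validity dates are checked; no CRL is consulted,
# which matches the behaviour the answer describes.
trusted() {
  if openssl verify -CAfile "$demo_dir/$1.crt" "$demo_dir/$2.crt" >/dev/null 2>&1
  then echo accepted
  else echo rejected
  fi
}

make_ca old-ca
issue_client old-ca admin-before 1    # cert held before rotation
issue_client old-ca admin-after 2     # cert issued by rotation, same CA
make_ca new-ca                        # full rekey: CA with no common trust
issue_client new-ca admin-rekeyed 1

echo "old CA trusts pre-rotation cert:  $(trusted old-ca admin-before)"
echo "old CA trusts post-rotation cert: $(trusted old-ca admin-after)"
echo "new CA trusts pre-rotation cert:  $(trusted new-ca admin-before)"
echo "new CA trusts rekeyed cert:       $(trusted new-ca admin-rekeyed)"
```

Both certificates signed by the old CA stay acceptable until they expire; only the trust root that shares nothing with the old CA rejects the pre-rotation certificate.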