Scenario #28
Cluster Management
K8s v1.19, kubeadm cluster

kubelet Fails to Start Due to Expired TLS Certs

Several nodes went NotReady after reboot due to kubelet failing to start with expired client certs.

What Happened

Kubelet uses a client certificate for authentication with the API server. These are typically auto-rotated, but the nodes were offline when the rotation was due.

Diagnosis Steps
  • journalctl -u kubelet – cert expired error.
  • /var/lib/kubelet/pki/kubelet-client-current.pem – expired date.
Root Cause

Kubelet cert rotation missed due to node downtime.

Fix/Workaround
• Regenerated kubelet certs using kubeadm.
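```bash
# Renew all kubeadm-managed certificates (run as root on the node).
# kubeadm releases before v1.20 expose this as `kubeadm alpha certs renew all`.
kubeadm certs renew all
```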
Lessons Learned

Cert rotation has a dependency on uptime.

How to Avoid
  • Monitor cert expiry proactively.
  • Rotate certs manually before planned outages.
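
One way to do the proactive monitoring from the first bullet, as an added example that is not part of the original scenario: a POSIX shell check built on `openssl x509 -checkend`. The function names, the `WARN_DAYS` variable and the 30-day default window are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: warn before a kubelet client certificate expires.
# Exit codes: 0 = ok, 1 = expires within the window, 2 = already expired,
# 3 = file missing or not a parseable certificate.
check_cert_expiry() {
    cc_pem=$1
    cc_days=${2:-30}   # warning window in days (assumed default)
    if ! cc_end=$(openssl x509 -in "$cc_pem" -noout -enddate 2>/dev/null); then
        echo "UNREADABLE $cc_pem"
        return 3
    fi
    cc_end=${cc_end#notAfter=}
    # -checkend N exits non-zero when the cert expires within N seconds.
    if ! openssl x509 -in "$cc_pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED $cc_pem notAfter=$cc_end"
        return 2
    fi
    if ! openssl x509 -in "$cc_pem" -noout \
            -checkend $((cc_days * 86400)) >/dev/null 2>&1; then
        echo "WARN $cc_pem expires within ${cc_days}d notAfter=$cc_end"
        return 1
    fi
    echo "OK $cc_pem notAfter=$cc_end"
    return 0
}

# Check every file given and return the worst status seen, so a cron job
# or monitoring agent can alert on the exit code alone.
check_all() {
    ca_worst=0
    for ca_f in "$@"; do
        ca_rc=0
        check_cert_expiry "$ca_f" "${WARN_DAYS:-30}" || ca_rc=$?
        if [ "$ca_rc" -gt "$ca_worst" ]; then
            ca_worst=$ca_rc
        fi
    done
    return "$ca_worst"
}

# When run as a script, check the paths passed on the command line.
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

Run it on each node against `/var/lib/kubelet/pki/kubelet-client-current.pem` and alert on any non-zero exit, so a pending expiry is visible before a planned outage.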