Scenario #293
Security
Kubernetes v1.21, Kubeadm-based cluster

Stale Node Certificates After Rejoining Cluster

A node was rejoined to the cluster using a stale certificate, giving it access it shouldn't have.

What Happened

A node that had previously been removed from the cluster was added back using its old /var/lib/kubelet/pki/kubelet-client.crt. That certificate had not yet expired, so the API server still accepted it.

Diagnosis Steps
1. Compared certificate expiry and usage.
2. Found stale kubelet cert on rejoined node.
3. Verified node had been deleted previously.
Root Cause

The old credentials were not purged before the node rejoined, so the rejoin reused an identity the cluster had already retired.

Fix/Workaround
• Manually deleted old certificates from the node.
• Set short TTLs for client certificates.
Lessons Learned

Node certs should be one-time-use and short-lived.

How to Avoid
1. Rotate node credentials regularly.
2. Use automation to purge sensitive files before rejoining.
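The following is an added example, not part of the original scenario, covering both the diagnosis (is a leftover kubelet client cert still valid for a node the cluster no longer knows?) and the "purge before rejoining" step. The file list and the `system:node:<name>` subject form are standard kubeadm conventions; the `classify_kubelet_cert` and `purge_node_credentials` function names, and the constructed inputs, are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original scenario: pre-rejoin hygiene for a
# kubeadm worker. The decision logic takes its inputs as arguments so it can be
# exercised without a cluster; inspect_cert_file wires in openssl and GNU date.
set -eu
# kubeadm issues kubelet client certs with O=system:nodes, CN=system:node:<name>.
# Handles both "CN = system:node:x" and the older "/CN=system:node:x" subject styles.
node_from_subject() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *system:node:\([^,/ ]*\).*/\1/p'
}

# classify_kubelet_cert NOT_AFTER_EPOCH NOW_EPOCH SUBJECT KNOWN_NODES
#   KNOWN_NODES: space-separated names, e.g. `kubectl get nodes -o name` minus "node/".
#   expired  past notAfter, no longer accepted by the API server
#   active   valid and the node is still registered
#   stale    valid but the node was deleted: the credential from this scenario
#   notnode  subject is not a kubelet client identity
classify_kubelet_cert() {
  name=$(node_from_subject "$3")
  [ -n "$name" ] || { echo notnode; return; }
  [ "$1" -gt "$2" ] || { echo expired; return; }
  for n in $4; do [ "$n" = "$name" ] && { echo active; return; }; done
  echo stale
}

# inspect_cert_file CERT KNOWN_NODES: run the check against a real PEM file.
inspect_cert_file() {
  na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  subj=$(openssl x509 -in "$1" -noout -subject)
  classify_kubelet_cert "$(date -u -d "$na" +%s)" "$(date -u +%s)" "$subj" "$2"
}

# purge_node_credentials ROOT: delete what `kubeadm join` must never inherit.
# ROOT is / on a real node (a temp dir in tests). Prints the number of files removed.
purge_node_credentials() {
  root=${1%/}; count=0
  for f in var/lib/kubelet/pki/kubelet-client.crt var/lib/kubelet/pki/kubelet-client.key \
           etc/kubernetes/kubelet.conf etc/kubernetes/pki/ca.crt; do
    [ -e "$root/$f" ] || continue
    rm -f -- "$root/$f"; count=$((count + 1))
  done
  # Rotated kubelet client certs live in kubelet-client-<timestamp>.pem with a
  # kubelet-client-current.pem symlink; -L catches the symlink once its target is gone.
  for f in "$root"/var/lib/kubelet/pki/kubelet-client-*.pem; do
    [ -e "$f" ] || [ -L "$f" ] || continue
    rm -f -- "$f"; count=$((count + 1))
  done
  echo "$count"
}
```

On a real node, run `purge_node_credentials /` (or `kubeadm reset`) before `kubeadm join`; a result of `stale` from `inspect_cert_file` on a machine that is about to rejoin is exactly the condition this scenario describes.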