Back to all scenarios
Scenario #38
Cluster Management
K8s v1.19, kubeadm

API Server Certificate Expiry Blocking Cluster Access

After 1 year of uptime, API server certificate expired, blocking access to all components.

Find this helpful?
What Happened

Default kubeadm cert rotation didn’t occur, leading to expiry of API server and etcd peer certs.

Diagnosis Steps
  • 1kubectl failed with x509: certificate has expired.
  • 2Checked /etc/kubernetes/pki/apiserver.crt expiry date.
Root Cause

kubeadm certificates were never rotated or renewed.

Fix/Workaround
• Used kubeadm certs renew all.
• Restarted control plane components.
Lessons Learned

Certificates expire silently unless monitored.

How to Avoid
  • 1Rotate certs before expiry.
  • 2Monitor /metrics for cert validity.
Previous ScenarioNext Scenario