# FM-KED-006 — Kubernetes Cluster Certificate Expiration

**Severity:** S1 — Critical  
**Recovery Class:** B — Standard Recovery  
**Covered by Monthly Support:** Yes

---

### Description

Internal Kubernetes certificates expire, leading to partial or complete cluster malfunction. This may affect control plane communication, node registration, API access, or workload scheduling.

This issue typically appears in long-running clusters where certificate rotation was not automated or monitored. kubeadm issues the component certificates with a one-year validity and renews them during `kubeadm upgrade`, so the failure usually surfaces roughly a year after the cluster was bootstrapped or last upgraded.

---

### Typical Symptoms

- `kubectl` commands failing with TLS or x509 errors, typically `x509: certificate has expired or is not yet valid`
- Nodes switching to `NotReady` state
- Control plane components restarting or failing
- Ingress, networking, or admission controllers malfunctioning

---

### Diagnostic Checklist

#### Verify Certificate Expiration

On a control plane node (kubeadm 1.20 or newer; older releases expose the same command as `kubeadm alpha certs check-expiration`):

```bash
sudo kubeadm certs check-expiration
```

If `kubeadm` is not available, inspect certificates directly:

```bash
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -dates
```
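The two commands above cover one certificate at a time. The script below is an added example, not part of this runbook or of kubeadm: it walks the whole kubeadm PKI tree (including `etcd/`), decodes the client certificates that kubeadm embeds in `admin.conf`, `controller-manager.conf` and `scheduler.conf`, and reports anything expired or expiring within a threshold. It assumes `openssl` in `PATH` and the default layout under `/etc/kubernetes`; `PKI_DIR`, `KUBE_DIR` and `WARN_DAYS` are environment overrides introduced here.

```shell
#!/bin/sh
# Added example (not part of this runbook's original content): report every
# kubeadm-managed certificate that is expired or expires within WARN_DAYS.
# Assumptions: openssl in PATH and the default kubeadm layout under /etc/kubernetes
# (both directories can be overridden through the environment); file names without
# spaces, which holds for kubeadm's PKI tree.
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"     # also contains the etcd/ certificates
KUBE_DIR="${KUBE_DIR:-/etc/kubernetes}"       # kubeconfigs with embedded client certs
WARN_DAYS="${WARN_DAYS:-30}"

# check_cert FILE [DAYS]: print one status line and return 0 if FILE is still valid
# for at least DAYS more days, 1 if it is expired or expires sooner, 2 if unreadable.
# `openssl x509 -checkend N` exits 0 only when the cert will not expire within N
# seconds, so the same test catches already-expired certs without any date parsing.
check_cert() {
  cert="$1"
  days="${2:-$WARN_DAYS}"
  notafter="$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)"
  if [ -z "$notafter" ]; then
    printf 'UNREADABLE %s\n' "$cert"
    return 2
  fi
  if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
    printf 'OK         %s  notAfter=%s\n' "$cert" "$notafter"
    return 0
  fi
  printf 'EXPIRING   %s  notAfter=%s\n' "$cert" "$notafter"
  return 1
}

# check_kubeconfig FILE [DAYS]: kubeadm writes admin.conf, controller-manager.conf and
# scheduler.conf with the client certificate embedded as base64 under
# client-certificate-data. Decode the first one and run it through check_cert.
# Returns check_cert's code, or 2 when the file embeds no certificate (for example a
# kubelet.conf that points at /var/lib/kubelet/pki/kubelet-client-current.pem).
check_kubeconfig() {
  kc="$1"
  days="${2:-$WARN_DAYS}"
  tmp="$(mktemp)"
  sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$kc" \
    | head -n 1 | base64 -d > "$tmp" 2>/dev/null || true
  if [ ! -s "$tmp" ]; then
    printf 'SKIP       %s (no embedded client certificate)\n' "$kc"
    rm -f "$tmp"
    return 2
  fi
  rc=0
  line="$(check_cert "$tmp" "$days")" || rc=$?
  printf '%s\n' "$line" | sed "s|$tmp|$kc (embedded client cert)|"
  rm -f "$tmp"
  return "$rc"
}

# scan_cluster: walk the PKI tree and the kubeconfigs; return 1 if anything is expiring.
scan_cluster() {
  bad=0
  for f in $(find "$PKI_DIR" -name '*.crt' 2>/dev/null | sort); do
    rc=0
    check_cert "$f" || rc=$?
    [ "$rc" -eq 1 ] && bad=1
  done
  for kc in "$KUBE_DIR"/admin.conf "$KUBE_DIR"/controller-manager.conf \
            "$KUBE_DIR"/scheduler.conf "$KUBE_DIR"/kubelet.conf; do
    [ -f "$kc" ] || continue
    rc=0
    check_kubeconfig "$kc" || rc=$?
    [ "$rc" -eq 1 ] && bad=1
  done
  return "$bad"
}

# Run the scan only when asked, so the functions can also be sourced from another script.
case "${1:-}" in --scan) scan_cluster ;; esac
```

Run it as `sudo sh check-certs.sh --scan` (root is needed to read the private PKI directory); a non-zero exit means at least one certificate is inside the warning window, which makes it usable as a cron or monitoring check. A `kubelet.conf` that references `kubelet-client-current.pem` is skipped on purpose: that file is rotated by the kubelet itself and is not one of the certificates `kubeadm certs renew` manages.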

---

### Recovery Procedure

⚠️ Perform these steps on **every control plane node**; certificates are renewed per node  
⚠️ Requires administrative access

---

#### 1. Renew Kubernetes Certificates

```bash
sudo kubeadm certs renew all
```

This renews every certificate kubeadm manages under `/etc/kubernetes/pki` (API server, front-proxy and etcd server, peer and client certificates) and rewrites the kubeconfig files whose client certificates are embedded (`admin.conf`, `controller-manager.conf`, `scheduler.conf`). It does not renew the CA certificates, and it does not touch the kubelet's own client certificate, which the kubelet rotates itself when `rotateCertificates` is enabled (kubeadm's default). On kubeadm releases older than 1.20 the command is `kubeadm alpha certs renew all`.

---

#### 2. Restart Control Plane Components

```bash
sudo systemctl restart kubelet
```

Restarting the kubelet is harmless but not sufficient on its own: static pods whose containers are already running are adopted as they are, and the components keep serving the certificates they loaded at startup. Force a restart of each static pod by moving its manifest out of `/etc/kubernetes/manifests/`, waiting about 20 seconds for the kubelet to stop the pod, then moving the manifest back so the kubelet creates a fresh pod that reads the renewed files. The static pods on a kubeadm control plane node are:

- etcd (stacked topology, kubeadm's default)
- kube-apiserver
- kube-controller-manager
- kube-scheduler

---

#### 3. Refresh Local kubeconfig Files

```bash
sudo cp /etc/kubernetes/admin.conf ~/.kube/config
sudo chown $(id -u):$(id -g) ~/.kube/config
```

Repeat for any other kubeconfig files in use (copies handed to operators, automation or CI). `admin.conf` carries a cluster-admin client certificate, so keep every copy readable only by its owner (mode 0600) and overwrite stale copies rather than leaving them lying around.

---

#### 4. Verify Cluster Health

```bash
kubectl get nodes
kubectl get pods -A
```

Ensure all nodes return to `Ready` state and system pods stabilize.
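Steps 1 to 4 as one script, added here as an example and not part of this runbook or of kubeadm. It assumes kubeadm 1.20 or newer with the default layout under `/etc/kubernetes`, etcd running as a static pod on the same node (kubeadm's stacked topology), `kubeadm` and `kubectl` in `PATH`, and root privileges; `KUBE_DIR`, `MANIFEST_DIR`, `PAUSE` and the `--run` flag are conventions introduced here. The static-pod restart follows the manifest-move method from step 2 rather than a kubelet restart.

```shell
#!/bin/sh
# Added example (not part of this runbook's original content): steps 1 to 4 as one
# script. Assumptions: kubeadm 1.20 or newer with the default layout under
# /etc/kubernetes, etcd running as a static pod on the same node (kubeadm's default
# stacked topology), kubeadm and kubectl in PATH, and root privileges. Nothing runs
# until the script is invoked with --run.
set -u
KUBE_DIR="${KUBE_DIR:-/etc/kubernetes}"
MANIFEST_DIR="${MANIFEST_DIR:-$KUBE_DIR/manifests}"
PAUSE="${PAUSE:-20}"   # seconds for the kubelet to notice a removed manifest and stop the pod

# restart_static_pods: a kubelet restart does not recreate static pods whose containers
# are already running, so the control plane keeps serving the old certificates. Moving
# every manifest out of MANIFEST_DIR makes the kubelet stop the pods (etcd,
# kube-apiserver, kube-controller-manager, kube-scheduler); moving them back starts
# fresh pods that read the renewed certificates from disk.
restart_static_pods() {
  staging="$(mktemp -d)"
  moved=0
  for m in "$MANIFEST_DIR"/*.yaml; do
    [ -f "$m" ] || continue
    mv "$m" "$staging/" || return 1
    moved=$((moved + 1))
  done
  if [ "$moved" -eq 0 ]; then
    printf 'no static pod manifests found in %s\n' "$MANIFEST_DIR" >&2
    rmdir "$staging"
    return 1
  fi
  sleep "$PAUSE"
  for m in "$staging"/*.yaml; do
    mv "$m" "$MANIFEST_DIR/" || return 1
  done
  rmdir "$staging"
  return 0
}

# wait_for_apiserver [SECONDS]: poll the readiness endpoint with the renewed admin.conf
# until it answers or the deadline passes. Returns 0 when the API server is back.
wait_for_apiserver() {
  deadline=$(( $(date +%s) + ${1:-180} ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if kubectl --kubeconfig "$KUBE_DIR/admin.conf" get --raw=/readyz >/dev/null 2>&1; then
      return 0
    fi
    sleep 5
  done
  return 1
}

# refresh_kubeconfig SRC DEST: `kubeadm certs renew all` rewrites admin.conf with a new
# client certificate, so a copy in ~/.kube keeps presenting the expired one until it is
# replaced. Copies only when the files differ and keeps the copy private, because
# admin.conf is a cluster-admin credential.
refresh_kubeconfig() {
  src="$1"
  dest="$2"
  if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
    return 0
  fi
  mkdir -p "$(dirname "$dest")" || return 1
  cp "$src" "$dest" && chmod 600 "$dest"
}

# recover: the four runbook steps in order; stops at the first failure.
recover() {
  kubeadm certs renew all || return 1
  restart_static_pods || return 1
  wait_for_apiserver 180 || { printf 'API server did not become ready\n' >&2; return 1; }
  refresh_kubeconfig "$KUBE_DIR/admin.conf" "$HOME/.kube/config" || return 1
  kubectl get nodes && kubectl get pods -A
}

case "${1:-}" in --run) recover ;; esac
```

Run it as root on each control plane node (`sh recover-certs.sh --run`). It refreshes the kubeconfig of the user running it, which under `sudo` is normally root; for another operator's `~/.kube/config`, call `refresh_kubeconfig` with that path and `chown` the result as in step 3. With several control plane nodes, run the script on one node at a time so the others keep serving during the static-pod restart.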

---

### Preventive Notes

- Monitor certificate expiration dates regularly: run `kubeadm certs check-expiration` on a schedule and alert on the kube-apiserver metric `apiserver_client_certificate_expiration_seconds`, which records the remaining lifetime of client certificates presented to the API server
- Schedule certificate renewal before expiration: `kubeadm upgrade` renews all managed certificates, so a cluster upgraded at least once a year never reaches the one-year deadline; otherwise run `kubeadm certs renew all` ahead of time as a maintenance task
- Prefer automated rotation where supported: keep kubelet client certificate rotation (`rotateCertificates`) enabled so node credentials never need manual renewal
- Avoid running clusters indefinitely without maintenance: the CA certificates kubeadm generates are valid for ten years and are not renewed by `kubeadm certs renew all`, so CA rotation must be planned separately before that date

---

### Responsibility Boundary

Finmars SCSA provides best-effort operational guidance.  
Clusters not managed via kubeadm or heavily customized may require additional investigation beyond standard support scope.

---