GitopsCentral

Stop the Panic: How to Check Certificate Expiry in Kubernetes

Filed under: Kubernetes — shaik zillani @ 5:16 pm

Certificate expiration is a silent killer in Kubernetes. When the API Server’s certificates—or crucial service certificates—expire, your cluster can grind to a halt. You might lose the ability to deploy, scale, or even connect via kubectl.

Fortunately, checking these expiry dates is straightforward using the kubectl command and the openssl utility.

Checking the Control Plane Certificates

The most critical certificates are those protecting the Kubernetes control plane components, typically stored in the /etc/kubernetes/pki directory on your control plane nodes.

Method A: Using kubeadm (Recommended for kubeadm setups)

If you initialized your cluster using kubeadm, it provides a built-in, simple command to audit the certificate health:

sudo kubeadm certs check-expiration

This command will output a table showing the remaining time (in days) until expiry for all managed certificates, including the API Server, Controller Manager, Scheduler, and Kubelet client certificates.

CERTIFICATE               EXPIRES                  REMAINS   CERTIFICATE AUTHORITY
apiserver                 Jan 01, 2026 00:00 UTC   365d      ca
apiserver-kubelet-client  Jan 01, 2026 00:00 UTC   365d      ca
front-proxy-client        Jan 01, 2026 00:00 UTC   365d      front-proxy-ca

Method B: Manual Check (For Custom or Non-kubeadm setups)

For demonstration purposes, first generate a self-signed certificate that we can store in a Secret:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365

Answer the prompts for the above command (country, common name, etc.) and cert.pem will be created alongside key.pem.

Create a Secret from the certificate. The key name crt is set explicitly so that the Go template below can reference it as .data.crt (without it, the key would be cert.pem, whose dot needs the escaping described in the next section):

kubectl create secret generic mycert --from-file=crt=./cert.pem

Fetch the certificate data with kubectl and check the expiry with openssl:

kubectl get secret mycert --template='{{.data.crt}}' | base64 --decode | openssl x509 -enddate -noout

If the certificate key in the Secret contains a dot (.)

If the key that holds the certificate contains a dot, as tls.crt does below, the plain template lookup fails; use -o=jsonpath with kubectl instead.

apiVersion: v1
data:
  tls.crt: <cert-data>

Get the certificate info with the jsonpath flag, escaping the dot in the key name with a backslash (\) as shown below:

kubectl get secret dev-goacademy-tls -o=jsonpath='{.data.tls\.crt}' | base64 --decode | openssl x509 -enddate -noout
notAfter=Mar 1 15:38:50 2023 GMT
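As an added example (not code from the original post), the same base64/openssl pipeline wrapped in a small script that turns the notAfter line into days remaining and a status, and walks every kubernetes.io/tls Secret in the cluster. It assumes GNU date (for -d), kubectl, base64 and openssl on the PATH; the 30-day threshold and the namespace/secret names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the page's
# base64 --decode | openssl x509 -enddate pipeline so that a Secret's
# certificate is reported as days remaining plus a status, instead of a
# raw notAfter line. Assumes GNU date (-d), kubectl, base64 and openssl
# on the PATH; namespace/secret names and the threshold are illustrative.
set -eu

WARN_DAYS="${WARN_DAYS:-30}"   # status becomes WARNING below this many days

# days_until_expiry "notAfter=Mar 1 15:38:50 2023 GMT" -> integer days left,
# floored so that a cert that expired 1 hour ago reports -1, not 0.
days_until_expiry() {
  not_after="${1#notAfter=}"
  expiry_epoch="$(date -u -d "$not_after" +%s)"
  now_epoch="$(date -u +%s)"
  secs=$(( expiry_epoch - now_epoch ))
  days=$(( secs / 86400 ))
  if [ "$secs" -lt 0 ] && [ $(( secs % 86400 )) -ne 0 ]; then
    days=$(( days - 1 ))
  fi
  echo "$days"
}

# expiry_status DAYS -> EXPIRED, WARNING or OK, compared against WARN_DAYS
expiry_status() {
  if [ "$1" -lt 0 ]; then echo EXPIRED
  elif [ "$1" -lt "$WARN_DAYS" ]; then echo WARNING
  else echo OK
  fi
}

# check_secret_cert NAMESPACE SECRET KEY -> one report line. Dots in KEY
# (tls.crt) are escaped for jsonpath exactly as the post describes.
check_secret_cert() {
  escaped_key="$(printf '%s' "$3" | sed 's/\./\\./g')"
  not_after="$(kubectl -n "$1" get secret "$2" -o=jsonpath="{.data.${escaped_key}}" \
    | base64 --decode | openssl x509 -enddate -noout)"
  days="$(days_until_expiry "$not_after")"
  printf '%s/%s[%s] %s (%s days)\n' "$1" "$2" "$3" "$(expiry_status "$days")" "$days"
}

# check_all_tls_secrets -> one line per kubernetes.io/tls Secret in the cluster
check_all_tls_secrets() {
  kubectl get secrets --all-namespaces --field-selector type=kubernetes.io/tls \
    -o=jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}' \
    | while read -r ns name; do check_secret_cert "$ns" "$name" tls.crt; done
}
```

Run check_all_tls_secrets from a cron job or CI step and alert on any line containing EXPIRED or WARNING; the expired notAfter value printed above in the post would report a negative day count.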

© 2016–2025 GitOpsCentral | All Rights Reserved.