operations to do after new certs + api-keys

9/21/2016
k8s version :  1.4.0-beta 8

Hi everyone, I've been trying for 5 hours already to understand what the mandatory operations are after regenerating certificates + API keys on the masters.

For now even if I do :

- regen certs + keys  
- restart kube-apiserver ( systemd service )  
- restart kubelet ( systemd service )  
- delete all kube-controller-manager pods ( and allow automatic recreation )   
- delete all kube-scheduler pods ( and allow automatic recreation )  
- delete all kube-proxy pods ( and allow automatic recreation )  
- delete service account ( in all namespaces )  
- delete  kubernetes.io/service-account-token in all namespaces  
- delete kube-dns pod ( to allow injection of new credential )   

Then, if I check the kube-dns logs, I am still getting "x509: certificate signed by unknown authority".

If I re-execute everything, also restarting Docker, nothing changes.

**BUT**
If I restart all nodes (5 nodes, 3 masters) ( shutdown -r now ), when they come up, then it works... !

... without having to try all combinations (which are many, due to the high number of components)

What are the only required (minimum) steps?

I think this is a common operation, but I've found no documentation about it anywhere.

-- francesco
kubernetes

0 Answers