How to renew kubernetes ssl certs

3/31/2020

I'm using kubeadm to build a k8s cluster, and the default SSL certs will be used for 1 year. I plan to use cfssl or openssl to generate new certs with 10 years of use. Could anyone please help me?

Thanks all

-- Thanhvanptit
certificate
kubernetes
kubernetes-apiserver
openssl
ssl

1 Answer

3/31/2020

You can generate certs using cfssl or openssl, store them in a directory, and specify that directory in kubeadm init; kubeadm will then not generate certs and will use the provided certs.

kubeadm init --cert-dir

https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#custom-certificates

Kubeadm also provides a cert renewal mechanism for renewing certs for 1 year.

kubeadm alpha certs renew

Since you have a running cluster which signs certs with 1 year of validity, you can change this kube-controller-manager flag, the default duration of signed certs, to sign certs for 10 years.

--experimental-cluster-signing-duration duration     Default: 8760h0m0s 

Once this is done, you can use the guide below to sign a cert valid for 10 years.

https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#renew-certificates-with-the-kubernetes-certificates-api

-- Arghya Sadhu
Source: StackOverflow
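
An added example, not part of the original answer: a POSIX shell audit to run after any of the approaches above (custom certs in the cert directory, kubeadm's renew, or a longer signing duration) to confirm what lifetime the certificates actually carry. The function names and the sample certs are constructed for illustration; on a kubeadm node the directory to check is normally /etc/kubernetes/pki.

```shell
#!/bin/sh
# Added example: audit certificate lifetimes in a kubeadm-style cert directory.

# make_cert DIR NAME DAYS: constructed sample input, a self-signed cert
# valid for DAYS days (stands in for a cert made by cfssl, openssl or kubeadm).
make_cert() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/$2.key" -out "$1/$2.crt" \
        -days "$3" -subj "/CN=$2" >/dev/null 2>&1 &&
    chmod 600 "$1/$2.key"   # private keys must not be world-readable
}

# expiring_certs DIR DAYS: print the path of every *.crt under DIR
# (subdirectories such as etcd/ included) that expires within DAYS days.
expiring_certs() {
    secs=$(( $2 * 86400 ))
    find "$1" -type f -name '*.crt' | sort | while read -r crt; do
        # -checkend exits non-zero when the cert expires within $secs seconds
        if ! openssl x509 -checkend "$secs" -noout -in "$crt" >/dev/null 2>&1; then
            echo "$crt"
        fi
    done
}

# cert_report DIR DAYS: one line per cert with its status and notAfter date.
cert_report() {
    soon=$(expiring_certs "$1" "$2")
    find "$1" -type f -name '*.crt' | sort | while read -r crt; do
        end=$(openssl x509 -enddate -noout -in "$crt" | cut -d= -f2)
        status=OK
        printf '%s\n' "$soon" | grep -qxF "$crt" && status=EXPIRING
        printf '%-10s %s  notAfter=%s\n' "$status" "$crt" "$end"
    done
}

# Demo on constructed input: run the script with the argument "demo".
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_cert "$d" ca 3650          # 10-year cert, as the question asks for
    make_cert "$d/etcd" server 365  # 1-year cert, like the kubeadm default
    cert_report "$d" 400            # flags only the 1-year cert
    rm -rf "$d"
fi
```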