Regenerate master certificates to kubernetes cluster

Question

We have a few k8s clusters in AWS that were created using Kops.
We are trying to improve security by setting up RBAC using service accounts and users.
Unfortunately, some of our devs were given the master/admin certificates.
Would it be possible to regenerate the master certificates without creating a new cluster?

Other best practices related to security would also be appreciated! Thanks.

Looks like a duplicate of https://stackoverflow.com/questions/52005814/rotate-certificate-for-kubernetes-in-a-kops-managed-cluster — Ole Markus With, Apr 12 '21 at 19:29
Hello @JezreelRavina Does the above question solve your issue? — Wytrzymały Wiktor, Apr 13 '21 at 06:33
I see, thanks for this @OleMarkusWith. Did not see this post. — Jezreel Ravina, Apr 13 '21 at 20:27

score 1 · Accepted Answer · answered Apr 15 '21 at 12:05

This is a community wiki answer based on a solution from a similar question. Feel free to expand it.

As already mentioned in the comments, the answer to your question boils down to the below conclusions:

Currently there is no easy way to roll certificates without disruptions
You cannot disable certificates as Kubernetes relies on the PKI to authenticate
Rotating secrets should be graceful in the future as stated in this PR

Regenerate master certificates to kubernetes cluster

1 Answers1