  1. Machine Config Operator
  2. MCO-237

Add pool annotation(s) for cert exp

    • Type: Story
    • Resolution: Done
    • Priority: Normal
    • OCPSTRAT-709 - [internal] All OCP internal certificate chains must have clear ownership
    • MCO Sprint 238, MCO Sprint 239

      In order for CONSOLE-2976 to be successful, they need to be able to retrieve: 

      • The kube-apiserver-to-kubelet-signer certificate expiry date
      • Potentially how long the pool has been paused (this might be good for telemetry later)

      To do this, we're going to have to annotate the machine config pool with this information. 

      If we want the certificate expiry annotation to be generically useful and be there regardless of whether the pool is paused, we'll probably have to move the certificate check to the render controller instead of the node controller (so it gets added when the config gets assigned, not when the pool is paused), but if not, we can leave it where it is.

      So yes, probably two annotations: 

      • One with the certificate expiry date in it
      • The other with "paused at" in it, that specifies the time in UTC when the pool was paused 

            cdoern@redhat.com Charles Doern
            jkyros@redhat.com John Kyros
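
An added example (not Machine Config Operator code) of computing the two annotation values proposed above from a PEM certificate bundle and a pause time. The annotation keys, the function names and the choice to report the earliest expiry when the bundle holds several certificates are assumptions; the sample certificate is constructed in the block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical annotation keys: the issue does not name them.
const certExpiryKey = "example.invalid/kubelet-signer-cert-expiry"
const pausedAtKey = "example.invalid/paused-at"

// poolAnnotations reports the earliest NotAfter in a PEM bundle and, if set, the pause time (UTC).
func poolAnnotations(bundle []byte, pausedAt *time.Time) (map[string]string, error) {
	var earliest time.Time
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		if earliest.IsZero() || cert.NotAfter.Before(earliest) {
			earliest = cert.NotAfter
		}
	}
	if earliest.IsZero() {
		return nil, fmt.Errorf("no certificate found in bundle")
	}
	out := map[string]string{certExpiryKey: earliest.UTC().Format(time.RFC3339)}
	if pausedAt != nil { // only a paused pool gets the "paused at" annotation
		out[pausedAtKey] = pausedAt.UTC().Format(time.RFC3339)
	}
	return out, nil
}

// selfSigned builds a constructed sample certificate that expires at notAfter.
func selfSigned(notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: notAfter,
		NotBefore: notAfter.AddDate(-1, 0, 0), Subject: pkix.Name{CommonName: "sample-signer"}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
func main() { fmt.Println(poolAnnotations(selfSigned(time.Now().AddDate(1, 0, 0)), nil)) }
```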