OpenShift Bugs: OCPBUGS-74681

Docs for kube-apiserver-to-kubelet-signer are outdated

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • 4.14, 4.15, 4.16, 4.17, 4.18, 4.19, 4.20
    • Important

      Description of problem:

      Prior to OCP 4.13, pausing an MCP could prevent the kubelet CA from being renewed. Starting from OCP 4.14, /etc/kubernetes/kubelet-ca.crt is updated without going through the MCP, so the kubelet CA will effectively no longer expire on the nodes. The description in the document below is therefore outdated and may confuse customers, so it should be removed.

      Important
      Pausing a machine config pool prevents the Machine Config Operator from applying any configuration changes on the associated nodes. Pausing an MCP also prevents any automatically rotated certificates from being pushed to the associated nodes, including the automatic CA rotation of the kube-apiserver-to-kubelet-signer CA certificate.
      If the MCP is paused when the kube-apiserver-to-kubelet-signer CA certificate expires and the MCO attempts to automatically renew the certificate, the MCO cannot push the newly rotated certificates to those nodes. This causes failure in multiple oc commands, including oc debug, oc logs, oc exec, and oc attach. You receive alerts in the Alerting UI of the OpenShift Container Platform web console if an MCP is paused when the certificates are rotated.
      Pausing an MCP should be done with careful consideration about the kube-apiserver-to-kubelet-signer CA certificate expiration and for short periods of time only.
      
      If you are shutting the cluster down for an extended period, determine the date on which certificates expire and run the following command:
      
      $ oc -n openshift-kube-apiserver-operator get secret kube-apiserver-to-kubelet-signer -o jsonpath='{.metadata.annotations.auth\.openshift\.io/certificate-not-after}'

      https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/updating_clusters/performing-a-cluster-update#determining-remaining-worker-pools_update-using-custom-machine-config-pools

      https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/backup_and_restore/graceful-shutdown-cluster#graceful-shutdown_graceful-shutdown-cluster

      Version-Release number of selected component (if applicable):

      Red Hat OpenShift Container Platform 4.14 - 4.20
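      The graceful-shutdown documentation linked above still asks operators to determine the signer's expiry date before an extended shutdown. The following is an added example (not from this bug report, the OpenShift documentation, or the MCO project) that reads the certificate-not-after annotation from the secret's JSON, computes the remaining lifetime, and flags whether a planned shutdown window crosses or sits too close to that date. The secret JSON embedded below is a constructed sample with made-up dates; only the secret name, namespace and annotation key come from the command in the documentation. The annotation is assumed to be an RFC 3339 timestamp with a trailing Z.

```python
"""Check the remaining lifetime of the kube-apiserver-to-kubelet-signer CA
before a planned cluster shutdown. Added example; assumptions are noted inline."""
import json
import subprocess
from datetime import datetime, timedelta, timezone

# Annotation key used in the documented oc jsonpath command.
NOT_AFTER_ANNOTATION = "auth.openshift.io/certificate-not-after"

# Constructed sample in the shape of
#   oc -n openshift-kube-apiserver-operator get secret kube-apiserver-to-kubelet-signer -o json
# trimmed to the fields used here. The dates are made up for the example.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "kube-apiserver-to-kubelet-signer",
        "namespace": "openshift-kube-apiserver-operator",
        "annotations": {
            "auth.openshift.io/certificate-not-before": "2025-01-10T08:00:00Z",
            NOT_AFTER_ANNOTATION: "2026-01-10T08:00:00Z",
        },
    },
})


def parse_not_after(secret_json: str) -> datetime:
    """Extract the signer's not-after time as a timezone-aware UTC datetime."""
    secret = json.loads(secret_json)
    try:
        value = secret["metadata"]["annotations"][NOT_AFTER_ANNOTATION]
    except KeyError as exc:
        raise ValueError(f"secret has no {NOT_AFTER_ANNOTATION} annotation") from exc
    # Assumption: RFC 3339 with a trailing 'Z'. Older Pythons' fromisoformat()
    # rejects 'Z', so normalise it to an explicit +00:00 offset first.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def days_remaining(not_after: datetime, now: datetime) -> float:
    """Days until the signer expires, measured from 'now' (negative if already expired)."""
    return (not_after - now).total_seconds() / 86400


def shutdown_risk(not_after: datetime, shutdown_start: datetime,
                  shutdown_end: datetime, margin_days: int = 7) -> str:
    """Classify a planned shutdown window against the signer's expiry.

    'expired'                 -> the CA has already expired before the shutdown starts
    'expires-during-shutdown' -> the CA expires while the cluster is down
    'tight'                   -> the CA outlives the window by less than margin_days
    'ok'                      -> the window ends with at least margin_days to spare
    The 7-day margin is an arbitrary choice for this example, not a documented value.
    """
    if not_after <= shutdown_start:
        return "expired"
    if not_after <= shutdown_end:
        return "expires-during-shutdown"
    if not_after - shutdown_end < timedelta(days=margin_days):
        return "tight"
    return "ok"


def fetch_secret_json() -> str:
    """Live path (needs cluster access): the documented command with JSON output
    instead of jsonpath, so parse_not_after() can read the whole secret."""
    result = subprocess.run(
        ["oc", "-n", "openshift-kube-apiserver-operator", "get", "secret",
         "kube-apiserver-to-kubelet-signer", "-o", "json"],
        check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in fetch_secret_json()
    # on a real cluster.
    not_after = parse_not_after(SAMPLE_SECRET_JSON)
    now = datetime.now(timezone.utc)
    planned_end = now + timedelta(days=14)
    print(f"signer expires {not_after.isoformat()} "
          f"({days_remaining(not_after, now):.1f} days from now)")
    print(f"14-day shutdown from now: {shutdown_risk(not_after, now, planned_end)}")
```

      Run it as-is to see the classification for the constructed sample; on a cluster, replace SAMPLE_SECRET_JSON with fetch_secret_json(). The classification only reflects the signer's expiry date; it says nothing about whether a paused MCP would block the rotation, which is the very point this bug asks to remove from the 4.14+ documentation.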

              ocp-docs-bot OCP DocsBot
              rhn-support-shishika Shinri Ishikawa