# RELEASE_IMAGE=<release_image> (1)
- Documentation
- OpenShift Container Platform
- Backup and restore
- Disaster recovery
- Recovering from expired control plane certificates history
Soon, all Red Hat OpenShift documentation will only be available on docs.redhat.com, the official location of all Red Hat product documentation. Get familiar with the updated experience today!
- About
- Release notes
- Architecture
- Installing
- Installing on AWS
- Configuring an AWS account
- Manually creating IAM
- Installing a cluster quickly on AWS
- Installing a cluster on AWS with customizations
- Installing a cluster on AWS with network customizations
- Installing a cluster on AWS into an existing VPC
- Installing a private cluster on AWS
- Installing a cluster on AWS using CloudFormation templates
- Installing a cluster on AWS in a restricted network
- Uninstalling a cluster on AWS
- Installing on Azure
- Configuring an Azure account
- Manually creating IAM
- Installing a cluster quickly on Azure
- Installing a cluster on Azure with customizations
- Installing a cluster on Azure with network customizations
- Installing a cluster on Azure into an existing VNet
- Installing a private cluster on Azure
- Installing a cluster on Azure using ARM templates
- Uninstalling a cluster on Azure
- Installing on GCP
- Configuring a GCP project
- Manually creating IAM
- Installing a cluster quickly on GCP
- Installing a cluster on GCP with customizations
- Installing a cluster on GCP with network customizations
- Installing a cluster on GCP into an existing VPC
- Installing a private cluster on GCP
- Installing a cluster on GCP using Deployment Manager templates
- Restricted network GCP installation
- Uninstalling a cluster on GCP
- Installing on bare metal
- Installing on IBM Z and LinuxONE
- Installing on IBM Power
- Installing on OpenStack
- Installing on vSphere
- Gathering installation logs
- Support for FIPS cryptography
- Installation configuration
- Installing on AWS
- Updating clusters
- Support
- Web console
- Authentication
- Understanding authentication
- Certificate types and descriptions
- Configuring the internal OAuth server
- Understanding identity provider configuration
- Configuring identity providers
- Configuring an HTPasswd identity provider
- Configuring a Keystone identity provider
- Configuring an LDAP identity provider
- Configuring a basic authentication identity provider
- Configuring a request header identity provider
- Configuring a GitHub or GitHub Enterprise identity provider
- Configuring a GitLab identity provider
- Configuring a Google identity provider
- Configuring an OpenID Connect identity provider
- Configuring certificates
- Using RBAC to define and apply permissions
- Removing the kubeadmin user
- Configuring the user agent
- Understanding and creating service accounts
- Using service accounts in applications
- Using a service account as an OAuth client
- Scoping tokens
- Managing Security Context Constraints
- Impersonating the system:admin user
- Syncing LDAP groups
- Allowing JavaScript-based access to the API server from additional hosts
- Encrypting etcd data
- Networking
- Understanding networking
- Accessing hosts
- Understanding the Cluster Network Operator (CNO)
- Understanding the DNS Operator
- Understanding the Ingress Operator
- Network policy
- Multiple networks
- Understanding multiple networks
- Attaching a Pod to an additional network
- Removing a Pod from an additional network
- Configuring a bridge network
- Configuring a macvlan network
- Configuring an ipvlan network
- Configuring a host-device network
- Editing an additional network
- Removing an additional network
- Configuring PTP
- Hardware networks
- OpenShift SDN default CNI network provider
- Configuring Routes
- Configuring ingress cluster traffic
- Configuring the cluster-wide proxy
- Configuring a custom PKI
- Storage
- Understanding ephemeral storage
- Understanding persistent storage
- Configuring persistent storage
- Persistent storage using Amazon EFS
- Persistent storage using AWS Elastic Block Store
- Persistent storage using Azure Disk
- Persistent storage using Azure File
- Persistent storage using Cinder
- Persistent storage using Container Storage Interface (CSI)
- Persistent storage using Fibre Channel
- Persistent storage using FlexVolume
- Persistent storage using GCE Persistent Disk
- Persistent storage using hostPath
- Persistent Storage using iSCSI
- Persistent storage using local volumes
- Persistent storage using NFS
- Persistent storage using Red Hat OpenShift Container Storage
- Persistent storage using VMware vSphere
- Expanding persistent volumes
- Dynamic provisioning
- Registry
- Operators
- Understanding Operators
- Understanding the Operator Lifecycle Manager (OLM)
- Understanding the OperatorHub
- Adding Operators to a cluster
- Configuring proxy support
- Deleting Operators from a cluster
- Creating applications from installed Operators
- Viewing Operator status
- Creating policy for Operator installations and upgrades
- Using OLM on restricted networks
- CRDs
- Operator SDK
- Builds
- Understanding image builds
- Understanding build configurations
- Creating build inputs
- Managing build output
- Using build strategies
- Custom image builds with Buildah
- Performing basic builds
- Triggering and modifying builds
- Performing advanced builds
- Using Red Hat subscriptions in builds
- Securing builds by strategy
- Build configuration resources
- Troubleshooting builds
- Setting up additional trusted certificate authorities for builds
- Creating and using ConfigMaps
- Images
- Applications
- Machine management
- Nodes
- Working with pods
- Controlling pod placement onto nodes (scheduling)
- About pod placement using the scheduler
- Configuring the default scheduler to control pod placement
- Placing pods relative to other pods using pod affinity and anti-affinity rules
- Controlling pod placement on nodes using node affinity rules
- Placing pods onto overcommited nodes
- Controlling pod placement using node taints
- Placing pods on specific nodes using node selectors
- Using Jobs and DaemonSets
- Working with nodes
- Viewing and listing the nodes in your cluster
- Working with nodes
- Managing Nodes
- Managing the maximum number of Pods per Node
- Using the Node Tuning Operator
- Understanding node rebooting
- Freeing node resources using garbage collection
- Allocating resources for nodes
- Viewing node audit logs
- Machine Config Daemon metrics
- Working with containers
- Using containers
- Using Init Containers to perform tasks before a pod is deployed
- Using volumes to persist container data
- Mapping volumes using projected volumes
- Allowing containers to consume API objects
- Copying files to or from a container
- Executing remote commands in a container
- Using port forwarding to access applications in a container
- Using sysctls in containers
- Working with clusters
- Logging
- About cluster logging
- About deploying cluster logging
- Deploying cluster logging
- Updating cluster logging
- Viewing cluster logs
- Viewing cluster logs using Kibana
- Configuring your cluster logging deployment
- About configuring cluster logging
- Changing cluster logging management state
- Configuring cluster logging
- Configuring Elasticsearch
- Configuring Kibana
- Configuring Curator
- Configuring the logging collector
- Collecting and storing Kubernetes events
- Using tolerations to control cluster logging pod placement
- Forward logs to third party systems
- Configuring systemd-journald for cluster logging
- Viewing Elasticsearch status
- Viewing cluster logging status
- Moving the cluster logging resources with node selectors
- Manually rolling out Elasticsearch
- Troubleshooting Kibana
- Exported fields
- Uninstalling cluster logging
- Monitoring
- Metering
- Scalability and performance
- Recommended installation practices
- Recommended host practices
- Recommended cluster scaling practices
- Using the Node Tuning Operator
- Using Cluster Loader
- Using CPU Manager
- Using Topology Manager
- Scaling the Cluster Monitoring Operator
- Planning your environment according to object maximums
- Optimizing storage
- Optimizing routing
- What huge pages do and how they are consumed by apps
- Backup and restore
- Migration
- Migrating from OpenShift Container Platform 3
- About migrating from OpenShift Container Platform 3 to 4
- Planning your migration from OpenShift Container Platform 3 to 4
- Migration tools and prerequisites
- Deploying the Cluster Application Migration tool
- Configuring a replication repository
- Migrating applications with the CAM web console
- Migrating control plane settings with the Control Plane Migration Assistant
- Troubleshooting
- Migrating from OpenShift Container Platform 4.1
- Migrating from OpenShift Container Platform 4.2 and later
- Migrating from OpenShift Container Platform 3
- CLI tools
- OpenShift CLI (oc)
- OpenShift Do developer CLI (odo)
- Understanding odo
- odo architecture
- Installing odo
- Using odo in a restricted environment
- Creating a single-component application with odo
- Creating a multicomponent application with odo
- Creating an application with a database
- Using sample applications
- Debugging applications in odo
- Managing environment variables in odo
- Configuring the odo CLI
- odo CLI reference
- odo release notes
- Helm CLI
- Knative CLI (kn) for use with OpenShift Serverless
- OpenShift REST APIs
- Service Mesh
- Service Mesh 1.x
- Service Mesh 1.x release notes
- Service Mesh architecture
- Service Mesh and Istio differences
- Preparing to install Service Mesh
- Installing Service Mesh
- Customizing the installation
- Deploying applications on Service Mesh
- Data visualization and observability
- Security
- Traffic management
- Using the 3scale Istio adapter
- Service Mesh 1.x
- Jaeger
- Container-native virtualization
- About container-native virtualization
- Container-native virtualization release notes
- Container-native virtualization installation
- Upgrading container-native virtualization
- Using the CLI tools
- Virtual machines
- Creating virtual machines
- Editing virtual machines
- Deleting virtual machines
- Controlling virtual machines states
- Accessing virtual machine consoles
- Installing VirtIO driver on an existing Windows virtual machine
- Installing VirtIO driver on a new Windows virtual machine
- Advanced virtual machine management
- Importing virtual machines
- Cloning virtual machines
- Virtual machine networking
- Virtual machine disks
- Configuring local storage for virtual machines
- Uploading local disk images by using the virtctl tool
- Uploading a local disk image to a block storage DataVolume
- Moving a local virtual machine disk to a different node
- Expanding virtual storage by adding blank disk images
- Storage defaults for DataVolumes
- Preparing CDI scratch space
- Virtual machine templates
- Live migration
- Node maintenance
- Logging, events, and monitoring
- Serverless applications
×
Recovering from expired control plane certificates
Recovering from expired control plane certificates
Follow this procedure to recover from a situation where your control plane certificates have expired.
Prerequisites
-
SSH access to master hosts.
Procedure
-
Access a master host with an expired certificate as the root user.
-
Obtain the
cluster-kube-apiserver-operatorimage reference for a release.1 An example value for <release_image>isquay.io/openshift-release-dev/ocp-release:4.3.0-x86_64. See the Repository Tags page for a list of available tags.# KAO_IMAGE=$( oc adm release info --registry-config='/var/lib/kubelet/config.json' "${RELEASE_IMAGE}" --image-for=cluster-kube-apiserver-operator ) -
Pull the
cluster-kube-apiserver-operatorimage.# podman pull --authfile=/var/lib/kubelet/config.json "${KAO_IMAGE}" -
Create a recovery API server.
# podman run -it --network=host -v /etc/kubernetes/:/etc/kubernetes/:Z --entrypoint=/usr/bin/cluster-kube-apiserver-operator "${KAO_IMAGE}" recovery-apiserver create -
Run the
export KUBECONFIGcommand from the output of the above command, which is needed for theoccommands later in this procedure.# export KUBECONFIG=/<path_to_recovery_kubeconfig>/admin.kubeconfig
-
Wait for the recovery API server to come up.
# until oc get namespace kube-system 2>/dev/null 1>&2; do echo 'Waiting for recovery apiserver to come up.'; sleep 1; done
-
Run the
regenerate-certificatescommand. It fixes the certificates in the API, overwrites the old certificates on the local drive, and restarts static Pods to pick them up.# podman run -it --network=host -v /etc/kubernetes/:/etc/kubernetes/:Z --entrypoint=/usr/bin/cluster-kube-apiserver-operator "${KAO_IMAGE}" regenerate-certificates -
After the certificates are fixed in the API, use the following commands to force new rollouts for the control plane. It will reinstall itself on the other nodes because the kubelet is connected to API servers using an internal load balancer.
# oc patch kubeapiserver cluster -p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date --rfc-3339=ns )"'"}}' --type=merge# oc patch kubecontrollermanager cluster -p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date --rfc-3339=ns )"'"}}' --type=merge# oc patch kubescheduler cluster -p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date --rfc-3339=ns )"'"}}' --type=merge -
Create a bootstrap kubeconfig with a valid user.
-
Run the
recover-kubeconfig.shscript and save the output to a file calledkubeconfig.# recover-kubeconfig.sh > kubeconfig
-
Copy the
kubeconfigfile to all master hosts and move it to/etc/kubernetes/kubeconfig. -
Get the CA certificate used to validate connections from the API server.
# oc get configmap kube-apiserver-to-kubelet-client-ca -n openshift-kube-apiserver-operator --template='{{ index .data "ca-bundle.crt" }}' > /etc/kubernetes/kubelet-ca.crt -
Copy the
/etc/kubernetes/kubelet-ca.crtfile to all other master hosts and nodes. -
Add the
machine-config-daemon-forcefile to all master hosts and nodes to force the Machine Config Daemon to accept this certificate update.# touch /run/machine-config-daemon-force
-
-
Recover the kubelet on all masters.
-
On a master host, stop the kubelet.
# systemctl stop kubelet
-
Delete stale kubelet data.
# rm -rf /var/lib/kubelet/pki /var/lib/kubelet/kubeconfig
-
Restart the kubelet.
# systemctl start kubelet
-
Repeat these steps on all other master hosts.
-
-
If necessary, recover the kubelet on the worker nodes.
After the master nodes are restored, the worker nodes might restore themselves. You can verify this by running the
oc get nodescommand. If the worker nodes are not listed, then perform the following steps on each worker node.-
Stop the kubelet.
# systemctl stop kubelet
-
Delete stale kubelet data.
# rm -rf /var/lib/kubelet/pki /var/lib/kubelet/kubeconfig
-
Restart the kubelet.
# systemctl start kubelet
-
-
Approve the pending
node-bootstrappercertificates signing requests (CSRs).-
Get the list of current CSRs.
# oc get csr
-
Review the details of a CSR to verify it is valid.
# oc describe csr <csr_name> (1)
1 <csr_name>is the name of a CSR from the list of current CSRs. -
Approve each valid CSR.
# oc adm certificate approve <csr_name>
Be sure to approve all pending
node-bootstrapperCSRs.
-
-
Destroy the recovery API server because it is no longer needed.
# podman run -it --network=host -v /etc/kubernetes/:/etc/kubernetes/:Z --entrypoint=/usr/bin/cluster-kube-apiserver-operator "${KAO_IMAGE}" recovery-apiserver destroyWait for the control plane to restart and pick up the new certificates. This might take up to 10 minutes.