Recovering from expired control plane certificates

The cluster can automatically recover from expired control plane certificates.

However, you must manually approve the pending node-bootstrapper certificate signing requests (CSRs) to recover kubelet certificates. For user-provisioned installations, you might also need to approve pending kubelet serving CSRs.

Use the following steps to approve the pending CSRs:

  1. Get the list of current CSRs:

    $ oc get csr
    Example output
    NAME        AGE    SIGNERNAME                                    REQUESTOR                                                                   CONDITION
    csr-2s94x   8m3s                 system:node:<node_name>                                                     Pending (1)
    csr-4bd6t   8m3s                 system:node:<node_name>                                                     Pending (1)
    csr-4hl85   13m   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending (2)
    csr-zhhhp   3m8s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending (2)
    1 A pending kubelet service CSR (for user-provisioned installations).
    2 A pending node-bootstrapper CSR.
  2. Review the details of a CSR to verify that it is valid:

    $ oc describe csr <csr_name> (1)
    1 <csr_name> is the name of a CSR from the list of current CSRs.
  3. Approve each valid node-bootstrapper CSR:

    $ oc adm certificate approve <csr_name>
  4. For user-provisioned installations, approve each valid kubelet serving CSR:

    $ oc adm certificate approve <csr_name>