This document describes periodic maintenance that is required for your Google Distributed Cloud clusters.
Rotate certificate authorities
The certificate authorities (CAs) in a cluster are valid for ten years, so you must rotate your CAs at least once every ten years.
Certificates for cluster components
Cluster components use certificates for authentication. These components
include kube-apiserver
, kube-controller-manager
, kube-scheduler
, etcd
and kubelet
. The certificates are valid for one year and are renewed during
cluster upgrade. To prevent the certificates from
expiring, you must upgrade your cluster at least once a year.
If the cluster certificates have expired, they must be renewed manually. For more information, see Certificate expiration.