Rotate your cluster credentials

This page explains how to perform a credential rotation in Google Kubernetes Engine (GKE) clusters running version 1.16.10-gke.8 and later.

Overview

You can perform a credential rotation to revoke and issue new credentials for your cluster. This rotates the cluster root Certificate Authority (CA) private key, and all certificates and private keys signed by that CA, including the cluster client certificate (from the MasterAuth API field), the key and certificate for the API server, and the kubelet client certificates. For more information on how these credentials are used by your cluster, refer to Cluster trust.

We recommend that you rotate your credentials regularly to reduce credential lifetime and further secure your GKE cluster.

In addition to rotating credentials, credential rotation also performs an IP rotation.

Before you begin

Before you start, make sure you have performed the following tasks:

  • Ensure that you have enabled the Google Kubernetes Engine API.
  • Enable Google Kubernetes Engine API
  • Ensure that you have installed the Cloud SDK.
  • Set up default gcloud command-line tool settings for your project by using one of the following methods:
    • Use gcloud init, if you want to be walked through setting project defaults.
    • Use gcloud config, to individually set your project ID, zone, and region.

    gcloud init

    1. Run gcloud init and follow the directions:

      gcloud init

      If you are using SSH on a remote server, use the --console-only flag to prevent the command from launching a browser:

      gcloud init --console-only
    2. Follow the instructions to authorize the gcloud tool to use your Google Cloud account.
    3. Create a new configuration or select an existing one.
    4. Choose a Google Cloud project.
    5. Choose a default Compute Engine zone.
    6. Choose a default Compute Engine region.

    gcloud config

    1. Set your default project ID:
      gcloud config set project PROJECT_ID
    2. Set your default Compute Engine region (for example, us-central1):
      gcloud config set compute/region COMPUTE_REGION
    3. Set your default Compute Engine zone (for example, us-central1-c):
      gcloud config set compute/zone COMPUTE_ZONE
    4. Update gcloud to the latest version:
      gcloud components update

    By setting default locations, you can avoid errors in gcloud tool like the following: One of [--zone, --region] must be supplied: Please specify location.

Check credential lifetime

We recommend that you check your credential lifetime before and after you perform a credential rotation so that you know the validity of your cluster root CA.

To check your credential lifetime, run the following command:

gcloud container clusters describe CLUSTER_NAME \
    --format "value(masterAuth.clusterCaCertificate)" \
    | base64 --decode \
    | openssl x509 -text \
    | grep Validity -A 2

The output is similar to the following:

        Validity
            Not Before: Nov  1 22:59:44 2021 GMT
            Not After : Oct 25 23:59:44 2051 GMT

Perform a credential rotation

Credential rotation involves the following steps:

  1. Start the rotation: the control plane starts serving on a new IP address in addition to the original IP address. New credentials are issued to workloads and the control plane.
  2. Update API clients: after starting the rotation, update any cluster API clients, such as development machines using kubectl, to communicate with the control plane using the new IP address.
  3. Complete the rotation: the control plane stops serving traffic over the original IP address. Old credentials are revoked.

Start the rotation

To start a credential rotation, run the following command:

gcloud container clusters update CLUSTER_NAME \
    --start-credential-rotation

This command creates new credentials, issues these credentials to the control plane, and configures the control plane to serve on two IP addresses: the original IP and a new IP.

After the control plane has been reconfigured, GKE automatically updates your cluster's nodes to use the new IP and credentials. Each node pool is marked for recreation. GKE does not finish the credential rotation until the automatic recreation is complete.

If you use maintenance windows, your nodes are not recreated until a maintenance window occurs. You can manually recreate all nodes by running the gcloud container clusters upgrade command and passing the --cluster-version flag with the same GKE version that the node pool is already running. For more information, see caveats for maintenance windows.

Inspect the rotation

  1. To monitor the rotation operation, run the following command:

    gcloud container operations list \
        --filter="operationType=UPGRADE_NODES AND status=RUNNING" \
        --format="value(name)"
    

    This command returns the operation ID of the node upgrade operation.

  2. To poll the operation, pass the operation ID to the following command:

    gcloud container operations wait OPERATION_ID
    

Node pools are recreated one-by-one, and each has its own operation. If you have multiple node pools, you can use the above instructions to poll each operation.

Update API clients

After starting the credential rotation, you must update all API clients outside the cluster (such as kubectl on developer machines) to use the new credentials and point to the new IP address of the control plane.

To update your API clients, run the following command for each client:

gcloud container clusters get-credentials CLUSTER_NAME

Complete the rotation

After updating API clients outside the cluster, complete the rotation to configure the control plane to serve only with the new credentials and the new IP address:

gcloud container clusters update CLUSTER_NAME \
    --complete-credential-rotation

What's next