LambdaStack Certificates

PKI certificates management

TLS certificates in a cluster

It's possible to regenerate Kubernetes control plane certificates with LambdaStack. To do so, additional configuration should be specified.

kind: configuration/kubernetes-master
title: "Kubernetes Control Plane Config"
name: default
provider: <provider>
      expiration_days: <int>
      renew: true

Parameters (optional):

  1. expiration_days - days to expire in, default value is 365
  2. renew - whether to renew certificates or not, default value is false


Usage of values greater than 24855 for expiration_days is not possible. For more information see discussion about that.

When lscly apply executes, if renew option is set to true, following certificates will be renewed with expiration period defined by expiration_days:

  1. admin.conf
  2. apiserver
  3. apiserver-etcd-client
  4. apiserver-kubelet-client
  5. controller-manager.conf
  6. etcd-healthcheck-client
  7. etcd-peer
  8. etcd-server
  9. front-proxy-client
  10. scheduler.conf


kubelet.conf is not renewed because kubelet is configured for automatic certificate renewal. To verify that, navigate to /var/lib/kubelet/ and check config.yaml file, where rotateCertificates setting is true by default.

CA certificates rotation

This part cannot be done by LambdaStack. Refer to official Kubernetes documentation to perform this task.


  1. Best practices
  2. Certificates management by kubeadm
  3. Kubernetes the hard way
  4. Certificates generation with cfssl