TLS certificates in kubeconfig generated by Kubernetes Managed services come with a 15-year validity:
    $ cat kubeconfig.yml | awk '/client-certificate-data/ {print $2}' | base64 -d | openssl x509 -inform pem -noout -text | head
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 42 (0x2a)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=ezdml7
            Validity
                Not Before: Aug 29 11:50:37 2024 GMT
                Not After : Aug 26 11:51:37 2039 GMT
            Subject: CN=kubernetes-admin, O=system:masters
For reference, the kubeadm default is 1 year.
This goes against best practices, as periodically rotating certificates is necessary for security reasons.
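To run the same check across every user entry in a kubeconfig without depending on the openssl CLI, here is an added example (not part of the original post) that reads the validity period straight from the certificate's DER encoding and flags lifetimes above a threshold. The function names and the 365-day `MAX_DAYS` threshold are assumptions chosen for illustration.

```python
import base64, re, sys
from datetime import datetime, timezone

MAX_DAYS = 365  # assumed policy threshold (the kubeadm default cited above)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:  # two-digit year, RFC 5280 pivot: >= 50 means 19xx
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):
    """Return (not_before, not_after) of a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(der, 0)    # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)  # tbsCertificate SEQUENCE
    # Skip [0] version (absent in v1), serialNumber, signature, issuer.
    for _ in range(4 if der[pos] == 0xA0 else 3):
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)  # Validity SEQUENCE
    t1, s1, e1 = _tlv(der, pos)
    t2, s2, e2 = _tlv(der, e1)
    return _time(t1, der[s1:e1]), _time(t2, der[s2:e2])

def audit(kubeconfig_text, max_days=MAX_DAYS):
    """Return (lifetime_days, not_after, too_long) per client-certificate-data entry."""
    results = []
    for b64 in re.findall(r"client-certificate-data:\s*(\S+)", kubeconfig_text):
        pem = base64.b64decode(b64).decode("ascii")
        # First certificate only; b64decode ignores the embedded newlines.
        block = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S)
        not_before, not_after = validity(base64.b64decode(block.group(1)))
        days = (not_after - not_before).days
        results.append((days, not_after, days > max_days))
    return results

if __name__ == "__main__":
    for days, not_after, too_long in audit(open(sys.argv[1]).read()):
        flag = "TOO LONG" if too_long else "ok"
        print(f"{days:>6} days, expires {not_after:%Y-%m-%d}  {flag}")
```

Run it as `python3 audit_kubeconfig.py kubeconfig.yml` (the script filename is a placeholder); for the certificate shown above it reports a lifetime of 5475 days.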