This document describes periodic maintenance that is required for your
Google Distributed Cloud clusters.
Rotate certificate authorities
The certificate authorities (CAs) in a cluster are valid for ten years, so you
must rotate your CAs at least once every ten years.
Certificates for cluster components
Cluster components use certificates for authentication. These components
include kube-apiserver, kube-controller-manager, kube-scheduler, etcd
and kubelet. The certificates are valid for one year and are renewed during
cluster upgrade. To prevent the certificates from
expiring, you must upgrade your cluster at least once a year.
If the cluster certificates have expired, they must be renewed manually. For
more information, see Certificate expiration.

Last updated 2025-09-02 UTC.
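One way to watch these validity windows between upgrades is to classify each certificate's expiry date against a warning threshold. This is an added example, not Google's tooling: the labels, dates, "now" value and the 60-day threshold are constructed assumptions, and the input format assumes `openssl x509 -enddate -noout` output prefixed with a label.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample input: "<label> notAfter=<date>", i.e. the output of
# `openssl x509 -enddate -noout` prefixed with a label. Labels and dates are
# made up for illustration; "cluster-ca" is a hypothetical name.
SAMPLE = """\
cluster-ca notAfter=Mar 10 08:00:00 2034 GMT
kube-apiserver notAfter=Apr  1 08:00:00 2025 GMT
etcd notAfter=Feb 20 08:00:00 2025 GMT
kubelet notAfter=Jan  5 08:00:00 2025 GMT
"""


def parse_enddates(text):
    """Yield (label, expiry as an aware UTC datetime) for each enddate line."""
    for line in text.splitlines():
        label, sep, stamp = line.strip().partition(" notAfter=")
        if not sep:
            continue  # skip lines that are not enddate output
        seconds = ssl.cert_time_to_seconds(stamp)
        yield label, datetime.fromtimestamp(seconds, tz=timezone.utc)


def classify(text, now, warn_days=60):
    """Return {label: (status, whole days left)}.

    EXPIRED: renewal is now manual. WARN: schedule the upgrade (or CA
    rotation) that renews the certificate. OK: outside the warning window.
    """
    report = {}
    for label, expires in parse_enddates(text):
        days_left = (expires - now).days
        if expires <= now:
            status = "EXPIRED"
        elif days_left < warn_days:
            status = "WARN"
        else:
            status = "OK"
        report[label] = (status, days_left)
    return report


if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible.
    fixed_now = datetime(2025, 1, 15, 8, 0, 0, tzinfo=timezone.utc)
    for label, (status, days) in classify(SAMPLE, fixed_now).items():
        print(f"{status:8}{label:16}{days:6} days")
```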