Question 18
Domain 5: Troubleshooting
Which set of kubectl/kubeadm commands is used to check expiring control-plane certificates, renew them with kubeadm, verify the renewal, and ensure the API server reloads the new certificates?
Correct answer: A
Explanation
`kubeadm certs check-expiration` is the command used to inspect control-plane certificate lifetimes, and `kubeadm certs renew all` renews the certificates managed by kubeadm. After renewal, running `kubeadm certs check-expiration` again verifies the new dates, and restarting the kube-apiserver static pod forces the API server to load the updated certificates.
Why each option is right or wrong
A. Use `kubeadm certs check-expiration`, then `kubeadm certs renew all`, verify with `kubeadm certs check-expiration` again, and restart the kube-apiserver static pod or control plane components so they use the renewed certificates.
`kubeadm certs check-expiration` is the documented kubeadm subcommand for listing control-plane certificate expiry dates, and `kubeadm certs renew all` renews all certificates managed by kubeadm under `/etc/kubernetes/pki`. After renewal, the same expiration check should show the updated validity periods, and because the API server runs as a static pod managed by the kubelet, it must be restarted so it reopens the renewed cert files and serves with the new certificates.
B. Use `kubectl get csr` to inspect expiry, then `kubectl certificate approve all`, and finally restart only the kubelet on the control-plane node to rotate the API server certificates.
C. Use `kubeadm token create --print-join-command` to refresh cluster credentials, then run `kubectl rollout restart deployment/kube-apiserver` to apply the new certificates.
D. Use `openssl x509 -noout -enddate` on the client machine, then delete `/etc/kubernetes/pki`, and let the API server automatically recreate certificates on the next request.