Version 1.16. This version is no longer supported. For information about how to upgrade to version 1.28, see Upgrade clusters in the latest documentation. For more information about supported and unsupported versions, see the Versioning page in the latest documentation.
This document describes periodic maintenance that is required for your
Google Distributed Cloud clusters.
Rotate certificate authorities
The certificate authorities (CAs) in a cluster are valid for five years, so you
must
rotate your CAs
at least once every five years.
Certificates for cluster components
Cluster components use certificates for authentication. These components
include kube-apiserver, kube-controller-manager, kube-scheduler, etcd
and kubelet. The certificates are valid for one year and are renewed during
cluster upgrade. To prevent the certificates from
expiring, you must upgrade your cluster at least once a year.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-03-05 UTC."],[[["Google Distributed Cloud cluster certificate authorities (CAs) need to be rotated at least once every five years because of their five-year validity."],["Certificates for cluster components like `kube-apiserver` and `etcd` are valid for one year and are renewed during cluster upgrades."],["Clusters must be upgraded at least once a year to prevent the cluster component certificates from expiring."],["Expired cluster certificates must be renewed manually, following specific instructions provided in the documentation."]]],[]]
