Kubernetes PKI and Certificate Management

Your cluster stops responding one morning. kubectl get nodes returns Unable to connect to the server: x509: certificate has expired or is not yet valid. The on-call page fires. You SSH into the control plane node and stare at /etc/kubernetes/pki/ with its 22 files and three subdirectories. Which certificate expired? How do you renew it without breaking the cluster further?

Certificate management sits squarely in the CKA Cluster Architecture domain (25%). The exam tests your ability to inspect, renew, and troubleshoot cluster certificates under time pressure. In production, expired certificates are one of the most common causes of total cluster outage, and they always seem to expire at 3 AM.