
The `rke2 certificate check` command does not check the kube-controller-manager and kube-scheduler certificates in Rancher-provisioned RKE2 cluster

This document (000021676) is provided subject to the disclaimer at the end of this document.

Environment

  • Rancher v2.7+
  • A Rancher-provisioned RKE2 cluster

Situation

When the `rke2 certificate check` command is run on a server node in a Rancher-provisioned RKE2 cluster, the output contains no entries for the kube-controller-manager and kube-scheduler certificates (the ones under the kube-controller-manager/ and kube-scheduler/ directories listed in the Cause section below) that the same command reports for a standalone RKE2 cluster:

$ rke2 certificate check
INFO[0000] Server detected, checking agent and server certificates
INFO[0000] Checking certificates for kube-proxy
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-proxy.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for kubelet
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=system:node:test-rancheragent-rke2-all-0,O=system:nodes is ok, expires at 2026-02-07T09:50:10Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=test-rancheragent-rke2-all-0 is ok, expires at 2026-02-07T09:50:09Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-server-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for rke2-controller
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-controller.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for api-server
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=system:apiserver,O=system:masters is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=kube-apiserver is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=rke2-server-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for cloud-controller
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-cloud-controller-manager is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for scheduler
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=system:kube-scheduler is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for supervisor
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=system:rke2-supervisor,O=system:masters is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for admin
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=system:admin,O=system:masters is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for auth-proxy
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=system:auth-proxy is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=rke2-request-header-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for controller-manager
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=system:kube-controller-manager is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for etcd
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-client is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-server-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z

Resolution

For Rancher-provisioned RKE2 clusters, the cluster certificates should be managed and rotated by Rancher rather than with the rke2 command directly. Documentation on rotating certificates for Rancher-provisioned RKE2 clusters can be found at https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/manage-clusters/rotate-certificates

Cause

In a Rancher-provisioned RKE2 cluster, there are two new certificates (each with its private key) that are not managed by RKE2 itself:

  • /var/lib/rancher/rke2/server/tls/kube-scheduler/
      • kube-scheduler.key
      • kube-scheduler.crt
  • /var/lib/rancher/rke2/server/tls/kube-controller-manager/
      • kube-controller-manager.crt
      • kube-controller-manager.key

These certificates are not created or managed by the RKE2 supervisor process. Instead, Rancher adds custom kube-controller-manager and kube-scheduler arguments that instruct those two components to create self-signed certificates at these locations, which is why `rke2 certificate check` does not report on them.
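As an added example (not part of this SUSE article, and not code from RKE2 or Rancher), the following POSIX shell script checks the expiry of those two Rancher-managed certificates with openssl, since `rke2 certificate check` does not cover them. It assumes the default RKE2 data directory (override with RKE2_TLS_DIR) and that openssl is installed on the node; the `make_test_cert` and `demo` functions are assumptions added for illustration and create constructed self-signed certificates in a temporary directory so the script can be tried without a cluster.

```shell
#!/bin/sh
# Added example, not code from the SUSE article, RKE2 or Rancher.
# Reports on the two self-signed certificates that Rancher's extra
# kube-controller-manager / kube-scheduler args create on a server node
# and that `rke2 certificate check` does not report on.
# Assumption: default RKE2 data dir; override with RKE2_TLS_DIR.

RKE2_TLS_DIR="${RKE2_TLS_DIR:-/var/lib/rancher/rke2/server/tls}"

# The two certificate files named in the article, relative to the tls dir.
RANCHER_MANAGED_CERTS="kube-scheduler/kube-scheduler.crt kube-controller-manager/kube-controller-manager.crt"

# Returns 0 if the cert in $1 is still valid $2 days from now, 1 if it
# expires sooner (or already has), 2 if the file is missing or unreadable.
# Only the validity period is checked: these certs are self-signed, so
# there is no CA chain to verify.
cert_valid_for_days() {
    crt="$1"; days="$2"
    [ -r "$crt" ] || return 2
    openssl x509 -in "$crt" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1
}

# Prints the notAfter date of the cert in $1 for the human-readable report.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Checks every Rancher-managed cert under $1 against a warning threshold of
# $2 days. Prints one line per cert and returns the number of certs that are
# missing or expire within the threshold (0 means everything is fine).
check_rancher_managed_certs() {
    base="$1"; warn_days="$2"; bad=0
    for rel in $RANCHER_MANAGED_CERTS; do
        crt="$base/$rel"
        rc=0
        cert_valid_for_days "$crt" "$warn_days" || rc=$?
        case "$rc" in
            0) echo "OK       $crt expires $(cert_not_after "$crt")" ;;
            1) echo "WARN     $crt expires $(cert_not_after "$crt") (within ${warn_days}d)"
               bad=$((bad + 1)) ;;
            *) echo "MISSING  $crt"
               bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Test helper (constructed data, not a real cluster file): writes a
# self-signed cert at $1 valid for $2 days with CN=$3, key beside it.
make_test_cert() {
    mkdir -p "$(dirname "$1")"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.crt}.key" \
        -out "$1" -days "$2" -subj "/CN=$3" >/dev/null 2>&1
}

# Runs the check against two constructed certs: one healthy, one about
# to expire. Exit status is the number of certs needing attention (1 here).
demo() {
    tmp=$(mktemp -d)
    make_test_cert "$tmp/kube-scheduler/kube-scheduler.crt" 365 kube-scheduler
    make_test_cert "$tmp/kube-controller-manager/kube-controller-manager.crt" 5 kube-controller-manager
    rc=0
    check_rancher_managed_certs "$tmp" 30 || rc=$?
    echo "certs needing attention: $rc"
    rm -rf "$tmp"
    return "$rc"
}

case "${1:-}" in
    --demo)  demo ;;
    --check) check_rancher_managed_certs "$RKE2_TLS_DIR" "${2:-30}" ;;
esac
```

Run it with `--check [warn_days]` on a Rancher-provisioned RKE2 server node (the default warning threshold is 30 days), or with `--demo` to see the OK/WARN output against the constructed certificates. A non-zero exit status from `--check` means at least one of the two certificates is missing or close to expiry, which makes the script easy to wire into a cron job or monitoring check alongside `rke2 certificate check`.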

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.