The rke2 and k3s certificate check command does not check the kube-controller-manager and kube-scheduler certificates in Rancher-provisioned clusters, prior to May 2025 releases

Article Number: 000021676

Environment

  • Rancher v2.7+
  • A Rancher-provisioned RKE2 cluster < v1.30.13+rke2r1, v1.31.9+rke2r1, v1.32.5+rke2r1, or v1.33.1+rke2r1; or a Rancher-provisioned K3s cluster < v1.30.13+k3s1, v1.31.9+k3s1, v1.32.5+k3s1, or v1.33.1+k3s1

Situation

When the `rke2 certificate check` or `k3s certificate check` command is run on a server node in a Rancher-provisioned cluster, for an RKE2 or K3s version released prior to May 2025, output is missing for both the kube-controller-manager and kube-scheduler certificates, when compared with the output for a standalone cluster:

$ rke2 certificate check
INFO[0000] Server detected, checking agent and server certificates
INFO[0000] Checking certificates for kube-proxy
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-proxy.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for kubelet
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=system:node:test-rancheragent-rke2-all-0,O=system:nodes is ok, expires at 2026-02-07T09:50:10Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=test-rancheragent-rke2-all-0 is ok, expires at 2026-02-07T09:50:09Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-server-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for rke2-controller
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-controller.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for api-server
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=system:apiserver,O=system:masters is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=kube-apiserver is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=rke2-server-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for cloud-controller
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-cloud-controller-manager is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for scheduler
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=system:kube-scheduler is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for supervisor
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=system:rke2-supervisor,O=system:masters is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for admin
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=system:admin,O=system:masters is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for auth-proxy
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=system:auth-proxy is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=rke2-request-header-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for controller-manager
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=system:kube-controller-manager is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=rke2-client-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] Checking certificates for etcd
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-client is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-server-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer is ok, expires at 2026-02-07T09:41:47Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer-ca@1738921307 is ok, expires at 2035-02-05T09:41:47Z

Cause

In earlier RKE2 and K3s releases, per the versions in the Environment section, the certificates for the kube-scheduler and kube-controller-manager components were not generated by the RKE2/K3s supervisor process, but were auto-generated by the components themselves. In Rancher-provisioned clusters, these certificates were generated in component-specific subdirectories within the rke2 server tls directory, per the `--cert-dir` argument passed to the kube-scheduler and kube-controller-manager. These directories were not included in the checks performed by the `rke2 certificate check` and `k3s certificate check` commands. This behaviour was changed in the May 2025 releases. In these releases and later, the RKE2/K3s supervisor process generates the kube-scheduler and kube-controller-manager certificates within these subdirectories, and they are included in the certificate check commands.
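
On an affected version, the gap can be inspected by hand. The script below is an added example, not part of the original article or of RKE2/K3s: it lists every .crt file under the server tls directory, subdirectories included, that saved `certificate check` output never names, then prints each one's subject and expiry with openssl. The function names, the `WARN_DAYS` variable and its 30-day default are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Finds certificates on disk that saved `certificate check`
# output never mentions, and reports their expiry with openssl.

# stdin: `rke2 certificate check` / `k3s certificate check` output.
# stdout: the unique certificate paths that output reports on.
covered_certs() {
  sed -n 's#^[^/]*\(/[^ ]*\.crt\): certificate .*#\1#p' | sort -u
}

# $1: server tls directory, $2: file holding the saved check output.
# stdout: every *.crt below $1 (subdirectories included) absent from $2.
uncovered_certs() {
  covered=$(mktemp)
  covered_certs < "$2" > "$covered"
  find "$1" -type f -name '*.crt' | sort | grep -vxF -f "$covered" || true
  rm -f "$covered"
}

# Print subject and notAfter for each uncovered certificate and flag any
# that expire within WARN_DAYS (assumed default for this example: 30).
report_uncovered() {
  warn_secs=$(( ${WARN_DAYS:-30} * 86400 ))
  uncovered_certs "$1" "$2" | while IFS= read -r crt; do
    echo "== $crt"
    if ! openssl x509 -in "$crt" -noout -subject -enddate; then
      echo "could not be parsed as an X.509 certificate"
      continue
    fi
    openssl x509 -in "$crt" -noout -checkend "$warn_secs" >/dev/null ||
      echo "WARNING: expires within ${WARN_DAYS:-30} days"
  done
}

# Usage on a server node (tls path as shown in the output above):
#   rke2 certificate check > /tmp/check.log 2>&1
#   sh uncovered-certs.sh /var/lib/rancher/rke2/server/tls /tmp/check.log
if [ "$#" -eq 2 ]; then
  report_uncovered "$1" "$2"
fi
```

The list covers any .crt file the command does not name individually, so review each entry rather than assuming all of them belong to the kube-scheduler or kube-controller-manager.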

Resolution

Upgrade the RKE2 or K3s cluster to a May 2025 release or later, per the versions in the Environment section above.