Version 1.15. This version is no longer supported. For information about how to upgrade to version 1.16, see Upgrade clusters in the latest documentation. For more information about supported and unsupported versions, see the Version history page in the latest documentation.
This document describes periodic maintenance that is required for your
Google Distributed Cloud clusters.
Rotate certificate authorities
The certificate authorities (CAs) in a cluster are valid for five years, so you
must rotate your CAs at least once every five years.
Certificates for cluster components
Cluster components use certificates for authentication. These components
include kube-apiserver, kube-controller-manager, kube-scheduler, etcd and
kubelet. The certificates are valid for one year and are renewed during
cluster upgrade. To prevent the certificates from
expiring, you must upgrade your cluster at least once a year.
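One way to spot certificates that are approaching expiry before the yearly upgrade is due, as an added example (not taken from the Google Distributed Cloud documentation). It assumes the openssl CLI is installed and that you pass the directory holding the PEM certificates yourself; the function names and the 60-day default window are illustrative choices.

```shell
#!/bin/sh
# Added example: flag PEM certificates that expire within a warning window.

# cert_status FILE DAYS -> prints OK, EXPIRING, EXPIRED or UNREADABLE
cert_status() {
    cert=$1
    days=$2
    # Skip anything that is not a parseable X.509 certificate (e.g. a key file).
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo UNREADABLE
        return
    fi
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# audit_certs DIR [DAYS] -> one report line per *.crt / *.pem file.
# Returns 1 if any certificate is expired or inside the warning window.
audit_certs() {
    dir=$1
    days=${2:-60}
    rc=0
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$f" ] || continue
        status=$(cert_status "$f" "$days")
        [ "$status" = UNREADABLE ] && continue
        end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
        printf '%-9s %s (notAfter: %s)\n' "$status" "$f" "$end"
        [ "$status" = OK ] || rc=1
    done
    return $rc
}
```

Source the file and run `audit_certs <certificate-directory> 60` on a node; a non-zero return means at least one certificate needs attention.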
If the cluster certificates have expired, they must be renewed manually. For more
information, see Certificate expiration.
Last updated 2025-09-04 UTC.