I am creating all the certs by myself, the reason behind that is

1. The kubernetes cluster we use might not be updated every year, so we need certificates with longer expiry. Our applications doesn't support random docker restart and we are not accepting the kubeadm phase command to regenerate the certificates and restart the docker. Hence we created all the certificates with 5 years of expiry and provided it to kubeadm and it is working fine. Now, we don't have to worry about our certificate expiry every year.

2. No kubeadm doesn't provide the auto rotate facility of certificates, this is the reason we needed longer expiry of certificates in the first place.

Hope this helps.

1. No major advantage. kubeadm does the same: generate self-signed certs. The only mini advantage is that you could add some custom values in the CSR, such as a City, Organization, etc.

2. Not really.

   • There's a kubelet certificate rotation flag --rotate-certificates that needs to be enabled.

   • There's also the certificate rotation from the masters and kubeadm can help with that with these commands:

     mkdir /etc/kubernetes/pkibak
     mv /etc/kubernetes/pki/* /etc/kubernetes/pkibak
     rm /etc/kubernetes/pki/*
     kubeadm init phase certs all --apiserver-advertise-address=0.0.0.0 --apiserver-cert-extra-sans=x.x.x.x,x.x.x.x
     systemctl restart docker
     

If you'd like to regenerate the admin.conf file, you can also use kubeadm:

$ kubeadm init phase kubeconfig admin \
  --cert-dir /etc/kubernetes/pki \
  --kubeconfig-dir /tmp/.