Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 8. Responsive restarts and security certificates
MicroShift automatically restarts when system configuration changes are detected. These changes include IP address updates, clock adjustments, and security certificate expiration.
8.1. IP address changes or clock adjustments
MicroShift depends on device IP addresses and system-wide clock settings to remain consistent during its runtime. However, these settings might occasionally change on edge devices.
For example, DHCP or Network Time Protocol (NTP) updates can change times. When these changes occur, some MicroShift components might stop functioning properly. To mitigate this situation, MicroShift monitors the IP address and system time and restarts if either setting changes.
The threshold for a clock-driven restart is a time change of greater than 10 seconds in either direction. Small drifts during regular NTP service adjustments do not trigger a restart.
8.2. Security certificate lifetime
MicroShift certificates are digital certificates that secure communication with communication protocols such as HTTPS. They fall into two basic categories:
- Short-lived certificates
- Valid for one year. Most server or leaf certificates are short-lived.
- Long-lived certificates
-
Valid for 10 years. For example, the client certificate for
system:adminuser authentication, or thekube-apiserverexternal serving certificate signer.
MicroShift restarts automatically depending on certificate age.
8.3. Certificate rotation
Certificates that are expired or close to their expiration dates must be rotated to ensure continued MicroShift operation. Certificate rotation can occur automatically.
When MicroShift restarts for any reason, certificates that are close to expiring are rotated. A certificate that expires soon, or has already expired, can also cause an automatic MicroShift restart to perform a rotation.
If the rotated certificate is a MicroShift certificate authority (CA), all signed certificates are also rotated. If you created custom CAs, you must rotate them manually.
8.3.1. Short-term-certificate rotation
Short-term certificates that are expired or close to their expiration dates must be rotated to ensure continued MicroShift operation.
The following situations describe MicroShift actions during short-term-certificate lifetime:
- No rotation
- When a short-term certificate is up to 5 months old, no rotation occurs.
- Rotation at restart
- When a short-term certificate is 5 to 8 months old, it is rotated when MicroShift starts or restarts.
- Automatic restart for rotation
- When a short-term certificate is more than 8 months old, MicroShift can automatically restart to rotate and apply a new certificate.
8.3.2. Long-term-certificate rotation
Long-term certificates that are expired or close to their expiration dates must be rotated to ensure continued MicroShift operation.
The following situations describe MicroShift actions during long-term certificate lifetime:
- No rotation
- When a long-term certificate is up to 8.5 years old, no rotation occurs.
- Rotation at restart
- When a long-term certificate is 8.5 to 9 years old, it is rotated when MicroShift starts or restarts.
- Automatic restart for rotation
- When a long-term certificate is more than 9 years old, MicroShift might automatically restart so that it can rotate and apply a new certificate.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}