Remove rotate_tokens logic

kubeadm never rotates sa.key/sa.pub, so there is no need to delete tokens/restart pods Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
2025-12-14 13:54:37 +03:00 · 2021-03-03 17:16:23 -05:00
parent 280036fad6
commit 8800b5c01d
7 changed files with 0 additions and 109 deletions
--- a/docs/upgrades.md
+++ b/docs/upgrades.md
@@ -289,20 +289,6 @@ follows:
 * kube-apiserver, kube-scheduler, and kube-controller-manager
 * Add-ons (such as KubeDNS)

-## Upgrade considerations
-
-Kubespray supports rotating certificates used for etcd and Kubernetes
-components, but some manual steps may be required. If you have a pod that
-requires use of a service token and is deployed in a namespace other than
-`kube-system`, you will need to manually delete the affected pods after
-rotating certificates. This is because all service account tokens are dependent
-on the apiserver token that is used to generate them. When the certificate
-rotates, all service account tokens must be rotated as well. During the
-kubernetes-apps/rotate_tokens role, only pods in kube-system are destroyed and
-recreated. All other invalidated service account tokens are cleaned up
-automatically, but other pods are not deleted out of an abundance of caution
-for impact to user deployed pods.
-
 ### Component-based upgrades

 A deployer may want to upgrade specific components in order to minimize risk