The worker node is failing to join the cluster or report as "Not Ready" as kubelet certificate is expired.
Article ID: 439464
Updated On:
Products
VMware Tanzu Kubernetes Grid Management
Issue/Introduction
- The target worker node exhibits a "NotReady" status when querying the cluster.
- The local kubelet service is failing to start.
kubelet.log
Apr 22 06:36:50 : E0422 06:36:50.124735 293510 bootstrap.go:266] part of the existing bootstrap client certificate in /etc/kubernetes/kubelet.conf is expired: 2026-02-10 06:47:54 +0000 UTC
Apr 22 06:36:50 : E0422 06:36:50.124765 293510 run.go:74] "command failed" err="failed to run Kubelet: unable to load bootstrap kubeconfig: stat /etc/kubernetes/bootstrap-kubelet.conf: no such file or directory"
Apr 22 06:36:50 kubelet.service: Main process exited, code=exited, status=1/FAILURE
Environment
TKGM 2.5.x
Cause
The existing /etc/kubernetes/kubelet.conf on the worker node is invalid, expired, or missing, preventing the kubelet from successfully authenticating with the Control Plane API server.
Resolution
- On a Control Plane node, generate a new configuration for the target worker node: kubeadm init phase kubeconfig
kubelet --node-name <target-worker-node-name> --kubeconfig-dir /tmp/ - Transfer the newly generated /tmp/kubelet.conf to the target worker node.
- On the worker node, backup the existing configuration and replace it with the new file:
cp /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.bakmv /tmp/kubelet.conf /etc/kubernetes/kubelet.conf - Reload the systemd daemon and restart the kubelet service:
systemctl daemon-reload systemctl restart kubelet - Verify the node has returned to a "Ready" state:
kubectl get nodes <target-worker-node-name>
Feedback
Yes
No
Powered by
