Kubernetes API-server certificate expired client

Good afternoon.

The Kubernetes api-server has the metric apiserver_client_certificate_expiration_seconds_bucket: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go#L34-L66.

It tells you that there are clients in the Kubernetes cluster that are accessing the api-server with a certificate. Based on this metric, there are a few alerts on the Internet:

However, it is impossible to tell from this metric who is accessing the api-server with a certificate that will soon expire. The only way to find such clients is to wait for the certificate to expire and then find the clients that receive a 403 response code in the api-server logs at high verbosity.

Is there any way to find these clients before their certificate expires? Usually these are kubectl or kubelet configs and sometimes you have to guess where you forgot to update your client certificate. Is there a metric for that?

Cluster information:

Kubernetes version: 1.16.6
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: ubuntu 18.04
CNI and version: Flannel 0.11.0
CRI and version: docker://18.9.7
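
For the kubectl and kubelet configs the question mentions, the embedded client certificates can be read and checked before they expire. The Go sketch below is an added example, not part of the original post and not Kubernetes code: it handles only inline `client-certificate-data` entries (configs that point to a file with `client-certificate` are not covered), and `userEntry` with its sample names is constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

var certData = regexp.MustCompile(`(?m)^\s*client-certificate-data:\s*(\S+)\s*$`)

// ExpiringClientCerts maps subject CN to NotAfter for each embedded client certificate that expires before now+within.
func ExpiringClientCerts(kubeconfig []byte, now time.Time, within time.Duration) (map[string]time.Time, error) {
	out := map[string]time.Time{}
	for _, m := range certData.FindAllSubmatch(kubeconfig, -1) {
		raw, _ := base64.StdEncoding.DecodeString(string(m[1])) // bad base64 fails the PEM check below
		block, _ := pem.Decode(raw)
		if block == nil {
			return nil, fmt.Errorf("client-certificate-data is not base64-encoded PEM")
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if cert.NotAfter.Before(now.Add(within)) { // already expired certificates are reported too
			out[cert.Subject.CommonName] = cert.NotAfter
		}
	}
	return out, nil
}

// userEntry builds one constructed kubeconfig user entry around a throwaway self-signed certificate (sample data only).
func userEntry(cn string, notAfter time.Time) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	return "- name: " + cn + "\n  user:\n    client-certificate-data: " + base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})) + "\n"
}

func main() {
	now, day := time.Now(), 24*time.Hour
	cfg := "users:\n" + userEntry("system:node:worker-1", now.Add(10*day)) + userEntry("kubernetes-admin", now.Add(300*day))
	fmt.Println(ExpiringClientCerts([]byte(cfg), now, 30*day))
}
```

Run against each kubeconfig collected from nodes and workstations, this lists the client identities (certificate CN) whose certificates fall inside the chosen window.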