diff --git a/content/runbooks/kubernetes/KubeletServerCertificateExpiration.md b/content/runbooks/kubernetes/KubeletServerCertificateExpiration.md index dfde43c..e546b84 100644 --- a/content/runbooks/kubernetes/KubeletServerCertificateExpiration.md +++ b/content/runbooks/kubernetes/KubeletServerCertificateExpiration.md @@ -17,11 +17,9 @@ Server certificate for Kubelet on node expires soon or already expired. Check when certificate was issued and when it expires. -## Mitigation - -Update certificates in the cluster control nodes and the worker nodes. -Refer to the documentation of the tool used to create cluster. +Check the pending csr with `kubectl get csr` -Another option is to delete node if it affects only one, +## Mitigation +If there's any csr regarding to the node, verify the csr manually, approve the csr with command `kubectl certificate approve ` -In extreme situations recreate cluster. +Please notice that server certificate is not automatically approved for security reason, see [document](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#certificate-rotation) for detail.
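Review bot: In the added line under `## Mitigation`, the command `kubectl certificate approve ` ends without the CSR name, so the step cannot be followed as written; add a placeholder for the name taken from the `kubectl get csr` output. The same line says to "verify the csr manually" but does not say what to verify. Since the last added line explains that these requests are deliberately not auto-approved, the runbook should list the checks an operator makes before approving, for example that the requester and the names in the request belong to the affected node, and say to leave the CSR unapproved when they do not match. The hunk also removes every earlier fallback (updating certificates with the cluster tool, deleting the node, recreating the cluster), which leaves no guidance for the case where `kubectl get csr` shows nothing pending for the node; consider keeping one of them or stating what to do then. Minor: add a blank line after the `## Mitigation` heading, and replace the link text "document" with a descriptive title.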