From 1a8572089e98b445eac4b01edf326f69317c81e1 Mon Sep 17 00:00:00 2001 From: Leo Q Date: Tue, 13 Feb 2024 23:36:30 +0800 Subject: [PATCH] Add detailed instruction for KubeletServerCertificateExpiration And the reference document uri --- .../kubernetes/KubeletServerCertificateExpiration.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/content/runbooks/kubernetes/KubeletServerCertificateExpiration.md b/content/runbooks/kubernetes/KubeletServerCertificateExpiration.md index dfde43c..e546b84 100644 --- a/content/runbooks/kubernetes/KubeletServerCertificateExpiration.md +++ b/content/runbooks/kubernetes/KubeletServerCertificateExpiration.md @@ -17,11 +17,9 @@ Server certificate for Kubelet on node expires soon or already expired. Check when certificate was issued and when it expires. -## Mitigation - -Update certificates in the cluster control nodes and the worker nodes. -Refer to the documentation of the tool used to create cluster. +Check the pending csr with `kubectl get csr` -Another option is to delete node if it affects only one, +## Mitigation +If there's any csr regarding to the node, verify the csr manually, approve the csr with command `kubectl certificate approve ` -In extreme situations recreate cluster. +Please notice that server certificate is not automatically approved for security reason, see [document](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#certificate-rotation) for detail.
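Review bot: In the new Mitigation text, "verify the csr manually" does not say what to verify, and the command `kubectl certificate approve ` ends without a CSR name. Approving a kubelet serving CSR issues a certificate that clients will trust as that node, so the runbook should list the checks: inspect the request with `kubectl describe csr` or `kubectl get csr -o yaml`, then confirm that the signer is `kubernetes.io/kubelet-serving`, that the requestor is `system:node:<nodeName>` in the `system:nodes` group, that the usages are limited to server auth (optionally with digital signature and key encipherment), and that the IP and DNS subjectAltNames belong to the alerting node. Add an explicit placeholder for the CSR name to the approve command, written so the Markdown renderer does not drop it. Separately, the patch deletes all of the previous mitigation options, which leaves no guidance when `kubectl get csr` shows no pending request for the node (for example, when serving certificate rotation is not enabled). Consider keeping "Refer to the documentation of the tool used to create cluster." as the fallback for that case. Wording nits: "regarding to the node" should be "for the node", and "for security reason" should be "for security reasons".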