Prometheus false positive alerts


Below is KubeClientCertificateExpiration prometheus alert.

:fire: [FIRING:1] KubeClientCertificateExpiration

Cluster: production-uks-aks

Description: A client certificate used to authenticate to kubernetes apiserver is expiring in less than 24.0 hours.Details:

• endpoint: https

• instance: <server-ip>

• job: apiserver

• namespace: default

• prometheus: service/prometheus-prometheus

• service: kubernetes

• severity: critical```

Looking for clarification on below items.

1. When KubeClientCertificateExpiration alert will trigger.

2. In alert "Description" mentions `client certificate`, could you please confirm which client certificate this is referring to (i.e., is client certificate referring to certificates which are installed locally and used to access Kubernetes cluster. If so why/how prometheus is tracing such client certificates).

Could any one share reference documentation related KubeClientCertificateExpiration. Found one docs related to same here:, But excepting more information. Awaits your response.

Karthik Thatipati