Unable to Start or Upgrade AKS Cluster (v1.22) Due to Expired Certificates

Mostafa Kianpour 0 Reputation points
2025-05-28T06:36:47.13+00:00

We have an AKS cluster that was stopped and unused for an extended period (approximately 1–2 years). The cluster is running Kubernetes version 1.22, which is now deprecated. After recently attempting to start the cluster again, we are encountering errors indicating that the certificates have expired, and as a result:

  • We cannot start the cluster, so:
    • We cannot access the Kubernetes API server (e.g., kubectl does not work),
    • We cannot rotate the certificates, since it is not started,
    • We cannot upgrade the Kubernetes version via the Azure Portal or CLI because the cluster is unresponsive.

We would need support to recover our AKS cluster.

Azure Kubernetes Service (AKS)

1 answer

  1. Mounika Reddy Anumandla 5,815 Reputation points Microsoft External Staff Moderator
    2025-05-28T07:46:19.2966667+00:00

    Hi Mostafa Kianpour,

    I understand your situation. Kubernetes 1.22 is deprecated and no longer supported by AKS. AFAIK, AKS cluster control plane certificates (like the kube-apiserver) expire after 1 year. Because AKS is a managed service, you do not have direct access to the control plane to fix certs manually.

    AKS retired v1.22.x in the December 2022 release. The recommendation is to upgrade your clusters.

    See the release calendar and end of life for each version: https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli#aks-kubernetes-release-calendar

    AKS follows 12 months of support for a GA Kubernetes version. To read more about our support policy for Kubernetes versioning, please read our FAQ. This FAQ covers everything related to AKS versions, unsupported or supported. Please go through it, as it would help since you are on an unsupported version (1.22).

    When you upgrade a supported AKS cluster, Kubernetes minor versions can't be skipped. Skipping multiple versions can only be done when upgrading from an unsupported version back to a supported version, which is the case with you. For example, an upgrade from an unsupported 1.10.x -> a supported 1.15.x can be completed if available. When performing an upgrade from an unsupported version that skips two or more minor versions, the upgrade is performed without any guarantee of functionality and is excluded from the service-level agreements and limited warranty. If your version is significantly out of date, it's recommended to re-create the cluster.

    Create a New AKS Cluster and Migrate

    This is the safest and most realistic path.

    Steps:

    1. Create a new AKS cluster with the latest supported Kubernetes version (e.g., 1.27 or later).
    2. Re-deploy your workloads: If you have GitOps / IaC (Terraform, ARM, Bicep) or Helm, this is straightforward. Otherwise, use backup manifests if available.
    3. Restore persistent data (if any): If you used Azure Disks / Files, you might still be able to attach snapshots to the new cluster.
    4. Switch DNS / traffic routing to the new cluster.

    Karishma has also explained here: https://learn.microsoft.com/en-us/answers/questions/1186329/cant-upgrade-azure-kubernetes-service-(aks)-from-v

    If you still need help, please tag me in the comments. Also, please provide me the details asked through private message!

    If the information is helpful, please click accept answer and "upvote" to let us know.

    1 person found this answer helpful.
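
The failure in this thread began with certificates expiring unnoticed on a stopped cluster. As an added example (not part of the original answer and not Microsoft's tooling), the shell functions below report the expiry of the certificates embedded in a kubeconfig; the function names and the 90-day default threshold are assumptions.

```bash
# Added example: report expiry of certificates embedded in a kubeconfig.
# certificate-authority-data / client-certificate-data are standard kubeconfig
# keys; the function names and the 90-day default threshold are assumptions.

# Print one line per embedded certificate: "<field> <status> <notAfter>".
# status is EXPIRED, EXPIRING (expires within $2 days) or OK.
kubeconfig_cert_report() {
  local kubeconfig="$1" warn_days="${2:-90}" field b64 pem end status
  pem="$(mktemp)"
  for field in certificate-authority-data client-certificate-data; do
    # A kubeconfig can hold several clusters and users; check every entry.
    grep -E "^[[:space:]]*${field}:" "$kubeconfig" | awk '{print $2}' |
    while read -r b64; do
      # Skip values that are not valid base64 or not an X.509 certificate.
      printf '%s' "$b64" | base64 -d > "$pem" 2>/dev/null || continue
      end="$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null)" || continue
      # -checkend N exits non-zero when the certificate expires within N seconds.
      if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        status=EXPIRED
      elif ! openssl x509 -in "$pem" -noout \
               -checkend "$((warn_days * 86400))" >/dev/null; then
        status=EXPIRING
      else
        status=OK
      fi
      echo "$field $status ${end#notAfter=}"
    done
  done
  rm -f "$pem"
}

# Succeeds only when no embedded certificate is expired or expiring.
# A kubeconfig with no embedded certificates also passes.
kubeconfig_certs_healthy() {
  ! kubeconfig_cert_report "$1" "${2:-90}" | grep -Eq ' (EXPIRED|EXPIRING) '
}
```

Point it at the file written by `az aks get-credentials`. A kubeconfig that authenticates through an exec plugin carries no `client-certificate-data`, so only the CA entry is reported for it.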