Rotate cluster certificates automatically
If I understand the rke release notes correctly, rke sets up the Kubernetes cluster with certificates that expire after one year. There is an rke command to rotate certificates, so perhaps we'd have to run that automatically from time to time. I'm not sure if that revokes access via the generated certificates via kubectl though; if so, that would mean that cert rotation would cut off kubectl access by the cluster administrator. This needs some investigation.