When Kubernetes clusters are built using kubeadm, there is a 5-year ticking time bomb on the self-signed CA for the cluster. The better-known 1-year expiry on the API certificates is easily repairable if missed. The 5-year CA is hard to rotate preemptively and disgustingly hard to rotate if you forget.