Edit the OpenShift master config file /etc/origin/master/master-config.yaml and enable terminated-pod-gc-threshold.

kubernetesMasterConfig:
  controllerArguments:
    terminated-pod-gc-threshold:
    - true

Enabling the “terminated-pod-gc-threshold” setting is optional.
Edit the OpenShift master config file /etc/origin/master/master-config.yaml and set use-service-account-credentials to true under the controllerArguments section.

kubernetesMasterConfig:
  controllerArguments:
    use-service-account-credentials:
    - true

Edit the OpenShift master config file /etc/origin/master/master-config.yaml and remove service-account-private-key-file.
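A check for the three controllerArguments edits above, as an added example (not part of the benchmark text or of OpenShift's tooling). It reads only the "flag:" / "- value" block layout shown on this page rather than general YAML; the function names, both sample configs and the placeholder key path are constructed for illustration.

```python
def controller_arguments(text):  # {flag: [values]} under kubernetesMasterConfig
    args, section, base, flag = {}, None, None, None
    for raw in text.splitlines():
        line, body = raw.rstrip(), raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(body)
        if base is None:  # still looking for the controllerArguments key
            if indent == 0:
                section = body
            elif section == "kubernetesMasterConfig:" and body == "controllerArguments:":
                base = indent
        elif body.startswith("- ") and flag is not None:
            args[flag].append(body[2:].strip().strip("'\""))
        elif indent > base and body.endswith(":"):
            flag = body[:-1]
            args[flag] = []
        else:  # dedent to a sibling key: the block is over
            break
    return args

def audit(text):  # remediation items from this page that the config fails
    args, findings = controller_arguments(text), []
    if [v.lower() for v in args.get("use-service-account-credentials", [])] != ["true"]:
        findings.append("use-service-account-credentials is not true under controllerArguments")
    if "service-account-private-key-file" in args:
        findings.append("service-account-private-key-file is still set")
    if "terminated-pod-gc-threshold" not in args:
        findings.append("terminated-pod-gc-threshold is not set (optional)")
    return findings

# Constructed samples. BEFORE has the credentials flag in the wrong section.
BEFORE = """\
kubernetesMasterConfig:
  apiServerArguments:
    use-service-account-credentials:
    - true
  controllerArguments:
    service-account-private-key-file:
    - /path/to/placeholder.key
"""
AFTER = """\
kubernetesMasterConfig:
  controllerArguments:
    terminated-pod-gc-threshold:
    - true
    use-service-account-credentials:
    - true
"""
print({"before": audit(BEFORE), "after": audit(AFTER)})
```

The BEFORE sample is reported on all three items because a flag placed outside controllerArguments is not counted; AFTER, which matches the settings shown above, returns no findings.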
Reset to OpenShift defaults. OpenShift starts kube-controller-manager with root-ca-file=/etc/origin/master/ca-bundle.crt by default. OpenShift Advanced Installation creates this certificate authority and its configuration; no additional configuration is required.
https://docs.openshift.com/container-platform/3.10/admin_guide/service_accounts.html
If you decide not to enable the RotateKubeletServerCertificate feature, be sure to use the Ansible playbooks provided with the OpenShift installer to automate re-deploying certificates.