Clock Skew Breaking TLS Certificate Validation
critical | security | Updated Feb 23, 2026
Time differences exceeding 5 minutes between the control plane and cluster nodes cause TLS validation failures, because a node with a skewed clock may incorrectly determine that certificates are expired or not yet valid.
How to detect:
Run 'linkerd check --pre' and watch for clock skew warnings. Linkerd versions edge-20.3.4+ allow a maximum difference of 5 minutes; older versions allow 1 minute. False positives occur if the node heartbeat interval exceeds the threshold.
Recommended action:
Synchronize system clocks across Kubernetes nodes using NTP. Upgrade to Linkerd edge-20.3.4+ if running Kubernetes 1.17+ to avoid false positives from increased node heartbeat intervals. Verify system clock consistency before ignoring errors.
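
The threshold behaviour described above, as an added example (not Linkerd's own code): it assumes the check compares each node's Ready-condition heartbeat time with the clock of the machine running the check. Node names, timestamps and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed to the fields used, in the shape of
# `kubectl get nodes -o json`. Node names and times are made up.
NODES_JSON = """
{"items": [
 {"metadata": {"name": "node-a"}, "status": {"conditions": [
   {"type": "Ready", "lastHeartbeatTime": "2026-02-23T10:00:20Z"}]}},
 {"metadata": {"name": "node-b"}, "status": {"conditions": [
   {"type": "Ready", "lastHeartbeatTime": "2026-02-23T09:57:00Z"}]}},
 {"metadata": {"name": "node-c"}, "status": {"conditions": [
   {"type": "Ready", "lastHeartbeatTime": "2026-02-23T10:12:30Z"}]}}
]}
"""
SAMPLE_NODES = json.loads(NODES_JSON)
# Constructed clock reading of the machine that runs the check.
NOW = datetime(2026, 2, 23, 10, 0, 30, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse a Kubernetes UTC timestamp such as 2026-02-23T10:00:20Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def heartbeat_offsets(nodes, now):
    """Map node name to (observer time - last Ready heartbeat)."""
    offsets = {}
    for item in nodes["items"]:
        for cond in item["status"].get("conditions", []):
            if cond["type"] == "Ready":
                name = item["metadata"]["name"]
                offsets[name] = now - parse_ts(cond["lastHeartbeatTime"])
    return offsets


def flagged_nodes(nodes, now, threshold_minutes):
    """Nodes whose heartbeat lies more than the threshold before or after now."""
    limit = timedelta(minutes=threshold_minutes)
    offsets = heartbeat_offsets(nodes, now)
    return sorted(n for n, off in offsets.items() if abs(off) > limit)


if __name__ == "__main__":
    for minutes in (1, 5):
        print(f"{minutes}-minute threshold:", flagged_nodes(SAMPLE_NODES, NOW, minutes))
```

node-b is flagged only under the 1-minute threshold because its heartbeat is 3.5 minutes old, which a longer heartbeat interval alone explains. node-c reports a heartbeat 12 minutes in the future, which only a clock difference explains, so it is flagged under both thresholds.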