Regarding the Kubelet certificate renewal, the documentation says:

Note: kubelet.conf is not included in the list above because kubeadm configures kubelet for automatic certificate renewal.

I've just run through the kubeadm upgrade process (from 1.14.2 to 1.15.0) and I don't see that my kubelet certificate was rotated (it still shows the old date, which expires in under 1 month from now, rather than a year out.)

Some extra guidance in the documentation regarding how to get this certificate rotated when managing by kubeadm would be of great help.

Since kubeadm alpha certs check-expiration doesn't include the kubelet, I'm using the following command to review the expiration: echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout | grep Not