MusicDin / kubitect

Kubitect provides a simple way to set up a highly available Kubernetes cluster across multiple hosts.

Home Page: https://kubitect.io


Enable 'auto_renew_certificates' in the kubespray config

seumasdunlop opened this issue

By default, the certificates created by kubespray are only renewed during an upgrade, and they are fixed to a one-year duration, so the cluster will stop working if it isn't kept on a current version. Ignoring the fact that upgrading is best practice, there are some situations where it's not practical, so kubespray has an auto_renew_certificates option that runs a scheduled task to upgrade the certificates.

Should this option be configurable within kubitect?

Very good point. I have not thought of such situations. So I think it cannot hurt to add a configurable option in the 'kubernetes.kubespray' section of the configuration.

I'll include this in the next release.