Enabling Network Time Security (NTS) NTP time synchronization in OpenShift 4 with chrony

Solution Unverified - Updated

Environment

  • OpenShift Container Platform 4

Issue

How to configure Secure NTP, also called Network Time Security (NTS) in OpenShift 4.

Resolution

The official documentation describes how to create a custom MachineConfig that modifies the chrony.conf configuration file of the chrony NTP daemon: Configuring chrony time service

To enable NTS, the content of chrony.conf needs to be changed in the MachineConfig, e.g. for a worker node:

variant: openshift
version: 4.13.0
metadata:
  name: 99-worker-chrony 
  labels:
    machineconfiguration.openshift.io/role: worker 
storage:
  files:
  - path: /etc/chrony.conf
    mode: 0644 
    overwrite: true
    contents:
      inline: |
        server time.example.com iburst nts # Added 'nts' to the line
        driftfile /var/lib/chrony/drift
        makestep 1.0 3
        rtcsync
        logdir /var/log/chrony
        ntsdumpdir /var/lib/chrony # Added 

You can change metadata.name and metadata.labels to match other node types, such as control-plane or infra nodes. If the NTS NTP/chronyd server uses a custom certificate, its CA and certificate chain need to be added to the trusted bundle of the cluster, following How to add an additional CA certificate to the trustedCA of the OpenShift Container Platform proxy in OpenShift Container Platform 4.x?

Here is the reference configuration of chrony in the official RHEL documentation:

For RHEL9 (OCP 4.13+) based RHCOS versions, check the RHEL9 chrony NTS docs version

For RHEL8 (OCP 4.12) based RHCOS versions, check the RHEL8 chrony NTS docs version

To confirm which RHEL version is used as the base for a given OCP/RHCOS version, check RHEL Versions Utilized by RHEL CoreOS and OCP

Root Cause

The cluster requires a secure time synchronization source that uses NTS as its protocol.

Diagnostic Steps

Verify that the NTS keys were successfully established (Mode shows NTS and the Cook column is non-zero):

$ oc debug node/<node>
[...]
sh-4.4# chroot /host bash

[root@<node> ~]# chronyc -N authdata

Name/IP address  Mode KeyID Type KLen Last Atmp  NAK Cook CLen
================================================================
time.example.com  NTS     1   15  256  33m    0    0    8  100
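One way to script the check above, as an added example that is not part of this Red Hat solution: a POSIX shell function that parses `chronyc -N authdata` output and reports every source that is not authenticated with NTS or has no cookies yet. The sample output it runs against is constructed, and the formatting of the non-NTS lines (Mode shown as `-`) is an assumption.

```shell
#!/bin/sh
# Added example, not from the Red Hat article. Reads the output of
# `chronyc -N authdata` on stdin and prints one line per source:
#   "<name> ok"            Mode is NTS, cookies present, no NAKs
#   "<name> FAIL <reason>" anything else
# Returns 0 if every source is ok, 1 otherwise.
check_nts_authdata() {
    awk '
        NR <= 2 { next }          # skip column header and ==== rule
        NF < 10 { next }          # ignore anything that is not a source row
        {
            name = $1; mode = $2; nak = $8; cook = $9
            if (mode != "NTS")  { print name " FAIL mode=" mode; bad = 1; next }
            if (cook + 0 == 0)  { print name " FAIL no-cookies";  bad = 1; next }
            if (nak + 0 > 0)    { print name " FAIL nak=" nak;    bad = 1; next }
            print name " ok"
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: one healthy NTS source, one source configured
# without the "nts" option (assumed to show "-" in the Mode column),
# and one NTS source whose key exchange has not produced cookies.
SAMPLE_AUTHDATA='Name/IP address  Mode KeyID Type KLen Last Atmp  NAK Cook CLen
================================================================
time.example.com  NTS     1   15  256  33m    0    0    8  100
ntp.example.org     -     0    0    0    -    0    0    0    0
nts2.example.net  NTS     0    0    0    -    2    1    0    0'

# Runs the check against the constructed sample; on a node you would
# run `chronyc -N authdata | check_nts_authdata` instead.
check_sample() {
    printf '%s\n' "$SAMPLE_AUTHDATA" | check_nts_authdata
}
```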

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.