The apiserver is currently configured to talk to the kubelet with a client cert written to a revisioned path (e.g. /etc/kubernetes/static-pod-resources/kube-apiserver-11/secrets/kubelet-client/tls.{crt,key}). This means that any change in the client cert requires a new revision and a restart of the apiserver. It should be possible for the client cert to instead be written to the cert path and have the apiserver dynamically reload the cert. This would eliminated the need for restarting the apiserver when the client cert changed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759