
So I've gone through the process of generating an RSA key, creating the YAML for a CSR, using kubectl to create a CSR in Minikube, and approving the certificate.

However, when I try to download the certificate using kubectl get csr my-csr -o jsonpath='{.status.certificate}' I'm getting an empty result.

When I do a kubectl get csr my-csr -o yaml to get more information, this is what I see:

status:
  conditions:
  - lastUpdateTime: "2020-01-17T20:17:20Z"
    message: This CSR was approved by kubectl certificate approve.
    reason: KubectlApprove
    type: Approved

I'm expecting a certificate attribute with a base64-encoded string which I will decode to obtain the certificate for client certificate validation. Can someone please tell me what I'm doing wrong?

For more context, I'm trying to follow the instructions in this tutorial.

BMW
Alex

5 Answers


I got a similar problem. When I check with the following command:

kubectl get svc

It seems that the status of the CSR is approved but not issued. Any idea how to fix it?

[Updated] I found the problem. It is because the kube-controller-manager was missing these options:

--cluster-signing-cert-file and --cluster-signing-key-file

Ricky Wong

In my case, I had a typo:

WithTypo: signerName: kubernetes.io/kube-apisever-client

WithoutTypo: signerName: kubernetes.io/kube-apiserver-client

and had the same result: the CSR was approved but the certificate was not issued. It was resolved after I corrected the typo.

TechDog
Jack Liu Shurui

Since CSRs are not namespaced, the command looks fine. I did the same to get the certificate; check that you provided the proper CSR name.

Secondly, if you didn't provide the name and try to get the details of all CSRs, you need to change the key path with an additional .items[*]:

kubectl get csr -o jsonpath='{.items[*].status.certificate}'

I have the feeling you missed the CSR name my-csr, or the name does not really match (typo?). Double-check it.

BMW

This error must come. From the docs:

Permitted subjects - organizations are exactly ["system:nodes"], common name starts with "system:node:".

So the solution is to add the subject O=system:nodes and append "system:node:" to your service name during cert generation.

For example: openssl req -new -key server.key -out server.csr -subj "/O=system:nodes/CN=system:node:colortokens-bgl.csp.svc" -config server.conf


Verify your controller manager config: the controller manager must be provided with the --cluster-signing-cert-file and --cluster-signing-key-file options in order to sign the CSR.

https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kube-controller-manager-configuration

Example:

apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
controllerManager:
  extraArgs:
    cluster-signing-cert-file: /etc/kubernetes/pki/ca.crt
    cluster-signing-key-file: /etc/kubernetes/pki/ca.key
Balaji P
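The answers above name three distinct reasons a CSR can show an Approved condition yet have no status.certificate: a misspelled signerName that no built-in signer picks up, a kube-controller-manager started without --cluster-signing-cert-file/--cluster-signing-key-file, and simply querying the wrong CSR name. As an added example (not from the question or any answer), this Python function takes the object that `kubectl get csr <name> -o json` returns and works through those cases in order; the sample CSR object is constructed, and the set of built-in signer names is the one documented for the CSR API.

```python
import difflib

# Built-in signerName values documented for the Kubernetes CSR API.
KNOWN_SIGNERS = (
    "kubernetes.io/kube-apiserver-client",
    "kubernetes.io/kube-apiserver-client-kubelet",
    "kubernetes.io/kubelet-serving",
    "kubernetes.io/legacy-unknown",
)


def diagnose_csr(csr: dict) -> str:
    """Explain why `kubectl get csr <name> -o jsonpath='{.status.certificate}'` is empty.

    `csr` is the parsed JSON of `kubectl get csr <name> -o json`.
    """
    status = csr.get("status", {})
    conditions = {c["type"]: c for c in status.get("conditions", [])}
    if status.get("certificate"):
        return "issued"
    if "Denied" in conditions:
        return "denied: " + conditions["Denied"].get("message", "")
    if "Failed" in conditions:
        return "failed: " + conditions["Failed"].get("message", "")
    if "Approved" not in conditions:
        return "pending: run `kubectl certificate approve <name>`"
    # Approved but not issued: the signer controller never picked it up.
    signer = csr.get("spec", {}).get("signerName", "")
    if signer and signer not in KNOWN_SIGNERS:
        # A one-character typo (e.g. "kube-apisever-client") is the classic cause.
        close = difflib.get_close_matches(signer, KNOWN_SIGNERS, n=1)
        hint = f" (did you mean {close[0]}?)" if close else ""
        return f"approved but no built-in signer handles {signer!r}{hint}"
    # Signer is known (or absent on clusters before signerName existed):
    # the built-in signer needs the controller manager's signing CA flags.
    return ("approved by a known signer but not issued: check that "
            "kube-controller-manager runs with --cluster-signing-cert-file "
            "and --cluster-signing-key-file")


# Constructed sample: Approved, no certificate, misspelled signerName.
SAMPLE_TYPO_CSR = {
    "spec": {"signerName": "kubernetes.io/kube-apisever-client"},
    "status": {"conditions": [{"type": "Approved", "reason": "KubectlApprove"}]},
}

if __name__ == "__main__":
    print(diagnose_csr(SAMPLE_TYPO_CSR))
```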