I encounter the same issue here: Approved Kubernetes CSR, but certificate not shown in status

No certificate was issued in `.status.certificate` even though the status is "Approved". This issue only occurs when I use `certificates.k8s.io/v1`; a certificate is issued when I use `certificates.k8s.io/v1beta1`. I have already tried adding `/O=system:nodes/CN=system:node:mypod.svc`, but still no certificate is issued. Here is a sample of my CSR.

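```bash
# Submit the CSR object; the heredoc lets the shell inline the
# base64-encoded PKCS#10 request from server.csr.
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: mypod.default
spec:
  groups:
  - system:authenticated
  - system:nodes
  request: $(cat server.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
```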
Yejin
  • What is your k8s version? `$ kubectl version --short`? – Kamol Hasan Feb 28 '22 at 09:49
  • Hi @KamolHasan, this is my k8s version. Client Version: v1.21.0 Server Version: v1.21.5-eks-bc4871b – Yejin Mar 01 '22 at 01:38
  • Did you try other possible solutions from the link you sent? – RadekW Mar 01 '22 at 14:07
  • Yes, I tried changing the CN of my certificate for both kubelet/serving and kube-api-client. The flag for certificate signing is something I haven't checked in the AWS console. But I am a bit skeptical that it was the cause, because I am getting a certificate when I use v1beta1; the issue only occurs using v1. I have filed a ticket with AWS for further assistance as of the moment. – Yejin Mar 02 '22 at 09:49
  • It seems to be an issue specific to EKS, as you can see in these issues on [GitLab](https://gitlab.com/ongresinc/stackgres/-/issues/1358) and [GitHub](https://github.com/aws/containers-roadmap/issues/1604). I replicated it on GKE `v1.21.6-gke.1503` and EKS `v1.21.5-eks-bc4871b`. On GKE this issue doesn't exist. The CSR is `Approved,Issued` there, and on EKS only `Approved`. – RadekW Mar 03 '22 at 12:08
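
Added example, not part of the original question or comments: a stdlib-only Python check that reproduces the `Approved` versus `Approved,Issued` distinction discussed above from `kubectl get csr -o json` output, and compares the requested usages with the set the upstream Kubernetes documentation lists for `kubernetes.io/kubelet-serving`. The sample JSON, the second CSR name, and the helper names `csr_state` and `diagnose` are constructed for illustration.

```python
import json

# Usages the upstream Kubernetes docs list for kubernetes.io/kubelet-serving
# (the three-usage form that applies to the v1.21 servers in this thread).
KUBELET_SERVING_USAGES = {"digital signature", "key encipherment", "server auth"}

# Constructed sample shaped like `kubectl get csr -o json`; not real cluster output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "mypod.default"},
   "spec": {"signerName": "kubernetes.io/kubelet-serving",
            "usages": ["digital signature", "key encipherment", "server auth"]},
   "status": {"conditions": [{"type": "Approved", "status": "True"}]}},
  {"metadata": {"name": "constructed-issued"},
   "spec": {"signerName": "kubernetes.io/kubelet-serving",
            "usages": ["digital signature", "key encipherment", "server auth"]},
   "status": {"conditions": [{"type": "Approved", "status": "True"}],
              "certificate": "Y29uc3RydWN0ZWQ="}}
]}
""")


def csr_state(csr):
    """Summarise conditions; ',Issued' only if .status.certificate is set."""
    status = csr.get("status") or {}
    types = {c.get("type") for c in status.get("conditions") or []}
    state = "Denied" if "Denied" in types else "Approved" if "Approved" in types else "Pending"
    if "Failed" in types:
        state += ",Failed"
    if status.get("certificate"):
        state += ",Issued"
    return state


def diagnose(csr):
    """Return findings that explain a missing certificate."""
    findings = []
    spec = csr.get("spec") or {}
    if csr_state(csr) == "Approved":
        findings.append("approved, but .status.certificate is empty")
    if (spec.get("signerName") == "kubernetes.io/kubelet-serving"
            and set(spec.get("usages") or []) != KUBELET_SERVING_USAGES):
        findings.append("usages differ from the kubelet-serving set")
    return findings


if __name__ == "__main__":
    for item in SAMPLE["items"]:
        print(item["metadata"]["name"], csr_state(item), diagnose(item))
```

To run it against a cluster, replace `SAMPLE` with the parsed output of `kubectl get csr -o json`.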

0 Answers