I’ve created a key, csr, and cert using this documentation: Certificate Signing Requests | Kubernetes.
My issue is that the csr was approved but a certificate was not issued:
Cluster information:
Kubernetes version: 1.19.2
Cloud being used: minikube
Installation method: minikube
Host OS: minikube on OSX
$ kubectl get certificatesigningrequests
NAME   AGE     SIGNERNAME                               REQUESTOR       CONDITION
ken    9m29s   kubernetes.io/kubelet-apiserver-client   minikube-user   Approved
According to the documentation the certificate should be at status.certificate but there is no such field. All I have for status is this:
status:
  conditions:
  - lastTransitionTime: "2021-01-01T14:47:42Z"
    lastUpdateTime: "2021-01-01T14:47:42Z"
    message: This CSR was approved by kubectl certificate approve.
    reason: KubectlApprove
    status: "True"
    type: Approved
I made sure to use ken for the CN, but I did not specify a group since the rolebinding is not cluster-wide.
2 Likes
I ran into this same issue – did you ever figure out the root cause?
Are you also on minikube?
I tried this with Minikube on Mac with the Docker driver. Seems to work fine to me.
The only thing I found related was that the flags --cluster-signing-cert-file and --cluster-signing-key-file might be missing from the kube-controller-manager.
Check the flags like this perhaps:
$ kubectl -n kube-system get pods kube-controller-manager-minikube -o jsonpath='{.spec.containers[0].command}' | jq
[
  "kube-controller-manager",
  "--allocate-node-cidrs=true",
  "--authentication-kubeconfig=/etc/kubernetes/controller-manager.conf",
  "--authorization-kubeconfig=/etc/kubernetes/controller-manager.conf",
  "--bind-address=127.0.0.1",
  "--client-ca-file=/var/lib/minikube/certs/ca.crt",
  "--cluster-cidr=10.244.0.0/16",
  "--cluster-name=mk",
  "--cluster-signing-cert-file=/var/lib/minikube/certs/ca.crt",
  "--cluster-signing-key-file=/var/lib/minikube/certs/ca.key",
  "--controllers=*,bootstrapsigner,tokencleaner",
  "--kubeconfig=/etc/kubernetes/controller-manager.conf",
  "--leader-elect=false",
  "--port=0",
  "--requestheader-client-ca-file=/var/lib/minikube/certs/front-proxy-ca.crt",
  "--root-ca-file=/var/lib/minikube/certs/ca.crt",
  "--service-account-private-key-file=/var/lib/minikube/certs/sa.key",
  "--service-cluster-ip-range=10.96.0.0/12",
  "--use-service-account-credentials=true"
]
I would also consider checking the logs as well:
$ kubectl -n kube-system logs kube-controller-manager-minikube
1 Like
Same issue here. My flavor is RKE on prem, k8s 1.24.9
Anyone figure this out?
In case it’ll help someone here in the future: Enable CSR signing on an RKE cluster so certificates are issued | Support | SUSE
In short, in the cluster.yml file, edit the section:
kube-controller: {}
and change it to:
kube-controller:
  extra_args:
    cluster-signing-cert-file: /etc/kubernetes/ssl/kube-ca.pem
    cluster-signing-key-file: /etc/kubernetes/ssl/kube-ca-key.pem
Run rke up again, and it should work.
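Added example, not part of any post in this thread and not code from Kubernetes, minikube or RKE: a Python check for the cause discussed above (signing flags missing from kube-controller-manager), extended to also look at the CSR's conditions and signerName. The built-in signer list comes from the Kubernetes CSR documentation; the function names, the sample CSR and the flag-less command line are constructed for illustration.

```python
# Added example: why does an approved CSR have no status.certificate?
# Built-in signer names per the Kubernetes CSR documentation (not this thread).
BUILTIN_SIGNERS = {
    "kubernetes.io/kube-apiserver-client",
    "kubernetes.io/kube-apiserver-client-kubelet",
    "kubernetes.io/kubelet-serving",
    "kubernetes.io/legacy-unknown",
}
SIGNING_FLAGS = ("--cluster-signing-cert-file", "--cluster-signing-key-file")


def diagnose(csr, kcm_command):
    """Return reasons a CSR has no status.certificate ([] if none found)."""
    status = csr.get("status", {})
    if status.get("certificate"):
        return []  # issued: field holds the base64-encoded PEM certificate
    conds = {c["type"] for c in status.get("conditions", [])
             if c.get("status", "True") == "True"}
    if "Approved" not in conds:
        return ["CSR is not approved; signers only act on approved requests"]
    findings = [f"CSR has condition {t}" for t in ("Denied", "Failed") if t in conds]
    signer = csr.get("spec", {}).get("signerName", "")
    if signer not in BUILTIN_SIGNERS:
        # kube-controller-manager ignores other names; a custom signer must issue.
        return findings + [f"signerName {signer} is not a built-in signer"]
    flags = dict(a.partition("=")[::2] for a in kcm_command if a.startswith("--"))
    return findings + [f"kube-controller-manager has no {f}"
                       for f in SIGNING_FLAGS if not flags.get(f)]


def sample_csr(signer):
    """Constructed CSR shaped like `kubectl get csr ken -o json` output."""
    return {"metadata": {"name": "ken"}, "spec": {"signerName": signer},
            "status": {"conditions": [{"type": "Approved", "status": "True",
                                       "reason": "KubectlApprove"}]}}


# Flags as posted in the thread (minikube), and a constructed command without them.
KCM_WITH_FLAGS = ["kube-controller-manager",
                  "--cluster-signing-cert-file=/var/lib/minikube/certs/ca.crt",
                  "--cluster-signing-key-file=/var/lib/minikube/certs/ca.key"]
KCM_NO_FLAGS = ["kube-controller-manager", "--leader-elect=false"]

if __name__ == "__main__":
    for signer in ("kubernetes.io/kubelet-apiserver-client",  # from the question
                   "kubernetes.io/kube-apiserver-client"):
        for kcm in (KCM_WITH_FLAGS, KCM_NO_FLAGS):
            print(signer, diagnose(sample_csr(signer), kcm) or "no obvious cause; check logs")
```

On a live cluster, the inputs are the parsed output of `kubectl get csr <name> -o json` and the command array printed by the jsonpath query shown earlier in the thread.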