Certificate Signing Request Approved but Certificate not issued

I’ve created a key, CSR, and cert using this documentation: Certificate Signing Requests | Kubernetes.

My issue is that the CSR was approved but a certificate was not issued:

Cluster information:

Kubernetes version: 1.19.2
Cloud being used: minikube
Installation method: minikube
Host OS: minikube on OSX

$ kubectl get certificatesigningrequests
NAME   AGE     SIGNERNAME                               REQUESTOR       CONDITION
ken    9m29s   kubernetes.io/kubelet-apiserver-client   minikube-user   Approved

According to the documentation the certificate should be at status.certificate but there is no such field. All I have for status is this:

status:
  conditions:
  - lastTransitionTime: "2021-01-01T14:47:42Z"
    lastUpdateTime: "2021-01-01T14:47:42Z"
    message: This CSR was approved by kubectl certificate approve.
    reason: KubectlApprove
    status: "True"
    type: Approved

I made sure to use ken for the CN, but I did not specify a group since the rolebinding is not cluster-wide.


I ran into this same issue – did you ever figure out the root cause?

Are you also on minikube?

Yes, I’m using minikube

I tried this with Minikube on Mac with the Docker driver. Seems to work fine for me.

The only thing I found related was that the flags --cluster-signing-cert-file and --cluster-signing-key-file might be missing from the kube-controller-manager.

Check the flags like this perhaps:

$ kubectl -n kube-system get pods kube-controller-manager-minikube -o jsonpath='{.spec.containers[0].command}' | jq
[
  "kube-controller-manager",
  "--allocate-node-cidrs=true",
  "--authentication-kubeconfig=/etc/kubernetes/controller-manager.conf",
  "--authorization-kubeconfig=/etc/kubernetes/controller-manager.conf",
  "--bind-address=127.0.0.1",
  "--client-ca-file=/var/lib/minikube/certs/ca.crt",
  "--cluster-cidr=10.244.0.0/16",
  "--cluster-name=mk",
  "--cluster-signing-cert-file=/var/lib/minikube/certs/ca.crt",
  "--cluster-signing-key-file=/var/lib/minikube/certs/ca.key",
  "--controllers=*,bootstrapsigner,tokencleaner",
  "--kubeconfig=/etc/kubernetes/controller-manager.conf",
  "--leader-elect=false",
  "--port=0",
  "--requestheader-client-ca-file=/var/lib/minikube/certs/front-proxy-ca.crt",
  "--root-ca-file=/var/lib/minikube/certs/ca.crt",
  "--service-account-private-key-file=/var/lib/minikube/certs/sa.key",
  "--service-cluster-ip-range=10.96.0.0/12",
  "--use-service-account-credentials=true"
]

I would also consider checking the logs:

$ kubectl -n kube-system logs kube-controller-manager-minikube

Same issue here. My flavor is RKE on prem, k8s 1.24.9
Anyone figure this out?

In case it’ll help someone here in the future: Enable CSR signing on an RKE cluster so certificates are issued | Support | SUSE
In short, in the cluster.yml file, edit the section:

kube-controller: {}

and change it to:

kube-controller:
  extra_args:
    cluster-signing-cert-file: /etc/kubernetes/ssl/kube-ca.pem
    cluster-signing-key-file: /etc/kubernetes/ssl/kube-ca-key.pem

Run rke up again, and it should work.
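
The flag check suggested in the minikube reply and the RKE fix above both come down to whether kube-controller-manager was started with a signing certificate and key. The script below is an added example, not code from any poster in this thread; the function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which CSR-signing flags are
# absent from a kube-controller-manager command line.
REQUIRED_FLAGS="--cluster-signing-cert-file --cluster-signing-key-file"

# Reads the command on stdin (the JSON array printed by the jsonpath query,
# or plain argv text) and prints every required flag lacking a value.
missing_signing_flags() {
    cmd=$(cat)
    for flag in $REQUIRED_FLAGS; do
        if ! printf '%s\n' "$cmd" |
            grep -Eq -- "(^|[\"[:space:]])${flag}=[^\"[:space:]]+"; then
            printf '%s\n' "$flag"
        fi
    done
}

# Exit status 0 only when both flags are set, so it can gate a script.
check_signing_flags() {
    missing=$(missing_signing_flags)
    if [ -n "$missing" ]; then
        echo "signing flags missing or empty:" $missing >&2
        return 1
    fi
    echo "cluster signing cert and key are configured"
}

# Constructed sample: trimmed from the minikube output quoted above.
sample_with_flags() { cat <<'EOF'
[
  "kube-controller-manager",
  "--cluster-signing-cert-file=/var/lib/minikube/certs/ca.crt",
  "--cluster-signing-key-file=/var/lib/minikube/certs/ca.key",
  "--root-ca-file=/var/lib/minikube/certs/ca.crt"
]
EOF
}

# Constructed sample: no key flag, and a cert flag with an empty value.
sample_without_flags() { cat <<'EOF'
["kube-controller-manager","--cluster-signing-cert-file=","--leader-elect=false"]
EOF
}

sample_with_flags | check_signing_flags
sample_without_flags | check_signing_flags || true
# Live cluster: pipe the kubectl jsonpath command from the thread into check_signing_flags.
```

An empty value is reported as missing on purpose, since a flag that is present but blank leaves the signer without a CA just as an absent flag does.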