Signing CSR with v1.CertificateSigningRequest

Asking for help? Comment out what you need so we can get more information to help you!

Cluster information:

Kubernetes version: 1.20
Cloud being used: (put bare-metal if not on a public cloud)
Installation method:
Host OS:
CNI and version:
CRI and version:

I am trying to generate Kubernetes CSR for MutatingWebhookConfiguration. During the registration process, I get this error in csr status subject organization is not system:nodes. This is my CSR

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${csrName}
spec:
  groups:
  - system:authenticated
  request: $(< "${tmpdir}"/server.csr base64 | tr -d '\n')
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

This is my open ssl config

cat <<EOF >> "${tmpdir}"/csr.conf
[dn]
O="system:nodes"

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}
DNS.2 = ${service}.${namespace}
DNS.3 = ${service}.${namespace}.svc
EOF

openssl genrsa -out "${tmpdir}"/server-key.pem 2048
openssl req -new -key "${tmpdir}"/server-key.pem -subj "/CN=system:node:${service}.${namespace}.svc" -out "${tmpdir}"/server.csr -config "${tmpdir}"/csr.conf

I do encounter the same issue. I only face the issue using certificates.k8s.io/v1 but if the CSR is CSR is created using certificates.k8s.io/v1beta1, I do get the certificates.

Just wondering if you were able to find the solution? I am using aws eks 1.21.5 version