CKA mock Exam 2 - Question 6 using openssl x509 instead of yaml definition

Hello, I signed John's CSR using openssl x509 and I created the role and rolebinding, but it failed.

Should I use a YAML file to sign the CSR, or is the way I did it accepted?

Thanks

Hello, @hamdymoussa1
I think you should create a CSR file.

I am also confused/missing something here. I followed along with the creation of the CSR in the Mock Exam 2 solution video (which is missing the signerName key). The instructor receives Approved, Issued after approving the CSR. However, in my Mock Exam, I am seeing only Approved. I am able to perform the roles, rolebinding, and can-i commands without issue. When inspecting the Error Details, I am confident the issue is the lack of Issued in the following output:

kubectl describe csr john-developer | grep Status| grep Approved,Issued","err_message":"Command 'kubectl describe csr john-developer | grep Status| grep Approved,Issued' returned non-zero exit status 1."

controlplane $ kubectl describe csr john-developer
Name: john-developer
Labels:
Annotations:
CreationTimestamp: Wed, 28 Oct 2020 14:50:53 +0000
Requesting User: kubernetes-admin
Signer: kubernetes.io/john
Status: Approved
Subject:
Common Name: john
Serial Number:
Events:

Any feedback would be appreciated.

Hello, @kcnud
Can you please share your CSR YAML file? Recently, in v1.19, they have made a few changes in CSR…

Hey @player001

I figured it out; I was messing up the signerName. The following CSR works appropriately, is issued, and scores as success.

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
    name: john-developer
spec:
    groups:
    - system:authenticated
    request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZEQ0NBVHdDQVFBd0R6RU5NQXNHQTFVRUF3d0VhbTlvYmpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRApnZ0VQQURDQ0FRb0NnZ0VCQUxUWk9nUEdpWnJGcmRPaHlodTJkcHBxamUxWW9lTDlRNStNNURvbXEvcUxxdE94CjE0b2doT3U4ZW5WaVQ3T0tBOXlhVGY5bHVodTBPWVR1anJwRFJyMjVpUTZUY25tNlJybGxQYkdzb0R4SnVGUksKSnJoNHZaMUhQdjcxeFhtNWtVdEcrcVVuVHpsbHVVcEJkYVpkR0pxbGpjRFJHNUJKejlta2g0U3FadzZBclRmego1WElZenlhTW8xaGZJL044WC8ya3U5V1VGSFRBUnNFQjJZTzhhWG5KNGhqRDVVWU16T1Y5Z1FYVk9DYVZjRmNOCkY5OFhkTWpLUzBSaGt2M3pKajl1UEJhcXA5ZTF5ZXJNRTlCK3J2SUVKS2NSbDk3ZG4wdmlLZzlOVWhhbWREc2IKMURCNUxxNmhQeXZKREFkV1NzcDN2UFY2a1lYUWZnVHBSM2l6WjVVQ0F3RUFBYUFBTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQUhqd0NFa29WY1J0a29QMzFzc0NlUStEZng2SHI5SlVpNDJwUkQ1YnJPUUNwZ3BscVB3YjIzCmFhRU55ak5QcWMwTlloNXR6TE9oOU1NbUtEOTh6OU5zVGxucWlQZGw5OUZabzZ4WHl6ZGFqZlM2VzZRNGxvREgKZEIxenkyL3ZPUlZSL3RCYndXaGtiQnVRQkJKUVdKTFBVTHk2VkcrNkIyMFFGLzlNb2ovR3Y3TDNlUjJuVXJQRgptQUJuaGhIOWRVZm1OUGd6dThTZmMxODd3OVpGOTA0c05nMlFQUlZpeU1TQjZCMzByQis5S3BXOXUvcHZuOHZKCmhnUnhKMHlIeHlkR0d4ZTNvZDJoQThyZXUwWFRWYmFacmQ4UW5menIvTldqNkVMYkNjdFVnS0Jwck9HVTBCbHAKQUpadlluUVlxUmxkVlVUSWhSL3hGUFFmbU05SlJDaU8KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
    signerName: kubernetes.io/kube-apiserver-client
    usages:
    - client auth
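
The failure discussed in this thread (a CSR that is Approved but never Issued because its signerName is not one a signer acts on) can be checked from the `kubectl describe csr` text. The script below is an added example, not part of any post in the thread; the function names and the list of built-in signer names are assumptions about a default control plane, and the second sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: explain why a CSR stays at "Approved".
# Reads `kubectl describe csr <name>` text on stdin.

# Built-in signer names (assumed: default kube-controller-manager signing).
BUILTIN_SIGNERS='kubernetes.io/kube-apiserver-client
kubernetes.io/kube-apiserver-client-kubelet
kubernetes.io/kubelet-serving
kubernetes.io/legacy-unknown'

# field KEY: value of the top-level "KEY: value" line in $DESC.
field() {
    printf '%s\n' "$DESC" | awk -v k="$1:" 'index($0, k) == 1 {
        sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }'
}

# Prints a one-line verdict. Exit: 0 issued, 1 not approved,
# 2 approved and waiting on a built-in signer, 3 no signer for this name.
diagnose_csr() {
    DESC=$(cat)
    status=$(field Status)
    signer=$(field Signer)
    case ",$status," in
        *,Issued,*) echo "issued by $signer"; return 0 ;;
        *,Approved,*) ;;
        *) echo "not approved (status: ${status:-unknown})"; return 1 ;;
    esac
    if printf '%s\n' "$BUILTIN_SIGNERS" | grep -qxF -- "$signer"; then
        echo "approved, waiting for $signer to sign"; return 2
    fi
    echo "approved, but no built-in signer handles '$signer'"; return 3
}

# Field values as posted in the thread (the stuck CSR).
SAMPLE_STUCK='Name: john-developer
Requesting User: kubernetes-admin
Signer: kubernetes.io/john
Status: Approved'

# Constructed sample: the same CSR after correcting signerName.
SAMPLE_FIXED='Name: john-developer
Requesting User: kubernetes-admin
Signer: kubernetes.io/kube-apiserver-client
Status: Approved,Issued'

printf '%s\n' "$SAMPLE_STUCK" | diagnose_csr || true
printf '%s\n' "$SAMPLE_FIXED" | diagnose_csr || true
```

Against a live cluster the same function can be fed with `kubectl describe csr john-developer | diagnose_csr`.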