Hello, I trying to solve Ques-6 from Lab2 but getting my certificate status as f . . .

Ashwani Kumar:
Hello, I trying to solve Ques-6 from Lab2 but getting my certificate status as failed for this questions, I am running below command - Any suggestion -

controlplane $ cat <<EOF | kubectl apply -f -
&gt; apiVersion: <http://certificates.k8s.io/v1|certificates.k8s.io/v1>
&gt; kind: CertificateSigningRequest
&gt; metadata:
&gt;   name: john-developer
&gt; spec:
&gt;   request: $(cat /root/CKA/john.csr | base64 | tr -d '\n')
&gt;   signerName: <http://kubernetes.io/kubelet-serving|kubernetes.io/kubelet-serving>
&gt;   usages:
&gt;   - digital signature
&gt;   - key encipherment
&gt;   - server auth
&gt; EOF
<http://certificatesigningrequest.certificates.k8s.io/john-developer|certificatesigningrequest.certificates.k8s.io/john-developer> created
controlplane $ k get csr 
NAME             AGE   SIGNERNAME                                    REQUESTOR                  CONDITION
csr-8gnvv        50m   <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>   system:node:controlplane   Approved,Issued
csr-tpk7s        50m   <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>   system:bootstrap:96771a    Approved,Issued
john-developer   17s   <http://kubernetes.io/kubelet-serving|kubernetes.io/kubelet-serving>                 kubernetes-admin           Pending
controlplane $ k certificate approve john-developer
<http://certificatesigningrequest.certificates.k8s.io/john-developer|certificatesigningrequest.certificates.k8s.io/john-developer> approved
controlplane $ k get csr
NAME             AGE   SIGNERNAME                                    REQUESTOR                  CONDITION
csr-8gnvv        52m   <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>   system:node:controlplane   Approved,Issued
csr-tpk7s        51m   <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>   system:bootstrap:96771a    Approved,Issued
john-developer   80s   <http://kubernetes.io/kubelet-serving|kubernetes.io/kubelet-serving>                 kubernetes-admin           Approved,Failed
controlplane $ kubectl describe csr john-developer
Name:         john-developer
Labels:       &lt;none&gt;
Annotations:  <http://kubectl.kubernetes.io/last-applied-configuration={%22apiVersion%22:%22certificates.k8s.io/v1%22,%22kind%22:%22CertificateSigningRequest%22,%22metadata%22:{%22annotations%22:{},%22name%22:%22john-developer%22},%22spec%22:{%22request%22:%22LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZEQ0NBVHdDQVFBd0R6RU5NQXNHQTFVRUF3d0VhbTlvYmpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRApnZ0VQQURDQ0FRb0NnZ0VCQU1NTm5JcjRUNUdYVFkwWktrNDh0VjU2U2ptRlQvL3NSUWtCb0p0bnA1UEliY090ClVYUXBsd1FSWWZraXBHVHA1aGdJUGFMeDBteGF2bFpFQlo5MEQzSXpqM1dmSDZTb0FHcFBRaTZTOFdsMDhFZXIKZXJXOTVwRkNMQXFXakVnZHpOaHpjM2lDZ0V1ZWF5N2ZBdmF1TlBmTkxDVGdwUUIrNFhmK0pmS2lxT1dCOFFHKwo2ZFFOL1NFdWRJVGRoRUl1RzhHNUlnS0Z3eFNFeFJ2azdDQytwNUxqdW5iKzZmWmkrZTM1TDZYdHhaT0QzcnR5ClVqNXZIZXZhSGlZYUJ1UHpZRFZxbDJ5WEZuNm9makFENGxpbGtaV2xBbXVpcTNqcWNPT1k2OXBTZmlmeXYzNDQKeWdRUzBXVE42NmJBaHdkd2YrV2d5ZE96ZW5MSGxMbHRnZVQvS21NQ0F3RUFBYUFBTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQXJodzlCSEIySEtaV3EwRXI4TlFlaFRaZzhLNHU2VDVlaUhLdEtrNkdLYldvcmQzdTBBdXRvClBkbXZVSk5FR2laVDJjcnM4UkdtWDRjS1poeHlQR05RSDdISi9PSHlsM0FFS2lpTWhCaHozdWN5Njh4dWdkUDcKTW1CSkx1Q0wrL2JhVUVIZFRxWkUxSnREV0hTTExpUXNDQXAvOUZYSWFQQXhoMnBFemhYRG56Sk5MbDNTVFZjNgo4TDc2dUNiQ2xjMlNodzJMRW40emlOdWZTWVBldnJjU1JPK2RzTlVNWUFSeWsvcjZ1K2szTDFTQ0MxRnA3U0llClRXOThDVGh4dVBGaXk0RlBLbmd6MEF0bXV2c0FoaGd3ZzN5ZEcrb2huUUlUdjJnWDlKRXFzN3lycHBwM1VadHAKU2Q2YUtnd09GRkQ3VmhheFl5enRrVlk2TTVCK0dhbm0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==%22,%22signerName%22:%22kubernetes.io/kubelet-serving%22,%22usages%22:[%22digital|kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certificates.k8s.io/v1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"john-developer"},"spec":{"request":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZEQ0NBVHdDQVFBd0R6RU5NQXNHQTFVRUF3d0VhbTlvYmpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRApnZ0VQQURDQ0FRb0NnZ0VCQU1NTm5JcjRUNUdYVFkwWktrNDh0VjU2U2ptRlQvL3NSUWtCb0p0bnA1UEliY090ClVYUXBsd1FSWWZraXBHVHA1aGdJUGFMeDBteGF2bFpFQlo5MEQzSXpqM1dmSDZTb0FHcFBRaTZTOFdsMDhFZXIKZXJXOTVwRkNMQXFXakVnZHpOaHpjM2lDZ0V1ZWF5N2ZBdmF1TlBmTkxDVGdwUUIrNFhmK0pmS2lxT1dCOFFHKwo2ZFFOL1NFdWRJVGRoRUl1RzhHNUlnS0Z3eFNFeFJ2azdDQytwNUxqdW5iKzZmWmkrZTM1TDZYdHhaT0QzcnR5ClVqNXZIZXZhSGlZYUJ1UHpZRFZxbDJ5WEZuNm9makFENGxpbGtaV2xBbXVpcTNqcWNPT1k2OXBTZmlmeXYzNDQKeWdRUzBXVE42NmJBaHdkd2YrV2d5ZE96ZW5MSGxMbHRnZVQvS21NQ0F3RUFBYUFBTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQXJodzlCSEIySEtaV3EwRXI4TlFlaFRaZzhLNHU2VDVlaUhLdEtrNkdLYldvcmQzdTBBdXRvClBkbXZVSk5FR2laVDJjcnM4UkdtWDRjS1poeHlQR05RSDdISi9PSHlsM0FFS2lpTWhCaHozdWN5Njh4dWdkUDcKTW1CSkx1Q0wrL2JhVUVIZFRxWkUxSnREV0hTTExpUXNDQXAvOUZYSWFQQXhoMnBFemhYRG56Sk5MbDNTVFZjNgo4TDc2dUNiQ2xjMlNodzJMRW40emlOdWZTWVBldnJjU1JPK2RzTlVNWUFSeWsvcjZ1K2szTDFTQ0MxRnA3U0llClRXOThDVGh4dVBGaXk0RlBLbmd6MEF0bXV2c0FoaGd3ZzN5ZEcrb2huUUlUdjJnWDlKRXFzN3lycHBwM1VadHAKU2Q2YUtnd09GRkQ3VmhheFl5enRrVlk2TTVCK0dhbm0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==","signerName":"kubernetes.io/kubelet-serving","usages":["digital> signature","key encipherment","server auth"]}}

CreationTimestamp:  Thu, 11 Mar 2021 13:10:54 +0000
Requesting User:    kubernetes-admin
Signer:             <http://kubernetes.io/kubelet-serving|kubernetes.io/kubelet-serving>
Status:             Approved,Failed
Subject:
         Common Name:    john
         Serial Number:  
Events:  &lt;none&gt;
controlplane $ 

Tej_Singh_Rana:
Please check the sample format from here:
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatesigningrequest

Mohamed Ayman:
Always follow the official documentation using the above link.

Mohamed Ayman:
Because usages is

usages:
  - client auth

Not

"usages":["digital signature","key encipherment","server auth"]

Mohamed Ayman:
Check this:

cat &lt;&lt;EOF | kubectl apply -f -
apiVersion: <http://certificates.k8s.io/v1|certificates.k8s.io/v1>
kind: CertificateSigningRequest
metadata:
  name: john-developer
spec:
  groups:
  - system:authenticated
  request: $(cat john.csr | base64 | tr -d "\n")
  signerName: <http://kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client>
  usages:
  - client auth
EOF

Mohamed Ayman:
Then approve It:

kubectl certificate approve john-developer
kubectl get csr

mark:
@Ashwani Kumar You and I are having the same exact problem at the same exact minute. Thank you @Tej_Singh_Rana and @Mohamed Ayman! That is the correct link to the correct documentation and that worked for me.

Ashwani Kumar:
Thank you @Tej_Singh_Rana @Mohamed Ayman for the suggestion, by referring doc I was able to resolve this.