Andrei Zimin:
Hi All, I’m doing CKA course 149. Practice Test - Certificates API. When I approve akshay’s certificate, the status turns from Pending to Approved, Failed. Any idea what I’m doing wrong here?
controlplane $ kubectl create -f akshay-csr.yaml
Warning: certificates.k8s.io/v1beta1 CertificateSigningRequest is deprecated in v1.19+, unavailable in v1.22+; use certificates.k8s.io/v1 CertificateSigningRequest
certificatesigningrequest.certificates.k8s.io/akshay created
controlplane $ kubectl get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR                  CONDITION
akshay      6m1s    kubernetes.io/kube-apiserver-client           kubernetes-admin           Pending
csr-2km9d   64m     kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:96771a    Approved,Issued
csr-fm47l   64m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   Approved,Issued
controlplane $ kubectl certificate approve akshay
certificatesigningrequest.certificates.k8s.io/akshay approved
controlplane $ kubectl get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR                  CONDITION
akshay      7m11s   kubernetes.io/kube-apiserver-client           kubernetes-admin           Approved,Failed
csr-2km9d   65m     kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:96771a    Approved,Issued
csr-fm47l   65m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   Approved,Issued
Andrei Zimin:
I used the yaml file from the answers:
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  signerName: kubernetes.io/kube-apiserver-client
  groups:
  - system:authenticated
  request: LS0...QT
  usages:
  - digital signature
  - key encipherment
  - server auth
Mohamed Ayman:
This is not a wrong answer, since the question does not require that the certificate should not be failed.
And in the next question, you are required to count the number of approved and failed certificates
Praveen Viswanath:
Try it like below:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  groups:
  - system:authenticated
  request: <base64-encoded CSR>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
Save as cer.yaml
k apply -f cer.yaml
You can refer to this link, to the section Create CertificateSigningRequest.
Then in the next question you can approve the certificate.
Andrei Zimin:
Thank you, @Praveen Viswanath. Now it shows as “Issued”.