Hi All, I'm doing CKA course 149. Practice Test - Certificates API. When I appro . . .

Kubernetes
#1

Andrei Zimin:
Hi All, I’m doing CKA course 149. Practice Test - Certificates API. When I approve akshay’s certificate, the status turns from Pending to Approved, Failed. Any idea what I’m doing wrong here?

controlplane $ kubectl create -f akshay-csr.yaml
Warning: <http://certificates.k8s.io/v1beta1|certificates.k8s.io/v1beta1> CertificateSigningRequest is deprecated in v1.19+, unavailable in v1.22+; use <http://certificates.k8s.io/v1|certificates.k8s.io/v1> CertificateSigningRequest
<http://certificatesigningrequest.certificates.k8s.io/akshay|certificatesigningrequest.certificates.k8s.io/akshay> created
controlplane $ kubectl get csr
NAME        AGE    SIGNERNAME                                    REQUESTOR                  CONDITION
akshay      6m1s   <http://kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client>           kubernetes-admin           Pending
csr-2km9d   64m    <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>   system:bootstrap:96771a    Approved,Issued
csr-fm47l   64m    <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>   system:node:controlplane   Approved,Issued
controlplane $ kubectl certificate approve akshay
<http://certificatesigningrequest.certificates.k8s.io/akshay|certificatesigningrequest.certificates.k8s.io/akshay> approved
controlplane $ kubectl get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR                  CONDITION
akshay      7m11s   <http://kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client>           kubernetes-admin           Approved,Failed
csr-2km9d   65m     <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>   system:bootstrap:96771a    Approved,Issued
csr-fm47l   65m     <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>   system:node:controlplane   Approved,Issued
#2

Andrei Zimin:
I used the yaml file from the answers:

apiVersion: <http://certificates.k8s.io/v1beta1|certificates.k8s.io/v1beta1>
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  signerName: <http://kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client>
  groups:
  - system:authenticated
  request: LS0...QT
  usages:
  - digital signature
  - key encipherment
  - server auth
#3

Mohamed Ayman:
This is not a wrong answer since the question does not required that the certificate should not be failed
And in the next question, you are required to count the number of approved and failed certificates

#4

Praveen Viswanath:
try like below
apiVersion: http://certificates.k8s.io/v1|certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: akshay
spec:
groups:

  • system:authenticated
    request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZVzVuWld4aE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQTByczhJTHRHdTYxakx2dHhWTTJSVlRWMDNHWlJTWWw0dWluVWo4RElaWjBOCnR2MUZtRVFSd3VoaUZsOFEzcWl0Qm0wMUFSMkNJVXBGd2ZzSjZ4MXF3ckJzVkhZbGlBNVhwRVpZM3ExcGswSDQKM3Z3aGJlK1o2MVNrVHF5SVBYUUwrTWM5T1Nsbm0xb0R2N0NtSkZNMUlMRVI3QTVGZnZKOEdFRjJ6dHBoaUlFMwpub1dtdHNZb3JuT2wzc2lHQ2ZGZzR4Zmd4eW8ybmlneFNVekl1bXNnVm9PM2ttT0x1RVF6cXpkakJ3TFJXbWlECklmMXBMWnoyalVnald4UkhCM1gyWnVVV1d1T09PZnpXM01LaE8ybHEvZi9DdS8wYk83c0x0MCt3U2ZMSU91TFcKcW90blZtRmxMMytqTy82WDNDKzBERHk5aUtwbXJjVDBnWGZLemE1dHJRSURBUUFCb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBR05WdmVIOGR4ZzNvK21VeVRkbmFjVmQ1N24zSkExdnZEU1JWREkyQTZ1eXN3ZFp1L1BVCkkwZXpZWFV0RVNnSk1IRmQycVVNMjNuNVJsSXJ3R0xuUXFISUh5VStWWHhsdnZsRnpNOVpEWllSTmU3QlJvYXgKQVlEdUI5STZXT3FYbkFvczFqRmxNUG5NbFpqdU5kSGxpT1BjTU1oNndLaTZzZFhpVStHYTJ2RUVLY01jSVUyRgpvU2djUWdMYTk0aEpacGk3ZnNMdm1OQUxoT045UHdNMGM1dVJVejV4T0dGMUtCbWRSeEgvbUNOS2JKYjFRQm1HCkkwYitEUEdaTktXTU0xMzhIQXdoV0tkNjVoVHdYOWl4V3ZHMkh4TG1WQzg0L1BHT0tWQW9FNkpsYWFHdTlQVmkKdjlOSjVaZlZrcXdCd0hKbzZXdk9xVlA3SVFjZmg3d0drWm89Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
    signerName: http://kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client
    usages:
  • client auth

Save as cer.yaml

k apply -f cer.yaml

You can refer to this link to section Create CertificateSigningReques
then in the next question you can approver the certificate

#5

Andrei Zimin:
Thank you, @Praveen Viswanath . Now it shows as “Issued”.