Hi Is there a solution video for Create a Pod called redis-storage with image: r . . .

Norrin Radd:
Hi, is there a solution video for Create a Pod called redis-storage with image: redis:alpine with a Volume of type emptyDir that lasts for the life of the Pod? And I’m having some trouble with approving a cert: after approving, the condition is “Approved,Failed”. I’ve set the signerName to kubernetes.io/kubelet-serving … any thoughts?

Alicio Cerqueira:
Have you followed this doc?
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#normal-user
just did it …and worked like a charm.

Alicio Cerqueira:
note that the signer name used there was

signerName: kubernetes.io/kube-apiserver-client

Alicio Cerqueira:
and has added the user to

groups:
  - system:authenticated

on its creation

Norrin Radd:
Thanks Alicio… I’ll give that a whirl

Norrin Radd:
@Alicio Cerqueira quick question, does that authenticate using server auth or just client auth?

Alicio Cerqueira:
In fact…I did not check if it got authenticated…
I just approve the CSR…and to check the permissions… I used the
kubectl auth can-i --as=username list pv

Alicio Cerqueira:
to create the CSR, create the csr manifest as per documentation… and use the csr file in base 64

Alicio Cerqueira:
in order to really test the authentication process… you will need to create a kubeconfig

Norrin Radd:
@Alicio Cerqueira Thanks for that, I get a positive response whenever I run can-i as user, however the condition is still set as “Approved,Failed”.

Norrin Radd:
I might have missed something in the docs, more reading to do I guess

Alicio Cerqueira:
I had this kind of problem… and to solve it, I copied the csr.yaml of the documentation and just replaced the csr in base64… nothing special was done

Norrin Radd:
is the csr.yaml in the link you sent earlier?

Alicio Cerqueira:
exactly.
just copy that manifest and replace it with the csr given by the question… convert it to base64 and replace it there.

Alicio Cerqueira:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: john
spec:
  groups:
  - system:authenticated
  request: <BASE64-CSR-HERE>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

Alicio Cerqueira:
apply this yaml and…approve the csr. I think that for the question…the user should be john-developer… I don't remember…