I am wondering why Practice Test - Certificates API LAB use Kubernetes version 1 . . .

George Lazaroff:
I am wondering why Practice Test - Certificates API LAB use Kubernetes version 1.18, not 1.19, in order to create CertificateSigningRequest
I had to use v1beta1 API version, the template for 1.18 not for 1.19

controlplane $ kubectl get node -o wide
NAME           STATUS   ROLES    AGE    VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION       CONTAINER-RUNTIME
controlplane   Ready    master   2m8s   v1.18.0   172.17.0.48   &lt;none&gt;        Ubuntu 18.04.5 LTS   4.15.0-122-generic   <docker://19.3.13>
node01         Ready    &lt;none&gt;   96s    v1.18.0   172.17.0.51   &lt;none&gt;        Ubuntu 18.04.5 LTS   4.15.0-122-generic   <docker://19.3.13>

and my second question is - during on the exam if we will have questions related to CertificateSigningRequest I didn’t see anywhere in K8s doc info for these options below, there is only info for `client auth`` is it enogh?

  usages:
  - digital signature
  - key encipherment
  - server auth

George Lazaroff:

controlplane $ vim ak.yaml
controlplane $ kubectl apply -f ak.yaml
error: unable to recognize "ak.yaml": no matches for kind "CertificateSigningRequest" in version "<http://certificates.k8s.io/v1|certificates.k8s.io/v1>"
controlplane $ cat ak.yaml
apiVersion: <http://certificates.k8s.io/v1|certificates.k8s.io/v1>
kind: CertificateSigningRequest
metadata:
  name: my-svc.my-namespace
spec:
  request: $(cat /root/akshay.csr | base64 | tr -d '\n')
  signerName: <http://kubernetes.io/kubelet-serving|kubernetes.io/kubelet-serving>
  usages:
  - digital signature
  - key encipherment
  - server auth

Sapan Kumar:
+1 , my lab answers worked with ‘-client auth’ but i had the same question, the documentation has only this example that uses client auth only. https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatesigningrequest

Sapan Kumar:
reg, lab version you can try and upgrade to 1.19, hardly takes 10 minutes and it also gives you additional practice for upgrade task

George Lazaroff:

controlplane $ cat <<EOF | kubectl apply -f -
apiVersion: <http://certificates.k8s.io/v1beta1|certificates.k8s.io/v1beta1>
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  groups:
  - system:authenticated
  request: $(cat /root/akshay.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

<http://certificatesigningrequest.certificates.k8s.io/akshay|certificatesigningrequest.certificates.k8s.io/akshay> created
controlplane $
controlplane $
controlplane $ kubectl get csr
NAME        AGE   SIGNERNAME                                    REQUESTOR                  CONDITION
akshay      46s   <http://kubernetes.io/legacy-unknown|kubernetes.io/legacy-unknown>                  kubernetes-admin           Approved,Issued
csr-dmtqs   35m   <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>   system:bootstrap:96771a    Approved,Issued
csr-wj8wk   36m   <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>   system:node:controlplane   Approved,Issued

George Lazaroff:
@Sapan Kumar good idea to upgrade the master node

George Lazaroff:
is there any task for CertificateSigningRequest in CKA exam

George Lazaroff:

 cat <<EOF | kubectl apply -f -
apiVersion: <http://certificates.k8s.io/v1|certificates.k8s.io/v1>
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  groups:
  - system:authenticated
  request: $(cat /root/akshay.csr | base64 | tr -d '\n')
  signerName: <http://kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client>
  usages:
  - client auth
EOF

<http://certificatesigningrequest.certificates.k8s.io/akshay|certificatesigningrequest.certificates.k8s.io/akshay> created
controlplane $ kubectl certificate approve akshay
No resources found
error: no kind "CertificateSigningRequest" is registered for version "<http://certificates.k8s.io/v1|certificates.k8s.io/v1>" in scheme "<http://k8s.io/kubectl/pkg/scheme/scheme.go:28|k8s.io/kubectl/pkg/scheme/scheme.go:28>"
controlplane $

George Lazaroff:
I had to upgrade kubectl tool to 1.19.0-00 versio nas well

George Lazaroff:

controlplane $ cat <<EOF | kubectl apply -f -
apiVersion: <http://certificates.k8s.io/v1|certificates.k8s.io/v1>
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  groups:
  - system:authenticated
  request: $(cat /root/akshay.csr | base64 | tr -d '\n')
  signerName: <http://kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client>
  usages:
  - client auth
EOF
<http://certificatesigningrequest.certificates.k8s.io/akshay|certificatesigningrequest.certificates.k8s.io/akshay> created
controlplane $
controlplane $
controlplane $ kubectl certificate approve akshay
<http://certificatesigningrequest.certificates.k8s.io/akshay|certificatesigningrequest.certificates.k8s.io/akshay> approved
controlplane $ kubectl get csr
NAME        AGE   SIGNERNAME                                    REQUESTOR                  CONDITION
akshay      10s   <http://kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client>           kubernetes-admin           Approved,Issued
csr-dmtqs   53m   <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>   system:bootstrap:96771a    Approved,Issued
csr-wj8wk   54m   <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>   system:node:controlplane   Approved,Issued
controlplane $
controlplane $

Tej_Singh_Rana:
All labs upgraded to v1.19.

Tej_Singh_Rana:
I will check for that.