@Tej_Singh_Rana @Mohamed Ayman, In Mock2 Q6,PFB: Create a new user called `john . . .

kodekloud · May 30, 2021, 12:47pm

V S Charan kumar Reddy Bakka:
@Tej_Singh_Rana @Mohamed Ayman,
In Mock2 Q6,PFB:
Create a new user called john. Grant him access to the cluster. John should have permission to create, list, get, update and delete pods in the development namespace . The private key exists in the location: /root/CKA/john.key and csr at /root/CKA/john.csr

After i create and Approve CSR, it goes to Approved, Failed Status…can you help me with this?

controlplane $ kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
john-developer 87s http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet kubernetes-admin Approved,Failed

-----------YAML USED for CSR---------

apiVersion: http://certificates.k8s.io/v1|certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: john-developer
spec:
groups:

system:authenticated
request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZEQ0NBVHdDQVFBd0R6RU5NQXNHQTFVRUF3d0VhbTlvYmpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRApnZ0VQQURDQ0FRb0NnZ0VCQUsvSnlxNGg5cVNEcG4wVEJDdU1zc0w0MjN2MTUrbTRMVE8xbEVaRnV6aXgvaVZHCm5PQktWUGZTcmdxZ1dVeXhXMDNHTTA0cFV2dmF4eU5pV1F4ZDVmaFkyMzJrMWVPanhWV0Nuam5pWDhON284UHkKYXR5VHpYNWh0Nk1IbnJxeEwzbnIwS25zU0ZiaER2dDQ2NXJ2ZlR3NnpSaHBkNVR4ZDV6R2ZBT3RXdzhhWG9ZRQozRVpiY0xUR2IxS2w1SGs2Z2lCVGJweDVYaWhCS3JkbGNaU25HUVAwd3NiVDdnS2RWSjFvZWZkOExjTXNxRlFsCkRiMmluK3pLZUVvazRVVnp6aXMwVHJsK2xTMVNPU0RGcDRUWVJDdGVYWml1UUFUd2ZYK0hQc2xvNnEzZW9pMzUKMlo5WkR5YWV1aHNYb0dGOUhCSGp1OWdiQW1SaU9EL1lSMUFXZ1RFQ0F3RUFBYUFBTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQmtCNTRWSjFxK2c5M09MNEhjMHdKRlplS254OXRpd1Q4ZmFsamgvZG0vTDRkMjNEUnYwazNXCitKb3hDbmpiZkNrOG5TTVc2aDNubUJETWQvNEpKUHZFeXZxMWhyV1JrNU5raUFzWjFWYTI3ditpOUhDcnlyUXgKSUxsK3ZHc3ZMc3V6anFzWWhMSU9VaVEyY2VtQ3RqeUo1VzZwUkpNbU5ZU1FuZUxEUk5BOFBzdFp3UFdSdEVGTwpobHlqUEJEMFh4L0FGSHZkanNiaHJYVVhxMHVyYnYyS3NSdk9Fem5SVW1vUG9RUlJIVXJxZ0tLQ2xsZjZvVHFzCm9Gbm1SWmszS09TMElMRFBVVUc4cDhSQjV3RGNaQ01ENms4WHB1cHViWmUrVVRrU2VPSThGT3BVcVQ2aktrU2kKcHNFVVR4ZzRuT0NPbVpIZVM5czRLUXVIUDFPeFBPVWEKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
signerName: http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet
usages:
digital signature
key encipherment
server auth

kodekloud · May 30, 2021, 12:47pm

Mohamed Ayman:
Please try to create this file
$vi certificatesigning.yml

apiVersion: http://certificates.k8s.io/v1|certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: john-developer
spec:
groups:

system:authenticated
request: $(cat john.csr | base64 | tr -d “\n”)
signerName: http://kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client
usages:
client auth

Then approve it
$ kubectl certificate approve john-developer

kodekloud · May 30, 2021, 12:47pm

V S Charan kumar Reddy Bakka:
@Mohamed Ayman So ,you mean to say the issue was with signerName only or usages aswel? Can you explain a bit?

kodekloud · May 30, 2021, 12:47pm

PR:
Signer name is correct but under usage it should be client auth which is mention in doc and use cat john.csr | base64 | tr -d “\n” command, copy and paste like this. request: LS0tLS…I got the same error when i paste the code under the request look at this doc

kodekloud · May 30, 2021, 12:47pm

PR:
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatesigningrequest