kubernetescsrkubelet

How can I do this to approve a CSR in the Denied state?


View node status:kubectl get csr

[root@kube1 ~]# kubectl get csr
NAME                                                   AGE    REQUESTOR                 CONDITION
node-csr--jJF_sRckTdhoqAOYB4fEaA06Juwv32d1RFwzcbbE0c   150m   system:bootstrap:gn5vla   Pending
node-csr-KMkTDLPqhj52YxZFS8vEOiqMt1NXVEcYvmvUJAhxhwg   150m   system:bootstrap:xay6t6   Pending
node-csr-bv18tH4pK-xq7Ekwv0IuzD4CcBuvKjjdonBjpKqHuPQ   150m   system:bootstrap:v1g4p2   Pending

Perform a refusal:

kubectl get csr | grep Pending| awk '{print $1}' | xargs kubectl certificate deny

View node status again:kubectl get csr

[root@kube1 ~]# kubectl get csr
NAME                                                   AGE    REQUESTOR                 CONDITION
node-csr--jJF_sRckTdhoqAOYB4fEaA06Juwv32d1RFwzcbbE0c   150m   system:bootstrap:gn5vla   Denied
node-csr-KMkTDLPqhj52YxZFS8vEOiqMt1NXVEcYvmvUJAhxhwg   150m   system:bootstrap:xay6t6   Denied
node-csr-bv18tH4pK-xq7Ekwv0IuzD4CcBuvKjjdonBjpKqHuPQ   150m   system:bootstrap:v1g4p2   Denied

How can I do this to approve a CSR in the Denied state?


Solution

  • Short answer, you can't. Once you deny a CSR you need issue a new CSR and approve it if you want to. You can delete denied CSRs if you don't want to see them there with:

     kubectl delete csr <csr-name>
    

    Additionally, To delete all denied requests use:

    kubectl get csr | grep Denied | awk '{print $1;}' | xargs kubectl delete csr