View node status:kubectl get csr
[root@kube1 ~]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr--jJF_sRckTdhoqAOYB4fEaA06Juwv32d1RFwzcbbE0c 150m system:bootstrap:gn5vla Pending
node-csr-KMkTDLPqhj52YxZFS8vEOiqMt1NXVEcYvmvUJAhxhwg 150m system:bootstrap:xay6t6 Pending
node-csr-bv18tH4pK-xq7Ekwv0IuzD4CcBuvKjjdonBjpKqHuPQ 150m system:bootstrap:v1g4p2 Pending
Perform a refusal:
kubectl get csr | grep Pending| awk '{print $1}' | xargs kubectl certificate deny
View node status again:kubectl get csr
[root@kube1 ~]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr--jJF_sRckTdhoqAOYB4fEaA06Juwv32d1RFwzcbbE0c 150m system:bootstrap:gn5vla Denied
node-csr-KMkTDLPqhj52YxZFS8vEOiqMt1NXVEcYvmvUJAhxhwg 150m system:bootstrap:xay6t6 Denied
node-csr-bv18tH4pK-xq7Ekwv0IuzD4CcBuvKjjdonBjpKqHuPQ 150m system:bootstrap:v1g4p2 Denied
How can I do this to approve a CSR in the Denied state?
Short answer, you can't. Once you deny a CSR you need issue a new CSR and approve it if you want to. You can delete denied CSRs if you don't want to see them there with:
kubectl delete csr <csr-name>
Additionally, To delete all denied requests use:
kubectl get csr | grep Denied | awk '{print $1;}' | xargs kubectl delete csr