kubernetes

How to fix CSR denial by csr-auto-approver?


In my k8s cluster, csr-auto-approver is used. After restarting kubelet, it started to deny CSR requests with the following reason:

Denying kubelet-serving CSR. Regex/IP checks failed. Reason:One of the SAN IP addresses, , is not contained in the set of resolved IP addresses, denying the CSR

How does the approver perform this check? And how do I fix it?


Solution

  • Based on the error you’ve mentioned, the reason for the denials is a missing IP address. The approver checks whether the IP addresses specified in the CSR match the IP addresses of the node; if a request is made without an IP or there’s a mismatch, it denies the request.

    You need to check if your node IP address matches the CSR SAN field and you can update it with the correct one.

    You can also approve the request manually. See this documentation for further information:

    kubectl certificate approve <csr-name>
    

    For additional information, see this documentation:

    https://github.com/postfinance/kubelet-csr-approver?tab=readme-ov-file#which-verifications-do-we-put-in-place-
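To find which SAN IP is behind a denial, the comparison the error message describes can be reproduced offline; the following is an added example, not code from this post or from kubelet-csr-approver. It parses a PEM CSR and reports every SAN IP missing from a caller-supplied set of resolved addresses. Assumptions: the function names, node name and addresses are constructed, the real CSR is the base64-decoded `.spec.request` of the CSR object, and the resolved set is whatever the node's name resolves to from the approver's point of view.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
)

// sanIPsNotResolved parses a PEM-encoded CSR and returns every SAN IP that is
// absent from resolved (assumed: the addresses the node's name resolves to).
func sanIPsNotResolved(csrPEM []byte, resolved []net.IP) ([]string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found in CSR")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	known := map[string]bool{}
	for _, r := range resolved {
		known[r.String()] = true // String() normalises 4-byte and 16-byte IPv4 forms
	}
	var missing []string
	for _, san := range csr.IPAddresses {
		if !known[san.String()] {
			missing = append(missing, san.String())
		}
	}
	return missing, nil
}

// sampleCSR builds a constructed kubelet-serving style CSR (errors ignored: demo input only).
func sampleCSR(node string, ips ...net.IP) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{DNSNames: []string{node}, IPAddresses: ips,
		Subject: pkix.Name{CommonName: "system:node:" + node, Organization: []string{"system:nodes"}}}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	csr := sampleCSR("node-1.example.internal", net.ParseIP("10.0.0.5"), net.ParseIP("192.168.1.20"))
	fmt.Println(sanIPsNotResolved(csr, []net.IP{net.ParseIP("10.0.0.5")}))
}
```

A non-empty result lists the addresses to reconcile, either in DNS or in the node's configured addresses, before the kubelet submits a new CSR.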