Approving a CSR (Certificate Signing Request) generates a signed certificate that a client can use to authenticate to the Kube API server. For example, you can reference the signed certificate in ~/.kube/config.
Let’s say we already have user1.key and user1.csr.
- Encode the CSR file into a single-line base64 string:
cat user1.csr | base64 -w 0
- Create a CSR object. Paste the result from step #1 into the request field:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: user1
spec:
  groups:
  - system:authenticated
  request: # paste the base64-encoded CSR file here
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
- Check that the CSR object was created. Notice it’s in Pending status.
k get csr
NAME    AGE   SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
user1   4s    kubernetes.io/kube-apiserver-client   kubernetes-admin   <none>              Pending
- Approve the request
k certificate approve user1
certificatesigningrequest.certificates.k8s.io/user1 approved
- Check the CSR status
k get csr
NAME    AGE   SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
user1   17m   kubernetes.io/kube-apiserver-client   kubernetes-admin   <none>              Approved,Issued
- Get the signed cert from the CSR object’s status.certificate field:
kubectl get csr user1 -o jsonpath='{.status.certificate}' | base64 -d > approved.crt
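
Before the approve step above, it helps to check which identity the request asks for: with client certificates the API server takes the subject's CN as the username and each O as a group. The script below is an added example, not part of the original procedure; the function names `csr_attr` and `csr_review`, the file name `pending.csr` and the rule of rejecting `system:` names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: review the identity a CSR requests before approving it.
# To review what is actually stored in the cluster, first dump the request:
#   kubectl get csr user1 -o jsonpath='{.spec.request}' | base64 -d > pending.csr
#   csr_review pending.csr user1 && kubectl certificate approve user1

# Print the value(s) of one subject attribute, one per line.
# $1 = CSR PEM file, $2 = attribute long name (commonName, organizationName)
csr_attr() {
  openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
    sed -n "s/^ *$2 *= //p"
}

# Return 0 only if the CSR is well formed, names the expected user and
# requests no reserved (system:*) username or group.
# $1 = CSR PEM file, $2 = username the approver expects
csr_review() {
  csr=$1
  want=$2

  # The request must parse and carry a valid self-signature.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "reject: not a valid CSR"; return 2; }

  cn=$(csr_attr "$csr" commonName)
  case $cn in
    system:*) echo "reject: reserved username '$cn'"; return 1 ;;
  esac
  # Several CN values come back as several lines and fail this comparison too.
  [ "$cn" = "$want" ] ||
    { echo "reject: CN '$cn' is not the expected '$want'"; return 1; }

  # Every O value becomes a group; refuse built-in privileged groups.
  while IFS= read -r org; do
    case $org in
      system:*) echo "reject: reserved group '$org'"; return 1 ;;
    esac
  done <<EOF
$(csr_attr "$csr" organizationName)
EOF

  groups=$(csr_attr "$csr" organizationName | paste -sd, -)
  echo "ok: user=$cn groups=${groups:-<none>}"
}
```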