While I am trying to approve the certificate for RBAC in Kubernetes I am getting an error.
I created a certificate request for Kubernetes for student-csr:
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: student-csr
spec:
  groups:
  - system:authenticated
  request: <encoded key>
  usages:
  - digital signature
  - key encipherment
  - client auth
Then I ran kubectl create -f signing-request.yaml
and the output was:
certificatesigningrequest.certificates.k8s.io/student-csr created
And then kubectl get csr
shows
So far so good. But the problem occurred when I tried to approve it by kubectl certificate approve student-csr
I don't have any idea why. I tried to search but there is nothing similar to this kind of error.
Tools I am using:
- Using minikube with minikube start --container-runtime=docker --vm-driver=virtualbox
Any kind of help much appreciated.
Thank you in advance.
It seems you have two versions of CSR. Change your student-csr version to certificates.k8s.io/v1, it will work I guess.
The certificates controller is not enabled by default in Minikube; there is an open issue: https://github.com/kubernetes/minikube/issues/1647
This is the reason why you can create your API object but cannot approve the certificate.
However, it may be possible to make it work using extra params: https://github.com/kubernetes/minikube/issues/1647#issuecomment-311138886
I got the same issue as you with my minikube (minikube v1.24.0). Kubectl was not the reason for the error:
kubectl version --short
Client Version: v1.22.3
Server Version: v1.22.3
Got the same error as you mentioned:
error: unable to recognize "*****.yml": no matches for kind "CertificateSigningRequest" in version "certificates.k8s.io/v1beta1"
I solved the problem by changing the apiVersion and adding the signerName item in my yaml file:
apiVersion: certificates.k8s.io/v1beta1
to
apiVersion: certificates.k8s.io/v1
The successfully applied final manifest file version is as below:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: mycsr
spec:
  groups:
  - system:authenticated
  request: <BASE64_CSR>
  signerName: kubernetes.io/kube-apiserver
  usages:
  - digital signature
  - key encipherment
  - server auth
  - client auth
I faced this issue while I was running kubectl version v1.17 and my k8s cluster was version v1.19:
$ kubectl version --short
Client Version: v1.17.0
Server Version: v1.19.2
I fixed it by updating my kubectl to v1.19:
$ kubectl version --short
Client Version: v1.19.0
Server Version: v1.19.2
In the Kubernetes v1.19 release notes you can find the following changes:
The CertificateSigningRequest API is promoted to certificates.k8s.io/v1 with the following changes:
- spec.signerName is now required, and requests for kubernetes.io/legacy-unknown are not allowed to be created via the certificates.k8s.io/v1 API
- spec.usages is now required, may not contain duplicate values, and must only contain known usages
- status.conditions may not contain duplicate types
- status.conditions[*].status is now required
- status.certificate must be PEM-encoded, and contain only CERTIFICATE blocks (#91685, @liggitt) SIG API Machinery, Architecture, Auth, CLI and Testing
So the error you see:
no kind "CertificateSigningRequest" is registered for version "certificates.k8s.io/v1"
means that you should be using apiVersion: certificates.k8s.io/v1 instead of apiVersion: certificates.k8s.io/v1beta1.
In order to change your API versions you can use the kubectl convert command:
Convert config files between different API versions. Both YAML and JSON formats are accepted.
The command takes filename, directory, or URL as input, and convert it into format of version specified by --output-version flag. If target version is not specified or not supported, convert to latest version.
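An added example (not part of any answer in this thread, and not Kubernetes code): a small Python pre-flight check that applies the v1 rules quoted from the release notes to a manifest before it is sent to the cluster. The sample manifests are constructed from the one in the question, and the signer name kubernetes.io/kube-apiserver-client in the corrected copy is an assumption.

```python
# Added example: pre-flight lint of a CertificateSigningRequest manifest
# against the certificates.k8s.io/v1 rules quoted from the v1.19 release notes.
KNOWN_USAGES = {
    "signing", "digital signature", "content commitment", "key encipherment",
    "key agreement", "data encipherment", "cert sign", "crl sign",
    "encipher only", "decipher only", "any", "server auth", "client auth",
    "code signing", "email protection", "s/mime", "ipsec end system",
    "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing",
    "microsoft sgc", "netscape sgc",
}

def lint_csr(manifest):
    """Return what must change for the manifest to be valid as v1 (empty = OK)."""
    if manifest.get("kind") != "CertificateSigningRequest":
        return ["kind is not CertificateSigningRequest"]
    problems = []
    if manifest.get("apiVersion") != "certificates.k8s.io/v1":
        problems.append("apiVersion must be certificates.k8s.io/v1")
    spec = manifest.get("spec") or {}
    signer = spec.get("signerName")
    if not signer:
        problems.append("spec.signerName is required")
    elif signer == "kubernetes.io/legacy-unknown":
        problems.append("kubernetes.io/legacy-unknown is not allowed via v1")
    usages = spec.get("usages") or []
    if not usages:
        problems.append("spec.usages is required")
    dupes = sorted({u for u in usages if usages.count(u) > 1})
    if dupes:
        problems.append("duplicate usages: " + ", ".join(dupes))
    unknown = sorted(set(usages) - KNOWN_USAGES)
    if unknown:
        problems.append("unknown usages: " + ", ".join(unknown))
    return problems

# Constructed sample: the manifest from the question, as a Python dict.
QUESTION = {
    "apiVersion": "certificates.k8s.io/v1beta1",
    "kind": "CertificateSigningRequest",
    "metadata": {"name": "student-csr"},
    "spec": {"groups": ["system:authenticated"], "request": "<encoded key>",
             "usages": ["digital signature", "key encipherment", "client auth"]},
}
# Corrected copy; the signer name is an assumption (built-in client-cert signer).
FIXED = {**QUESTION, "apiVersion": "certificates.k8s.io/v1",
         "spec": {**QUESTION["spec"],
                  "signerName": "kubernetes.io/kube-apiserver-client"}}

if __name__ == "__main__":
    for name, doc in (("question", QUESTION), ("fixed", FIXED)):
        print(name, lint_csr(doc) or "ok")
```

The check covers only the spec rules listed in the release notes; it does not decode or verify the request field itself.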
You might have skipped the configuring cgroup driver step when installing kubeadm. Check out this resource: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#configuring-a-cgroup-driver