While I am trying to approve the certificate for RBAC in Kubernetes I am getting error.
I create a certificate request for Kubernetes for student-csr
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: student-csr
spec:
groups:
- system:authenticated
request: <encoded key>
usages:
- digital signature
- key encipherment
- client authThen I ran kubectl create -f signing-request.yaml and out put was <pre>certificatesigningrequest.certificates.k8s.io/student-csr created</pre>
And then kubectl get csr shows
So far so good. But the problem occurred when I tried to approve it by kubectl certificate approve student-csr
I don't have any idea why. I tried to search but there is nothing similar to this kind of error.
Tools I am using:
*** Using minikube with minikube start --container-runtime=docker --vm-driver=virtualbox
Any kind of help much appreciated.
Thank you in advance.
It seems you have two version of csr. Change your student-csr version to certificates.k8s.io/v1 , it will work I guess.
The certificates controller is not enabled by default in Minikube, there is an opened issue : https://github.com/kubernetes/minikube/issues/1647
This is the reason why you can create your API object but cannot approve the certificate.
However, it may be possible to make it work using extra params : https://github.com/kubernetes/minikube/issues/1647#issuecomment-311138886
I got same issue as you with my minikube (minikube v1.24.0). Kubectl was not the reason of the error:
kubectl version --short
Client Version: v1.22.3
Server Version: v1.22.3Got the same error as you mentioned:
error: unable to recognize "*****.yml": no matches for kind "CertificateSigningRequest" in version "certificates.k8s.io/v1beta1"I solved the problem with changing the apiVersion and adding signerName items in my yaml file:
apiVersion: certificates.k8s.io/v1beta1
to
apiVersion: certificates.k8s.io/v1Successfully applied final maniefst file version is as below:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: mycsr
spec:
groups:
- system:authenticated
request: <BASE64_CSR>
signerName: kubernetes.io/kube-apiserver
usages:
- digital signature
- key encipherment
- server auth
- client auth I faced this issue while I was running kubectl version v1.17 and my k8s cluster was version v1.19:
$ kubectl version --short
Client Version: v1.17.0
Server Version: v1.19.2I fixed it by updating my kubectl to v1.19
$ kubectl version --short
Client Version: v1.19.0
Server Version: v1.19.2In the Kubernetes v1.19 release notes you can find the following changes:
The
CertificateSigningRequestAPI is promoted tocertificates.k8s.io/v1with the following changes:
spec.signerNameis now required, and requests forkubernetes.io/legacy-unknownare not allowed to be created via thecertificates.k8s.io/v1API
spec.usages isnow required, may not contain duplicate values, and must only contain known usages
status.conditionsmay not contain duplicate types
status.conditions[*].statusis now required
status.certificatemust be PEM-encoded, and contain only CERTIFICATE blocks (#91685, @liggitt) SIG API Machinery, Architecture, Auth, CLI and Testing
So the error you see:
no kind "CertificateSigningRequest" is registered for version "certificates.k8s.io/v1"means that you should be using apiVersion: certificates.k8s.io/v1 instead of apiVersion: certificates.k8s.io/v1beta1.
In order to change your API versions you can use the kubectl convert command:
Convert config files between different API versions. Both YAML and JSON formats are accepted.
The command takes filename, directory, or URL as input, and convert it into format of version specified by
--output-versionflag. If target version is not specified or not supported, convert to latest version.
You might have skipped the configuring cgroup driver step when installing kubeadm Check out this resource: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#configuring-a-cgroup-driver