Use Case: Create a CertificateSigningRequest object with the name datalake with the contents of the datalake.csr file.

Please note that an additional field called signerName should also be added when creating the CSR. For client authentication to the API server we will use the built-in signer kubernetes.io/kube-apiserver-client.

Step1: Download the sample file from https://github.com/prashant-raghava/CSR
devopsbaba~ ➜ cat > datalake.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser
spec:
  request: <CSR>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
Step2: Update datalake.yaml: set metadata.name to datalake (the sample uses myuser) and replace the <CSR> placeholder in the request field with the contents of datalake.csr. Before pasting it in, the CSR must be converted to base64 as shown below:
** Note: We used -w 0 so the output is a single line, since the request field holds one string value
devopsbaba~ ➜ cat datalake.csr | base64 -w 0
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZV3R6YUdGNU1JSUJJakFOQmdrcWhraUc5
dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQTB1M2hnQUYyd2xMYWRlZ1FFcnUwenFCMUxwWGFQbVlzT0t4NkZpMThzdDByCmdxaVRlbEhBakZkTC9tQlNqdlZETW
dqbW5hQjZ4MGZZaGxkdW41WEdFREtLdGh5RnB2Q3AzaG8rbVdqWkpqODcKYWxDSUJkUG40TXRmaW9ucW00a1FObVdpalhKOHdCQVBDY0c4cyt0OHB6dHI1ajFTS0JNZ
HZLTE5TcFZYUHEvNQpoQXJ6WWZZNm9pYkt1YWJ2b2dWejNHN0JhM3FxcENLOVFpc05WR0xEWXBQTVp3aE1TK0lYQmNBYjVLWWs5TWRNCjQvcmtvTENyUmdUOVAyR2
RJbWNLTCtZdXZvQXdHbkl6Mm1XSTBvend1ZlBYSGdQdnltcDdQSXlFU1hrVG9waDUKTUpEVnFqSlYxLy9BazZWZTRDUHRHcVpLNVRPZFFZUW1tZ2FMa2xLTEhRSURBUUF
Cb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBS3NnSUJBQ1VxMDFKNTNDdEJIaTF0RkxXaVZnNnpRdWFqVFpQeGx2QW9jb1dxS2pLUUR2CjRjSXlSV0k0QWpGUE
pXTEZ1TC9GbmxuTDlSK3pRemhuNHBWbHJRRVhhOXJkNVZLZEp4SkVCdVVSNDZJOXpBakEKVmFWYTNIVVZvUnZQZ1poT21HbVlCOCt2MllIWWZ6MXF5b0NuV0k4REI1R
jZseWpBTVpwUnlLSlZOalpxZWVDRApDZnlsQXBackpsOTk3OEhTN0ZnTk5Va3VoNDB0Q3QvdklIRDRiUmplWVZ4ZEx2S2JQTkorUXZvbDNUcHBDVDZBCmppc09iL3NyVFhBK
zJGd1d5aUtvRDJqTjlqWGNMdGtCb3h4dkpYWFp1NmRFek1vRG15L3lBV2JvZ2pPNDVndUUKbXhJMjFPbXNnU1ZqelZtSkhJTkV5UWxJK2ptUXNyNllrcTg9Ci0tLS0tRU5EIENFU
lRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
New datalake.yaml will look like below:
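As an added example, not code from the original post or the linked repository, the following POSIX shell script automates Step1 and Step2: it base64-encodes a CSR file on a single line (without relying on the GNU-only -w 0 flag), emits the CertificateSigningRequest manifest with the signerName and usages fields filled in, and can decode the request field back out of a manifest so that whoever approves the request can inspect the subject with openssl first. The function names (build_csr_manifest, decode_request_field, csr_subject) and the constructed sample CSR used in the test are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build a CertificateSigningRequest
# manifest from a PEM CSR file, and decode the request field back out of a
# manifest so the CSR can be inspected before anyone approves it.
set -eu

# Encode a file as single-line base64. GNU base64 accepts -w 0, BSD/macOS
# base64 does not; stripping the newlines works on both.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Print a certificates.k8s.io/v1 CertificateSigningRequest manifest for the
# given object name, CSR file and signer (default: the built-in client signer).
# The usage is fixed to "client auth", which is what the
# kubernetes.io/kube-apiserver-client signer issues certificates for.
build_csr_manifest() {
  name=$1
  csr_file=$2
  signer=${3:-kubernetes.io/kube-apiserver-client}
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${name}
spec:
  request: $(b64_oneline "$csr_file")
  signerName: ${signer}
  usages:
  - client auth
EOF
}

# Pull the base64 request field out of a manifest (file argument or stdin)
# and decode it back to PEM. Works on the manifest written above and on the
# output of "kubectl get csr <name> -o yaml", which uses the same indentation.
decode_request_field() {
  sed -n 's/^  request: //p' "$@" | base64 -d
}

# Show the subject of a PEM CSR (file argument or stdin; needs openssl).
# For certificates signed by kubernetes.io/kube-apiserver-client the CN
# becomes the Kubernetes username and each O becomes a group, so this is the
# identity an approver is granting when running "kubectl certificate approve".
csr_subject() {
  openssl req -in "${1:-/dev/stdin}" -noout -subject
}

# Usage: ./csr-manifest.sh <object-name> <csr-file> [signerName]
if [ $# -ge 2 ]; then
  build_csr_manifest "$@"
fi
```

To review a request that is already in the cluster before approving it, the same helpers chain onto kubectl: `kubectl get csr datalake -o yaml | decode_request_field | csr_subject`. If the CN or O values are not the ones the requester is entitled to, the request should be denied rather than approved.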
Step3: Create the CertificateSigningRequest object
devopsbaba~ ➜ kubectl create -f datalake.yaml
certificatesigningrequest.certificates.k8s.io/datalake created
Step4: Verify the request
devopsbaba~ ➜ kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
datalake 67s kubernetes.io/kube-apiserver-client kubernetes-admin <none> Pending
csr-w424c 31m kubernetes.io/kube-apiserver-client-kubelet system:node:devopsbaba <none> Approved,Issued
Step5: Approve the certificate request:
devopsbaba~ ➜ kubectl certificate approve datalake
certificatesigningrequest.certificates.k8s.io/datalake approved
Step6: Check the CSR requests in the cluster again; the datalake request is now Approved
devopsbaba~ ➜ kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
datalake 67s kubernetes.io/kube-apiserver-client kubernetes-admin <none> Approved
csr-w424c 31m kubernetes.io/kube-apiserver-client-kubelet system:node:devopsbaba <none> Approved,Issued
Step7: Deny and delete a certificate request. First, inspect the request:
devopsbaba~ ➜ kubectl get csr agent-smith -o yaml
Step8: Deny the certificate request received from agent-X
devopsbaba~ ➜ kubectl certificate deny agent-X
certificatesigningrequest.certificates.k8s.io/agent-X denied
Step9: Delete the CSR object
devopsbaba~ ➜ kubectl delete csr agent-X
certificatesigningrequest.certificates.k8s.io "agent-X" deleted