Checking and approving pending CSRs in an OpenShift Cluster

November 16, 2021

After installing an OpenShift cluster, it’s essential to log in and check for Certificate Signing Requests (CSRs). Regularly monitoring and approving these requests ensures that nodes and services in your cluster are correctly authenticated and authorized.

[admin@ocp4 try]$ oc get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR                                        CONDITION
csr-6m4m7   4m29s   kubernetes.io/kube-apiserver-client-kubelet   system:node:etcd-2.okd4.home.lab                 Approved,Issued
csr-7qww9   4m13s   kubernetes.io/kube-apiserver-client-kubelet   system:node:okd4-compute-1.okd4.home.lab         Approved,Issued
csr-glzgb   4m29s   kubernetes.io/kube-apiserver-client-kubelet   system:node:okd4-control-plane-1.okd4.home.lab   Pending
csr-lsdcc   4m19s   kubernetes.io/kube-apiserver-client-kubelet   system:node:etcd-3.okd4.home.lab                 Pending
csr-nwjpv   35s     kubernetes.io/kube-apiserver-client-kubelet   system:node:okd4-control-plane-1.okd4.home.lab   Approved,Issued

As shown above, some certificates are in a ‘Pending’ status. To approve each of them manually, use the following command:

oc adm certificate approve <csr_name>

Alternatively, you can use the jq tool to approve all pending CSRs at once:

[admin@ocp4 try]$ oc get csr -ojson | jq -r '.items[] | select(.status == {} ) | .metadata.name' | xargs oc adm certificate approve
certificatesigningrequest.certificates.k8s.io/csr-glzgb approved
certificatesigningrequest.certificates.k8s.io/csr-lsdcc approved

After running the approval commands, verify that all CSRs have been approved:

[admin@ocp4 try]$ oc get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR                                        CONDITION
csr-6m4m7   5m5s    kubernetes.io/kube-apiserver-client-kubelet   system:node:etcd-2.okd4.home.lab                 Approved,Issued
csr-7qww9   4m49s   kubernetes.io/kube-apiserver-client-kubelet   system:node:okd4-compute-1.okd4.home.lab         Approved,Issued
csr-glzgb   5m5s    kubernetes.io/kube-apiserver-client-kubelet   system:node:okd4-control-plane-1.okd4.home.lab   Approved,Issued
csr-lsdcc   4m55s   kubernetes.io/kube-apiserver-client-kubelet   system:node:etcd-3.okd4.home.lab                 Approved,Issued
csr-nwjpv   71s     kubernetes.io/kube-apiserver-client-kubelet   system:node:okd4-control-plane-1.okd4.home.lab   Approved,Issued
[admin@ocp4 try]$ 

Regularly checking and approving pending CSRs is a vital administrative task in managing an OpenShift cluster. This process helps maintain the security and proper functioning of the cluster.

Checking and approving pending CSRs in an OpenShift Cluster

You may also enjoy

Kubernetes Network

Force deleting stuck resources in Kubernetes

Installing Kubernetes Cluster at the Homelab: Cluster setup

Installing Kubernetes Cluster at the Homelab: Installation