When new nodes are added to an OpenShift cluster, certificate signing requests (CSRs) are generated on the nodes and sent to the API server for signing. You need to approve these certificate signing requests for bootstrapping to complete. This short guide demonstrates how to list pending CSRs and approve them in the cluster.
Log in to the bastion machine where the oc command-line tool has been installed and configured. Confirm you can connect to the cluster by checking the available nodes.
oc get nodes
If you get the error message:
error: You must be logged in to the server (Unauthorized)
Then check that the correct kubeconfig file is referenced.
List Pending CSR in OpenShift 4.x
To list all certificate signing requests – both recently approved and pending, run the following command:
$ oc get csr
NAME AGE REQUESTOR CONDITION
csr-bw4xs 45m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Approved,Issued
csr-jqnrf 22m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Approved,Issued
csr-ksdzn 6m51s system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Approved,Issued
csr-sbkbh 4m21s system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending
You can further filter the output to show only the ones pending approval:
$ oc get csr | grep -i pending
csr-sbkbh 5m4s system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending
Approve Pending CSR in OpenShift 4.x
To approve a single CSR by name:
oc adm certificate approve <certname>
To approve all pending CSRs with a single command:
oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve
Or with the command:
for i in `oc get csr --no-headers | grep -i pending | awk '{ print $1 }'`; do oc adm certificate approve $i; done
With jq command:
The same approval of multiple requests can be accomplished with the help of the jq command. First install it on your machine.
### CentOS / Fedora / RHEL ###
sudo yum -y install epel-release
sudo yum -y install jq
### Ubuntu / Debian ###
sudo apt update && sudo apt install jq
Then you can run the following command to approve all pending CSRs.
oc get csr -ojson | jq -r '.items[] | select(.status == {} ) | .metadata.name' | xargs oc adm certificate approve
Example output for approval of pending CSRs.
certificatesigningrequest.certificates.k8s.io/csr-sbkbh approved
certificatesigningrequest.certificates.k8s.io/csr-8crtk approved
Now confirm that all worker machines are part of the cluster and in the Ready state:
oc get nodes
If you want automatic approvals every minute, you can use a simple bash script like the one below.
#!/bin/bash
# Get and approve pending openshift csr
for i in `oc get csr | grep -i pending | awk '{ print $1 }'`; do oc adm certificate approve $i; done
A cron job can be used to check for requests in the background and approve them accordingly.
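A narrower variant of the automatic-approval loop above, added here as an example and not part of the original guide: it approves only Pending requests whose requestor is the node-bootstrapper service account seen in the listing, and leaves any other pending request for manual review. The function names and the last sample row are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original guide). Function names are hypothetical.
# Requestor taken from the `oc get csr` listing shown earlier on this page.
BOOTSTRAPPER='system:serviceaccount:openshift-machine-config-operator:node-bootstrapper'

# Reads `oc get csr --no-headers` rows on stdin and prints the NAME of each row
# whose last column is exactly "Pending" and which has a column equal to the
# requestor given as $1. Matching on whole columns avoids the substring hits
# that `grep -i pending` allows.
pending_csrs_from() {
  awk -v want="$1" '
    $NF == "Pending" {
      for (i = 2; i < NF; i++) if ($i == want) { print $1; break }
    }'
}

# Constructed sample rows in the column layout shown above.
# The last row uses a made-up requestor to show what gets skipped.
sample_rows() {
  cat <<'EOF'
csr-bw4xs 45m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Approved,Issued
csr-sbkbh 4m21s system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending
csr-x0000 1m system:serviceaccount:example-ns:example-sa Pending
EOF
}

# Approves only the bootstrapper's pending requests, one at a time.
approve_bootstrapper_csrs() {
  oc get csr --no-headers | pending_csrs_from "$BOOTSTRAPPER" |
    while read -r name; do oc adm certificate approve "$name"; done
}

# "demo" filters the sample rows offline; "approve" talks to the cluster.
case "${1:-}" in
  demo)    sample_rows | pending_csrs_from "$BOOTSTRAPPER" ;;
  approve) approve_bootstrapper_csrs ;;
esac
```

Run it with `demo` to see which names the filter selects from the sample rows, and with `approve` from the bastion (or from cron) to act on the cluster.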