CKA Mock exam2 : Question 5 issue

Hi Team,

I need assistance with this question. I am not sure why the CSR is approved and failed. Kindly assist. Thanks!

Q: ssh cluster1-controlplane to solve this question.

Create a new user called john. Grant him access to the cluster using a csr named john-developer. Create a role developer which should grant John the permission to create, list, get, update and delete pods in the development namespace. The private key exists in the location: /root/CKA/john.key and csr at /root/CKA/john.csr.

Important Note: As of kubernetes 1.19, the CertificateSigningRequest object expects a signerName.

My answer:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: john-developer
spec:
  request: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZEQ0NBVHdDQVFBd0R6RU5NQXNHQTFVRUF3d0VhbTlvYmpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRApnZ0VQQURDQ0FRb0NnZ0VCQUpROHBWZ1V2UGV0YzQzYS9tRCs0OFF4b0NCMkVUb3FBbTJ5RVZpdUJzWTd0c1RCCkIrVVNGSEZ5enBuT21MTG9RenMyeWNEUGR2T3k3djh4OUoydDF6ZTdhTEU5N0hGUFhaQ1RWeUdta0NZNThhYVgKcVFWYi9abm9ySlRNaGY4c0hnVkNSeTVlUjl4QzNHZXU5eXJrek5vTmd4VktabHNNelVvaUtSWDNvWW9yVC83dAp0UXAvWkY5SEZ0Tnp3bWNkN3lFRFZEN1ovVkd2NDgvZURObThvS1pFRzVFUHN6dGFNNDNXb0VuR3JhVENMMjNpCjVCOWZEcHNBdXlmS3o0WHV1R0ExZWRWZERCdXg2MWMza0oyeC83Y2pDSGVlaHp3Wnptd0ZNS0tCaHZSVkFsSm0KRFRHSzkyQmVLNm5TTVFlZ1Y5bTZqaDl5aWh5ZmdCYXowY21iMFJzQ0F3RUFBYUFBTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQWxjSUNFUG0wclo4ZjhYYTRqTUVEY2J6dnZqMlhIUllCbk5kTnpOREU0T2U3NGp0MnZaRmZpCmJKMVh1YXpyQklhNStxMjhNZ0dickxFWHBhbDBRRG9yVHQ1N1lmZEV1NlRXbVJwL2lPbUNMMkVtNjhZN3QvSEYKOE4wbnpXOTA4ODBPZ1F4TkhlaTZ5L2p6RWw0a1Bhb3gzUDRiRUd3ZE8xMFJLWmxmS29mR3dBcnRLN01qQ2pqVApFcWdmbVMrUnFidXBjTDRUZE5sNmoyejlOL2x2VmllRXA0UWYwbEI1MTBSWjJLUmg3d1h1R20rUlZHYm5FdVRFCkNQUVgyNzhrTDFMcFpubXJyWGI2V3ZOMXlWZVBiMVliL01CNHdQQW9TSTdXcUdMZk9INU0wa2p3SmYzN1JSTEcKRUF3ekswR3dGa1krcHQxaSt2MVhUcTJoYlU0bTZYKzQKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg=="
  signerName: "kubernetes.io/kube-apiserver-client"
  usages:
  - digital signature
  - key encipherment
  - server auth

cluster1-controlplane ~ ➜  k get csr
NAME             AGE   SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
john-developer   57m   kubernetes.io/kube-apiserver-client   kubernetes-admin   <none>              **Approved,Failed**

cluster1-controlplane ~ ➜  k describe rolebindings.rbac.authorization.k8s.io  -n development
Name:         developer
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  developer
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  john  

cluster1-controlplane ~ ➜  k describe role  -n development
Name:         developer
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [create list get update delete]

cluster1-controlplane ~ ➜  kubectl auth can-i update pods --as=john --namespace=development
yes

cluster1-controlplane ~ ➜  kubectl auth can-i create pods --as=john --namespace=development
yes

cluster1-controlplane ~ ➜  kubectl auth can-i list  pods --as=john --namespace=development
yes

cluster1-controlplane ~ ➜  kubectl auth can-i delet pods --as=john --namespace=development
Warning: verb 'delet' is not a known verb

no

cluster1-controlplane ~ ✖ kubectl auth can-i delete pods --as=john --namespace=development
yes     

cluster1-controlplane ~ ➜  k get role  -o yaml -n development
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    creationTimestamp: "2025-07-08T02:53:19Z"
    name: developer
    namespace: development
    resourceVersion: "14459"
    uid: 3402bb2d-2c88-44ad-95c2-08676669f8a6
  rules:
  - apiGroups:
    - ""
    resources:
    - pods
    verbs:
    - create
    - list
    - get
    - update
    - delete
kind: List
metadata:
  resourceVersion: ""

cluster1-controlplane ~ ➜  k get rolebindings.rbac.authorization.k8s.io  -o yaml -n development
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    creationTimestamp: "2025-07-08T02:54:40Z"
    name: developer
    namespace: development
    resourceVersion: "14624"
    uid: 1888748a-8f9f-4597-9a16-fb38af136ae1
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: developer
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: john
kind: List
metadata:
  resourceVersion: ""

Hi @sakshibag80

The first thing that looks odd is that the usage has a value of server auth. As john-developer would be a client talking to the APIServer, that needs to be client auth.
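To catch this before `kubectl apply`, here is a small pre-flight lint (an added example, not code from the thread or from Kubernetes) that reads a CSR manifest and checks spec.usages against the permitted usages for the signer. The rule for kubernetes.io/kube-apiserver-client is assumed from the Kubernetes signer documentation: usages must include "client auth" and must not include anything beyond "digital signature", "key encipherment" and "client auth", which is why "server auth" ends in Approved,Failed. The two manifests it checks are constructed in the script, with the base64 request replaced by a placeholder.

```shell
#!/bin/sh
# Added example: lint a CertificateSigningRequest manifest's spec.usages for its signer.
# Assumption (from the Kubernetes signer docs): kubernetes.io/kube-apiserver-client
# requires "client auth" and permits only "digital signature", "key encipherment",
# "client auth". Parsing is deliberately minimal (awk only, no YAML library).

# Read a manifest on stdin; print the value of a scalar key such as signerName.
csr_field() {
  awk -v key="$1" '$1 == key":" { v = $2; gsub(/["'\'']/, "", v); print v; exit }'
}

# Read a manifest on stdin; print each list entry under "usages:" on its own line.
csr_usages() {
  awk '
    /^[[:space:]]*usages:/ { inlist = 1; next }
    inlist && /^[[:space:]]*-/ { sub(/^[[:space:]]*-[[:space:]]*/, ""); gsub(/["'\'']/, ""); print; next }
    inlist { inlist = 0 }'
}

# check_csr_usages FILE: return 0 when the usages suit the signer, 1 with reasons on stderr.
check_csr_usages() {
  file=$1; rc=0; has_client=0
  signer=$(csr_field signerName < "$file")
  usages=$(csr_usages < "$file")
  case "$signer" in
    kubernetes.io/kube-apiserver-client)
      old_ifs=$IFS; IFS='
'
      for u in $usages; do
        case "$u" in
          "client auth") has_client=1 ;;
          "digital signature"|"key encipherment") ;;
          *) echo "$file: usage '$u' is not permitted for $signer" >&2; rc=1 ;;
        esac
      done
      IFS=$old_ifs
      [ "$has_client" -eq 1 ] || { echo "$file: 'client auth' missing for $signer" >&2; rc=1; }
      ;;
    *) echo "$file: no usage rule encoded for signer '$signer'; not checked" >&2 ;;
  esac
  return $rc
}

# Constructed sample manifests: the posted one (server auth) and the fixed one (client auth).
CSR_DIR=$(mktemp -d)
write_csr() {  # write_csr PATH THIRD_USAGE
  printf 'apiVersion: certificates.k8s.io/v1\nkind: CertificateSigningRequest\nmetadata:\n  name: john-developer\nspec:\n  request: "<base64 CSR omitted>"\n  signerName: "kubernetes.io/kube-apiserver-client"\n  usages:\n  - digital signature\n  - key encipherment\n  - %s\n' "$2" > "$1"
}
write_csr "$CSR_DIR/server-auth.yaml" "server auth"   # rejected by the check
write_csr "$CSR_DIR/client-auth.yaml" "client auth"   # passes the check
```

Run it as `check_csr_usages john-developer.yaml` on your own manifest; a non-zero exit with the reason on stderr means the signer would fail the request even after approval.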

Hi @Santosh_KodeKloud ,

Thanks for the reply.

The issue got resolved after changing server auth to client auth.

Below is from the Kubernetes documentation, which needs to be updated:

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: my-svc.my-namespace
spec:
  request: $(cat server.csr | base64 | tr -d '\n')
  signerName: example.com/serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

This Pod exposes a TLS endpoint and is reached via a Service DNS name, so its certificate must include the server auth usage to prove the server’s identity during the TLS handshake.

By contrast, when you generate a certificate for a client—such as kubectl or a service account—you include the client auth usage so the API server (or any other TLS server) can verify the client’s identity.