Hello all, I am practicing CKA, Mock-Exam-2 Here Question regaqrding john user . . .

Raja g:
Hello all,

I am practicing CKA, Mock-Exam-2

Here Question regaqrding john user csr approve…

I created csr for john-developer

controlplane $ kubectl apply -f john.yml
http://certificatesigningrequest.certificates.k8s.io/john-developer|certificatesigningrequest.certificates.k8s.io/john-developer created

controlplane $ kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
csr-btk8j 44m http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:96771a Approved,Issued
csr-gnvdl 44m http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet system:node:controlplane Approved,Issued
john-developer 8s http://kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client kubernetes-admin Pending

also approved it :

controlplane $ kubectl certificate approve john-developer
http://certificatesigningrequest.certificates.k8s.io/john-developer|certificatesigningrequest.certificates.k8s.io/john-developer approved

But, when I check the approved status it was approved… not Issued…

controlplane $ kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
csr-btk8j 44m http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:96771a Approved,Issued
csr-gnvdl 45m http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet system:node:controlplane Approved,Issued
john-developer 35s http://kubernetes.io/kube-apiserver-client|kubernetes.io/kube-apiserver-client kubernetes-admin Approved,Failed

please help me where I was wrong…

below is csr yaml file and result for your ref:

Thanks in advance…


Frankube:
Hi, the “client auth” should be not commented…and delete evethings in the bracket, please try again

Raja g:
Hey Frankube… It worked… Thanks…

But, still I just want to understand the diff b/w

[ “digital signature”, “key encipherment”, “server auth”] and “client auth”…

why it was not issued with [ “digital signature”, “key encipherment”, “server auth”] values before.?

could you please explain that…

Frankube:
They are others authentication that you don’t use…

Frankube:
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatesigningrequest

Frankube:
• "usages has to be ‘client auth
"

Mohamed Ayman:
Always check and use the documentation.

Raja g:
Thanks Frankube and MAyman…