How to list and approve pending CSRs in OpenShift 4.x


When you add a new node to an OpenShift cluster, the node generates a certificate signing request (CSR) and sends it to the API server for signing. You need to approve the CSR to complete the node's bootstrapping. This short guide demonstrates how to list pending CSRs and approve them in the cluster.

Log in to the bastion machine where the oc command-line tool has been installed and configured. Confirm that you can connect to the cluster by checking the available nodes.

$ oc get nodes

If you receive an error message:

error: You must be logged in to the server (Unauthorized)

Then check whether the correct kubeconfig file is referenced.

List pending CSRs in OpenShift 4.x

To list all certificate signing requests (both recently approved and pending), run the following command:

$ oc get csr
NAME        AGE     REQUESTOR                                                                   CONDITION
csr-bw4xs   45m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-jqnrf   22m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-ksdzn   6m51s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-sbkbh   4m21s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending

You can filter the output further to show only the requests that are pending approval:

$ oc get csr | grep -i pending
csr-sbkbh   5m4s    system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending

Approve pending CSR in OpenShift 4.x

To approve a single CSR by name:

$ oc adm certificate approve <certname>

To approve all pending CSRs with a single command:

for i in `oc get csr --no-headers | grep -i pending |  awk '{ print $1 }'`; do oc adm certificate approve $i; done

Use the jq command:

You can also use the jq command to complete the same approval for multiple requests. Install it on your machine first.

--- CentOS / Fedora / RHEL ---
$ sudo yum -y install jq

--- Ubuntu / Debian ---
$ sudo apt install jq

Then, you can run the following command to approve all pending CSRs.

oc get csr -ojson | jq -r '.items[] | select(.status == {} ) | .metadata.name' | xargs oc adm certificate approve

Sample output when pending CSRs are approved:

certificatesigningrequest.certificates.k8s.io/csr-sbkbh approved
certificatesigningrequest.certificates.k8s.io/csr-8crtk approved

Now, confirm that all worker machines have joined the cluster and are in the Ready state:

$ oc get nodes

If you want pending CSRs approved automatically every minute, you can use the following simple bash script.

#!/bin/bash
# Get and approve pending openshift csr
for i in `oc get csr | grep -i pending |  awk '{ print $1 }'`; do oc adm certificate approve $i; done

A cron job can run the script in the background to check for requests and approve them accordingly.
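
The approve-all loop and the cron job above sign whatever is pending, so a triage step in front of them is useful. This is an added example, not part of the original guide: it reads `oc get csr -o json` and passes through only CSRs from the node-bootstrapper account or from a node you expect. Assumptions: CSRs carry `spec.signerName` (certificates.k8s.io/v1), the function names, the allowlist of node names and the sample data are all constructed for illustration.

```python
import json
import sys

# Requestor shown in the `oc get csr` output above for new-node client CSRs.
BOOTSTRAPPER = "system:serviceaccount:openshift-machine-config-operator:node-bootstrapper"
# Kubernetes built-in signer names for kubelet client and serving certificates.
CLIENT_SIGNER = "kubernetes.io/kube-apiserver-client-kubelet"
SERVING_SIGNER = "kubernetes.io/kubelet-serving"
NODE_PREFIX = "system:node:"

# Constructed sample shaped like `oc get csr -o json` output (not real cluster data).
SAMPLE = {"items": [
    {"metadata": {"name": "csr-done"}, "spec": {"username": BOOTSTRAPPER, "signerName": CLIENT_SIGNER},
     "status": {"conditions": [{"type": "Approved"}]}},
    {"metadata": {"name": "csr-client"}, "spec": {"username": BOOTSTRAPPER, "signerName": CLIENT_SIGNER}, "status": {}},
    {"metadata": {"name": "csr-serving-ok"}, "spec": {"username": "system:node:worker-3", "signerName": SERVING_SIGNER}, "status": {}},
    {"metadata": {"name": "csr-serving-unknown"}, "spec": {"username": "system:node:worker-9", "signerName": SERVING_SIGNER}, "status": {}},
    {"metadata": {"name": "csr-other"}, "spec": {"username": "developer", "signerName": CLIENT_SIGNER}, "status": {}},
]}

def is_pending(csr):
    """A CSR is pending while it has neither an Approved nor a Denied condition."""
    conditions = (csr.get("status") or {}).get("conditions") or []
    return not any(c.get("type") in ("Approved", "Denied") for c in conditions)

def triage(csr_list, expected_nodes):
    """Return (names to approve, [(name, requestor, signer)] to hold for review)."""
    approve, hold = [], []
    for csr in csr_list.get("items", []):
        if not is_pending(csr):
            continue
        name = csr["metadata"]["name"]
        spec = csr.get("spec", {})
        user, signer = spec.get("username", ""), spec.get("signerName", "")
        if user == BOOTSTRAPPER and signer == CLIENT_SIGNER:
            approve.append(name)  # node name is inside spec.request; not decoded here
        elif (signer == SERVING_SIGNER and user.startswith(NODE_PREFIX)
              and user[len(NODE_PREFIX):] in expected_nodes):
            approve.append(name)
        else:
            hold.append((name, user, signer))
    return approve, hold

if __name__ == "__main__":  # oc get csr -o json | python3 triage_csr.py worker-3
    approve, hold = triage(json.load(sys.stdin), set(sys.argv[1:]))
    for held in hold:
        print("HOLD", *held, file=sys.stderr)
    print("\n".join(approve))
```

The names printed on standard output can be piped to `xargs oc adm certificate approve`; anything reported as HOLD is left pending so it can be inspected with `oc describe csr <name>`.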
