How To List and Approve Pending CSR in OpenShift 4.x


When new nodes are added to an OpenShift cluster, CSRs are generated at the node level and sent to the API server for signing. You need to approve the certificate signing requests for the bootstrapping to complete. This short guide demonstrates how to list pending CSRs and approve them in the cluster.

Log in to the bastion machine where the oc command line tool has been installed and configured. Confirm you can connect to the cluster by checking available nodes.

$ oc get nodes

If you get the error message:

error: You must be logged in to the server (Unauthorized)

Then check whether the correct kubeconfig file is referenced.

List Pending CSR in OpenShift 4.x

To list all certificate signing requests – both recently approved and pending, run the following command:

$ oc get csr
NAME        AGE     REQUESTOR                                                                   CONDITION
csr-bw4xs   45m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-jqnrf   22m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-ksdzn   6m51s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-sbkbh   4m21s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending

You can further filter the output to show only the ones pending approval:

$ oc get csr | grep -i pending
csr-sbkbh   5m4s    system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending

Approve Pending CSR in OpenShift 4.x

To approve a single CSR by name:

oc adm certificate approve <csr_name>

To approve all pending CSRs with a single command:

oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve

Or with the command:

for i in $(oc get csr --no-headers | grep -i pending | awk '{print $1}'); do oc adm certificate approve "$i"; done

With jq command:

The same approval of multiple requests can be accomplished with the help of the jq command. First install it on your machine.

### CentOS / Fedora / RHEL ###
sudo yum -y install epel-release
sudo yum -y install jq

### Ubuntu / Debian ###
$ sudo apt install jq

Then you can run the following command to approve all pending CSRs.

oc get csr -ojson | jq -r '.items[] | select(.status == {} ) | .metadata.name' | xargs oc adm certificate approve

Example output for approval of pending CSRs:

approved
approved

Now confirm that all worker machines are part of the Cluster and in Ready state:

$ oc get nodes

If you want automatic approvals every minute, you can use a simple bash script like the one below.

# Get and approve pending openshift csr
for i in $(oc get csr | grep -i pending | awk '{print $1}'); do oc adm certificate approve "$i"; done

A cron job can be used to check for requests in the background and approve them accordingly.
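
The loop above approves every request whose row contains the word "pending", whoever submitted it, which matters once it runs unattended from cron. The following added example (not part of the original article) reads `oc get csr --no-headers` output and passes on only Pending requests from the node-bootstrapper service account or from `system:node:<name>` for a node you expect. The function name, the node names and the sample rows are constructed placeholders, and the `system:node:` requestor form for later kubelet requests is an assumption not shown in the output above.

```shell
#!/bin/sh
# Added example: pick which Pending CSRs to approve instead of approving all.

# Requestor shown in this article's output for node bootstrap CSRs.
BOOTSTRAPPER='system:serviceaccount:openshift-machine-config-operator:node-bootstrapper'

# select_csrs "<space-separated expected node names>"   (hypothetical helper)
# Reads `oc get csr --no-headers` rows on stdin, prints the names to approve.
# Note: the table does not show the node name requested inside the CSR, so
# this checks the requestor only; inspect the CSR itself for the subject.
select_csrs() {
  awk -v boot="$BOOTSTRAPPER" -v nodes="$1" '
    BEGIN {
      n = split(nodes, a, " ")
      for (i = 1; i <= n; i++) ok["system:node:" a[i]] = 1
    }
    $NF != "Pending" { next }        # exact match on the CONDITION column
    {
      # The REQUESTOR column position differs between oc versions, so scan
      # every field between NAME and CONDITION for an allowed requestor.
      for (f = 2; f < NF; f++)
        if ($f == boot || ($f in ok)) { print $1; next }
      print "skipped " $1 ": unexpected requestor" > "/dev/stderr"
    }'
}

# Constructed sample rows in the article's column layout (not cluster output).
SAMPLE='csr-aaaaa   45m   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-bbbbb   4m    system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
csr-ccccc   3m    system:node:worker-0.example.com   Pending
csr-ddddd   2m    system:node:unknown.example.com    Pending
csr-pending 1m    system:serviceaccount:default:builder   Approved,Issued
csr-eeeee   1m    system:serviceaccount:default:builder   Pending'

# Runs the filter over the sample with two expected (placeholder) node names.
demo() {
  printf '%s\n' "$SAMPLE" | select_csrs "worker-0.example.com worker-1.example.com"
}

# Live use, from a session where oc is logged in:
#   oc get csr --no-headers | select_csrs "worker-0.example.com" \
#     | xargs --no-run-if-empty oc adm certificate approve
```

On the sample, `demo` selects `csr-bbbbb` and `csr-ccccc`, while `grep -i pending` would also have matched the already-approved `csr-pending` row and the two requests from unexpected requestors.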
