Openshift - configure_CSR_autoapproval



This document describes how to add automatic approval of certificate signing requests (CSRs) to an existing OpenShift cluster.

Alternatively, you can enable this feature at cluster installation time by adding the following variable to your inventory file:

openshift_master_bootstrap_auto_approve=true

This variable is described in the OpenShift docs.



Limitations

  1. The OpenShift cluster version is 3.11.
  2. You must have cluster admin rights.

Steps

  1. Log in to the cluster with the CLI or the web console.
  2. Apply the autoapprover.yml file from the web console or using the CLI:

    oc apply -f autoapprover.yml


Content of autoapprover.yml:

    kind: ClusterRole
    apiVersion: v1
    metadata:
      name: system:node-bootstrap-autoapprover
    rules:
    - apiGroups:
      - certificates.k8s.io
      resources:
      - certificatesigningrequests
      verbs:
      - delete
      - get
      - list
      - watch
    - apiGroups:
      - certificates.k8s.io
      resources:
      - certificatesigningrequests/approval
      verbs:
      - create
      - update
    ---
    kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: bootstrap-autoapprover
      namespace: openshift-infra
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: bootstrap-autoapprover
    roleRef:
      kind: ClusterRole
      name: system:node-bootstrap-autoapprover
    subjects:
    - kind: User
      name: system:serviceaccount:openshift-infra:bootstrap-autoapprover
      apiVersion: rbac.authorization.k8s.io/v1
    ---
    kind: StatefulSet
    apiVersion: apps/v1beta1
    metadata:
      name: bootstrap-autoapprover
      namespace: openshift-infra
      annotations:
        # keeps the signer container's image in sync with the node:v3.11 image stream tag
        image.openshift.io/triggers: |
          [{"from":{"kind":"ImageStreamTag","name":"node:v3.11"},"fieldPath":"spec.template.spec.containers[?(@.name==\"signer\")].image"}]
    spec:
      updateStrategy:
        type: RollingUpdate
      template:
        metadata:
          labels:
            app: bootstrap-autoapprover
        spec:
          nodeSelector:
            node-role.kubernetes.io/master: 'true'
          serviceAccountName: bootstrap-autoapprover
          terminationGracePeriodSeconds: 1
          containers:
          - name: signer
            image: " "  # placeholder; the trigger annotation above fills in the node:v3.11 image
            command:
            - /bin/bash
            - -c
            args:
            - |
              #!/bin/bash
              set -o errexit
              set -o nounset
              set -o pipefail

              unset KUBECONFIG
              cat <<SCRIPT > /tmp/signer
              #!/bin/bash
              #
              # It will approve any CSR that is not approved yet, and delete any CSR that expired more than 60 seconds
              # ago.
              #

              set -o errexit
              set -o nounset
              set -o pipefail

              name=\${1}
              condition=\${2}
              certificate=\${3}
              username=\${4}

              # auto approve
              if [[ -z "\${condition}" && ("\${username}" == "system:serviceaccount:openshift-infra:node-bootstrapper" || "\${username}" == "system:node:"* || "\${username}" == "system:admin") ]]; then
                oc adm certificate approve "\${name}"
                exit 0
              fi

              # check certificate age
              if [[ -n "\${certificate}" ]]; then
                text="\$( echo "\${certificate}" | base64 -d - )"
                if ! echo "\${text}" | openssl x509 -noout; then
                  echo "error: Unable to parse certificate" >&2
                  exit 1
                fi
                if ! echo "\${text}" | openssl x509 -checkend -60 > /dev/null; then
                  echo "Certificate is expired, deleting"
                  oc delete csr "\${name}"
                fi
                exit 0
              fi
              SCRIPT
              chmod u+x /tmp/signer

              # run /tmp/signer for every CSR event with: name, condition types, certificate, requesting username
              exec oc observe csr --maximum-errors=1 --resync-period=10m -a '{.status.conditions[*].type}' -a '{.status.certificate}' -a '{.spec.username}' -- /tmp/signer
    ---
    apiVersion: image.openshift.io/v1
    kind: ImageStreamTag
    metadata:
      name: node:v3.11
      namespace: openshift-infra
    tag:
      reference: true
      from:
        kind: DockerImage
        name: artifactorycn.ORG.com:17011/openshift/node:v3.11.0
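
To make explicit what the signer above trusts, here is an added example (not code from this page or from openshift-ansible) that reproduces the script's approve/skip/ignore decision in Python over CSR objects in the shape `oc get csr -o json` returns, and goes one step further than the page: a system:node:* requester is only approved when the CSR subject names that same node (CN=system:node:<name>, O=system:nodes), a check the page's signer does not make. The DER helpers and make_request exist only to build constructed, unsigned sample CSRs so the example runs offline; the expired-certificate deletion branch is not reproduced.

```python
import base64

BOOTSTRAPPER = "system:serviceaccount:openshift-infra:node-bootstrapper"
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O"}

def der(tag, body):  # encode one DER TLV; short-form length suffices for the samples built below
    return bytes([tag, len(body)]) + body

def children(body):  # decode a DER body into its [(tag, value), ...] children (short and long lengths)
    out, i = [], 0
    while i < len(body):
        tag, n, i = body[i], body[i + 1], i + 2
        if n & 0x80:  # long form: the low 7 bits say how many length bytes follow
            n, i = int.from_bytes(body[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        out.append((tag, body[i:i + n]))
        i += n
    return out

def csr_subject(request_b64):  # subject of a CSR as stored in spec.request (base64 of PEM)
    pem = base64.b64decode(request_b64).decode()
    raw = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    (_, info), _, _ = children(children(raw)[0][1])  # CertificationRequestInfo, algid, signature
    _, subject = children(info)[1]                    # version, subject, spki, attributes
    out = {}
    for _, rdn in children(subject):                  # each RDN is a SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            out.setdefault(OID_NAMES.get(oid, oid.hex()), []).append(value.decode())
    return out

def make_request(cn, org):  # constructed sample: unsigned CSR skeleton with subject CN=cn, O=org
    atv = lambda oid, s: der(0x31, der(0x30, der(0x06, oid) + der(0x0C, s.encode())))
    subject = der(0x30, atv(b"\x55\x04\x0a", org) + atv(b"\x55\x04\x03", cn))
    info = der(0x30, der(0x02, b"\x00") + subject + der(0x30, b"") + der(0xA0, b""))
    req = der(0x30, info + der(0x30, b"") + der(0x03, b"\x00"))  # empty algid, empty signature
    pem = "-----BEGIN CERTIFICATE REQUEST-----\n%s-----END CERTIFICATE REQUEST-----\n"
    return base64.b64encode((pem % base64.encodebytes(req).decode()).encode()).decode()

def decide(csr):
    """Signer's action on one CSR ('approve', 'skip', 'ignore'); system:node:* with a foreign subject -> 'hold'."""
    user, status = csr["spec"]["username"], csr.get("status") or {}
    if status.get("conditions"):  # already Approved or Denied: the signer leaves it alone
        return "skip"
    if user in ("system:admin", BOOTSTRAPPER):  # trusted unconditionally by the page's policy
        return "approve"
    if user.startswith("system:node:"):
        subject = csr_subject(csr["spec"]["request"])  # added check: the CSR must name the requester
        ok = subject.get("CN") == [user] and subject.get("O") == ["system:nodes"]
        return "approve" if ok else "hold"  # hold: requester and requested identity disagree
    return "ignore"  # any other requester is not touched by the signer
```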

Checks

Verify that the bootstrap-autoapprover pod is up and running in the openshift-infra namespace, using the web console or the CLI:

oc get pod -n openshift-infra | grep bootstrap-autoapprover
