Search code examples
kuberneteskubectlcertificate-signing-request

kubectl : unable to recognize "csr.yaml": no matches for kind "CertificateSigningRequest" in version "certificates.k8s.io/v1"

i have this template i try to invoke: looking at the docs example here

--- 
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata: 
  name: vault-csr
spec: 
  groups: 
    - system: authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJRklEQ0NBd2dDQVFBd0lERWVNQndHQTFVRUF3d1ZkbUYxYkhRdWRtRjFiSFF0Y0dWeWMyOHVjM1pqTUlJQwpJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0NBZ0VBdFJubkFQR2R4bG1xdjhMOW1Gc29YOXJuCk9JcTVGTnJMZmRDelZCVEVnUEV6TDgzSWFsT1cya2lrNWFRM282d2NSTmx1S3NzeUl1c0ZUSTFqR2djWjN0eXkKSDFqMlROMmNHMHp4MGVaYTJqK3JMVkkwSmVTdXFHNkdmY01rRzRudUhZSGJraDZUYmgyalc5S0RTUTVRekNzdwo0Rlg4bDZXVEVILzdSemgwNCt0RkdFamxVVktkakJYcnVqMnhBc0NqemJ2Sy9GaEhLRjJwRVpza1pSNWtCbC80Cm1KL2xHUTRUTysyVW5CbmsvalJJd3g5a0ZGWDhucEhGWxxxLS0K
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth

the version of kubectl:

$ kubectl version --short
Client Version: v1.20.0
Server Version: v1.18.9-eks-d1db3c

And im working with AWS EKS i keep getting :

$ kubectl create -f csr.yaml
error: unable to recognize "csr.yaml": no matches for kind "CertificateSigningRequest" in version "certificates.k8s.io/v1"

UPDATE after changing to apiVersion: certificates.k8s.io/v1beta1

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata: 
  name: vault-csr
spec: 
  groups: 
    - system: authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSB.....
  usages:
  - digital signature
  - key encipherment
  - server auth

Im getting now this error:

$ kubectl create -f csr.yaml
error: error validating "tmp/csr.yaml": error validating data: ValidationError(CertificateSigningRequest.spec.groups[0]): invalid type for io.k8s.api.certificates.v1beta1.CertificateSigningRequestSpec.groups: got "map", expected "string"; if you choose to ignore these errors, turn validation off with --validate=false
Solution

  • As per the K8s change doc, the CertificateSigningRequest API is promoted to certificates.k8s.io/v1 only as part of the K8s 1.19 release.

    It was under certificates.k8s.io/v1beta1 before that.

    I suspect that to be a problem as your server version is v1.18.

    So, try changing your apiVersion as below:

    apiVersion: certificates.k8s.io/v1beta1