openshift11 csr 證書續簽管理

• 2020 年 4 月 7 日
• 筆記

Managing Certificate Signing Requests

Cluster administrators can review certificate signing requests (CSRs) and approve or deny them.

Reviewing Certificate Signing Requests

You can review the list of certificate signing requests (CSRs).

• Get the list of current CSRs: 獲取當前證書註冊請求列表 $ oc get csr
• View the details of a CSR to verify that it is valid: $ oc describe csr <csr_name> <csr_name> is the name of a CSR from the list of current CSRs.

Approving Certificate Signing Requests

You can manually approve certificate signing requests (CSRs) by using the oc certificate approve command.

• Approve a CSR: 續簽證書 $ oc adm certificate approve <csr_name> <csr_name> is the name of a CSR from the list of current CSRs.
• Approve all CSRs: $ oc get csr -o name | xargs oc adm certificate approve

Denying Certificate Signing Requests

You can manually deny certificate signing requests (CSRs) by using the oc certificate deny command.

• Deny a CSR: 拒絕證書 $ oc adm certificate deny <csr_name> <csr_name> is the name of a CSR from the list of current CSRs.

Configuring Automatic Approval of Certificate Signing Requests

開啟證書自動續簽–非常重要

You can configure automatic approval of node certificate signing requests (CSRs) by specifying adding the following parameter to your Ansible inventory file when installing your cluster:

openshift_master_bootstrap_auto_approve=true

Adding this parameter allows all CSRs generated by using the boostrap credential or from a previously authenticated node with the same host name to be approved without any administrator intervention.

參考鏈接：

https://docs.openshift.com/container-platform/3.11/install_config/redeploying_certificates.html