Closed dyrnq closed 2 years ago
Denying kubelet-serving CSR. DNS checks failed. Reason:The SAN DNS name in the x509 CR is not allowed by the Cloud provider regex {"controller": "certificatesigningrequest", "controllerGroup": "certificates.k8s.io", "controllerKind": "CertificateSigningRequest", "certificateSigningRequest": {"name":"csr-knzdc"}, "namespace": "", "name": "csr-knzdc", "reconcileID": "0aa5f5a4-2af4-4ca4-9cb3-be4ccbd8a77b"}
Set BYPASS_DNS_RESOLUTION=true when using postfinance/kubelet-csr-approver:v0.2.3:

```yaml
- name: BYPASS_DNS_RESOLUTION
  value: "true"
```
Sample YAML file: https://github.com/dyrnq/dist/blob/main/kubelet-csr-approver/0.2.3/10-deployments.yaml#L134
https://github.com/dyrnq/kubeadm-vagrant/issues/47#issue-1338572449
Hi!
I would like to know if there is a solution to solve this problem without using the bypassDnsResolution argument.
This is my entire error: certificate request was not signed: cannot watch on the certificate signing request: certificate signing request is denied, reason: kubelet-serving cert denied, message: CSR not complying with kubelet-csr-approver validation process. Reason: The SAN DNS Name could not be resolved, denying the CSR
Thanks in advance!
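
The two denial reasons quoted in this thread (SAN DNS name not allowed by the provider regex, SAN DNS name could not be resolved) can be told apart per hostname before deciding whether to fix DNS, fix the regex, or bypass resolution. The sketch below is an added example, not code from this thread or from kubelet-csr-approver; `diagnose`, the sample regex, the sample names, and the unanchored regex search are assumptions made for illustration.

```python
import re
import socket


def resolve(name):
    """Return the set of IPs the local resolver gives for name (empty if none)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def diagnose(san_dns_names, provider_regex, resolver=resolve):
    """Classify each SAN DNS name as 'regex-mismatch', 'unresolvable' or 'ok'.

    The regex is checked first, then resolution, matching the order of the
    two error messages in the thread (assumed, not taken from the approver).
    """
    pattern = re.compile(provider_regex)
    report = {}
    for name in san_dns_names:
        if not pattern.search(name):
            report[name] = "regex-mismatch"   # "not allowed by the Cloud provider regex"
        elif not resolver(name):
            report[name] = "unresolvable"     # "SAN DNS Name could not be resolved"
        else:
            report[name] = "ok"
    return report


# Constructed sample data: a fake DNS zone and a hypothetical provider regex.
SAMPLE_ZONE = {"node1.cluster.example": {"192.0.2.11"}}
SAMPLE_REGEX = r"^node\d+\.cluster\.example$"


def sample_report():
    """Run the diagnosis offline against the constructed zone above."""
    names = ["node1.cluster.example", "node2.cluster.example", "worker-a"]
    return diagnose(names, SAMPLE_REGEX,
                    resolver=lambda n: SAMPLE_ZONE.get(n, set()))


if __name__ == "__main__":
    for name, verdict in sample_report().items():
        print(f"{name}: {verdict}")
```

Run with the default `resolve` from a host that uses the same DNS as the approver pod to check real node names; a name reported as `unresolvable` needs a DNS record, while `regex-mismatch` points at the regex or the node's hostname.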