LinuxCommandLibrary

kubectl-certificate

Approve or deny certificate signing requests

TLDR

Approve a certificate signing request by name

$ kubectl certificate approve [csr_name]

Deny a certificate signing request by name
$ kubectl certificate deny [csr_name]

Approve a certificate signing request defined in a manifest file
$ kubectl certificate approve --filename [path/to/csr.yaml]

Deny a certificate signing request defined in a manifest file
$ kubectl certificate deny --filename [path/to/csr.yaml]

Force reapproval of a certificate signing request that was previously denied
$ kubectl certificate approve --force [csr_name]

SYNOPSIS

kubectl-certificate <approve|deny> CSR_NAME [--certificate-duration=duration] [--certificate-signer=string] [--dry-run=server|client|none] [--field-manager=string] [standard kubectl flags]

PARAMETERS

--certificate-duration=duration
    Duration of issued certificate (default 1y0m0d).

--certificate-signer=string
    Signer name (e.g., kubernetes.io/kube-apiserver-client).

--dry-run=server|client|none
    Dry run without persisting changes.

--field-manager=string
    String identifying owner of resource changes.

--force
    Force approval/denial despite preconditions.

--grace-period=integer
    Period for graceful termination (deny only).

--output=json|yaml|name|...
    Output format.

--save-config
    Save current config for future updates.

--timeout=duration
    Timeout for request.

-v=level
    Log verbosity level.

DESCRIPTION

The kubectl-certificate command manages CertificateSigningRequests (CSRs) in Kubernetes clusters. It allows cluster administrators to approve or deny requests for signed X.509 certificates issued by the cluster's certificate authority (CA). This is crucial for securing authentication of users, nodes, and services.

CSRs are created when entities need client or server certificates. kubectl-certificate approve validates and signs the request, generating a long-lived certificate. kubectl-certificate deny rejects invalid or untrusted requests, preventing security risks.

Key features include customizable certificate durations and signers. It integrates with kubectl's standard output and logging options for scripting and monitoring. Use it to maintain secure certificate lifecycles without manual CA intervention.

Note: This appears to reference the kubectl certificate subcommand group, as no standalone kubectl-certificate binary exists in standard distributions.

CAVEATS

kubectl-certificate is not a standard standalone command; it refers to the kubectl certificate subcommands. Requires cluster-admin privileges. Ensure the CSR exists via kubectl get csr. The hyphenated form may indicate a custom kubectl plugin.

EXAMPLES

Approve CSR:
kubectl certificate approve myuser-csr

Deny CSR:
kubectl certificate deny myuser-csr
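
Review before approving (an added example, not part of the original page): the script reads the signer, key usages and X.509 subject of a pending CSR and only then runs the approve or deny command shown above. The names `ALLOWED_SIGNER`, `csr_decision` and `review_csr` and the policy itself are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: gate `kubectl certificate approve` behind a review of the CSR.
# ALLOWED_SIGNER is an assumption of this sketch; set it to the signer you expect.
ALLOWED_SIGNER="kubernetes.io/kube-apiserver-client"

# csr_decision SIGNER SUBJECT USAGES
# Prints "approve" or "deny: <reason>" from the CSR fields alone (no cluster access).
csr_decision() {
  signer=$1
  subject=$(printf '%s' "$2" | tr -d ' ')   # normalise "O = x" and "O=x"
  usages=" $3 "
  if [ "$signer" != "$ALLOWED_SIGNER" ]; then
    echo "deny: unexpected signer $signer"; return 0
  fi
  # system:masters is bound to cluster-admin, so a client cert in that group is full access.
  case "$subject" in
    *O=system:masters*) echo "deny: subject requests O=system:masters"; return 0 ;;
  esac
  # A client-certificate signer should never be asked for a serving certificate.
  case "$usages" in
    *" server auth "*) echo "deny: server auth requested from a client signer"; return 0 ;;
  esac
  case "$usages" in
    *" client auth "*) echo "approve" ;;
    *) echo "deny: client auth usage missing" ;;
  esac
}

# review_csr NAME: fetch the fields from the cluster, decide, then act.
review_csr() {
  name=$1
  signer=$(kubectl get csr "$name" -o jsonpath='{.spec.signerName}') || return 1
  usages=$(kubectl get csr "$name" -o jsonpath='{.spec.usages[*]}') || return 1
  # spec.request is the base64-encoded PEM request; openssl prints its subject.
  subject=$(kubectl get csr "$name" -o jsonpath='{.spec.request}' \
            | base64 -d | openssl req -noout -subject) || return 1
  verdict=$(csr_decision "$signer" "$subject" "$usages")
  echo "$name: $verdict"
  case "$verdict" in
    approve) kubectl certificate approve "$name" ;;
    *)       kubectl certificate deny "$name" ;;
  esac
}

# Run against a CSR only when a name is given on the command line.
if [ "$#" -gt 0 ]; then review_csr "$1"; fi
```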

PREREQUISITES

Kubernetes cluster with CSR controller enabled. Access to kube-apiserver CA signer.

HISTORY

Part of kubectl since Kubernetes v1.19 (beta CSR API in v1.13). Enhanced in v1.22+ with stable CertificateSigningRequest resources. Widely used in production for automated cert management alongside cert-manager.

SEE ALSO

kubectl(1), openssl(1), cfssl(1)
