kubectl-certificate
Manage certificate signing requests in Kubernetes
TLDR
Approve a certificate signing request
$ kubectl certificate approve [csr-name]
Deny a certificate signing request
$ kubectl certificate deny [csr-name]
Approve all listed certificate signing requests (the pipeline passes every CSR, not only pending ones)
$ kubectl get csr -o name | xargs kubectl certificate approve
Deny a CSR with a specific reason
$ kubectl certificate deny [csr-name] --reason="[Expired certificate]"
List certificate signing requests
$ kubectl get csr
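The approve-all pipeline above hands every CSR name to kubectl certificate approve. As an added example (not part of the original page), this shell function narrows that list to Pending requests from one expected signer and requestor prefix before anything is approved. The function name, the sample rows, and the assumed column order of kubectl get csr --no-headers are assumptions.

```shell
#!/bin/sh
# Added example: select only Pending CSRs from an expected signer and requestor
# prefix, instead of approving everything `kubectl get csr -o name` returns.

# select_pending SIGNER REQUESTOR_PREFIX   (hypothetical helper name)
# Reads `kubectl get csr --no-headers` table rows on stdin and prints the names
# of CSRs whose CONDITION (last column) is exactly "Pending", whose SIGNERNAME
# (column 3) equals SIGNER and whose REQUESTOR (column 4) starts with the prefix.
select_pending() {
    awk -v signer="$1" -v prefix="$2" '
        $NF == "Pending" && $3 == signer && index($4, prefix) == 1 { print $1 }
    '
}

# Constructed sample rows (not from a real cluster), assumed column order:
# NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
SAMPLE_ROWS='csr-aaaa1 2m kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:abc123 <none> Pending
csr-bbbb2 9d kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:abc123 <none> Approved,Issued
csr-cccc3 1m kubernetes.io/kube-apiserver-client dev-user 24h Pending
csr-dddd4 5m kubernetes.io/kubelet-serving system:node:worker-1 <none> Pending
csr-eeee5 3h kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:abc123 <none> Denied'

# Only csr-aaaa1 is Pending, from the kubelet client signer, and requested by
# a bootstrap token identity; the other rows are skipped.
printf '%s\n' "$SAMPLE_ROWS" |
    select_pending kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:

# Against a live cluster, review the printed list first, then approve
# (-r is GNU xargs: run nothing when the list is empty):
#   kubectl get csr --no-headers \
#     | select_pending kubernetes.io/kube-apiserver-client-kubelet system:bootstrap: \
#     | xargs -r kubectl certificate approve
```

Matching the condition, signer and requestor exactly means a CSR submitted by an unexpected identity or for a different signer is never swept into a bulk approval.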
SYNOPSIS
kubectl certificate subcommand [options]
DESCRIPTION
kubectl certificate manages certificate signing requests (CSRs) in Kubernetes. It is used to approve or deny CSRs for kubelet client certificates and other TLS certificates, and is part of the cluster's PKI management. When a new node joins a cluster, it generates a CSR that must be approved before the node can communicate with the API server.
PARAMETERS
approve name
Approve a certificate signing request.
deny name
Deny a certificate signing request.
--reason string
Reason for approving or denying the CSR, stored in the status condition.
--force
Update the CSR even if it is already approved or denied.
--allow-missing-template-keys
If true, ignore errors in templates when a field or map key is missing. Default true.
-o, --output format
Output format. One of: json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file.
SEE ALSO
kubectl(1), kubectl-get(1), kubectl-auth(1), kubectl-config(1)
