CertificateSigningRequest (CSR) is the Kubernetes resource for requesting x509 certificates. Components like kubelet create CSRs to obtain certificates for apiserver access or TLS. This check reports unhealthy CSR state: long-standing Pending or Denied/Failed requests.
Warning
N/A
- CSRs in Pending state that have not been approved or denied
- CSRs in Denied or Failed state indicating rejection or issuance failure
- Pending CSR: Use `kubectl get csr` to list; use `kubectl certificate approve <name>` or `kubectl certificate deny <name>` to act. For kubelet certificate requests when nodes join, approve as appropriate.
- Denied/Failed CSR: Clean up or re-issue per cause; check cluster CA and signer configuration if needed.
- Control-plane certificate expiry: Expiry of etcd, kube-apiserver, and kubelet server certificates is not exposed via this API. Run `kubeadm certs check-expiration` (or equivalent) on the relevant nodes to check and renew.
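
The check described above, sketched as an added example (not the tool's own code): it derives each CSR's state from `status.conditions` in `kubectl get csr -o json` output and reports Denied, Failed and long-pending requests together with the signer and requestor a reviewer needs before approving. The sample JSON is constructed, and the one-hour pending threshold and the function names are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like `kubectl get csr -o json` output.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "csr-node-a", "creationTimestamp": "2024-05-01T08:00:00Z"},
  "spec": {"signerName": "kubernetes.io/kube-apiserver-client-kubelet",
           "username": "system:bootstrap:abcdef"}, "status": {}},
 {"metadata": {"name": "csr-node-b", "creationTimestamp": "2024-05-01T11:50:00Z"},
  "spec": {"signerName": "kubernetes.io/kubelet-serving", "username": "system:node:b"}, "status": {}},
 {"metadata": {"name": "csr-app", "creationTimestamp": "2024-05-01T09:00:00Z"},
  "spec": {"signerName": "kubernetes.io/kube-apiserver-client", "username": "dev-user"},
  "status": {"conditions": [{"type": "Denied", "status": "True"}]}},
 {"metadata": {"name": "csr-node-c", "creationTimestamp": "2024-05-01T09:00:00Z"},
  "spec": {"signerName": "kubernetes.io/kubelet-serving", "username": "system:node:c"},
  "status": {"conditions": [{"type": "Approved", "status": "True"}], "certificate": "PLACEHOLDER"}},
 {"metadata": {"name": "csr-svc", "creationTimestamp": "2024-05-01T09:00:00Z"},
  "spec": {"signerName": "example.com/internal", "username": "svc-account"},
  "status": {"conditions": [{"type": "Approved", "status": "True"}, {"type": "Failed", "status": "True"}]}}
]}""")

PENDING_MAX_AGE = timedelta(hours=1)  # assumed threshold; the page gives none

def csr_state(csr):
    """Derive the state from status.conditions and status.certificate."""
    status = csr.get("status") or {}
    types = {c["type"] for c in status.get("conditions", [])
             if c.get("status", "True") == "True"}
    if "Denied" in types:
        return "Denied"
    if "Failed" in types:
        return "Failed"
    if "Approved" in types:
        return "Issued" if status.get("certificate") else "Approved"
    return "Pending"  # no Approved/Denied condition yet

def unhealthy(csr_list, now):
    """Return (name, state, signerName, requestor) for CSRs needing attention."""
    findings = []
    for csr in csr_list["items"]:
        state = csr_state(csr)
        created = datetime.strptime(csr["metadata"]["creationTimestamp"],
                                    "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        stale = state == "Pending" and now - created > PENDING_MAX_AGE
        if state in ("Denied", "Failed") or stale:
            findings.append((csr["metadata"]["name"], state,
                             csr["spec"].get("signerName"), csr["spec"].get("username")))
    return findings
```

Against a live cluster, pass the parsed output of `kubectl get csr -o json` and `datetime.now(timezone.utc)` to `unhealthy`.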