Problem with kubelet csr on new karpenter node - never approved and issued - kubectl logs and exec not working

[Piercuta]

Hello everyone,

Since three weeks, i have the same problem...

The ec2 node created by karpenter works well and the pods are running on it but the certificate is never approved and issued.

I did the aws-auth config map, and have the sames roles as karpenter like the tuto 'Getting Started with Karpenter', but it's still not working...

I build everything with aws cdk.

kubectl describe csr csr-7r9nm
Name: csr-7r9nm
Labels:
Annotations:
CreationTimestamp: Sun, 06 Jul 2025 16:17:28 +0200
Requesting User: arn:aws:sts::532673134317:assumed-role/piercuta-dev-karpenter-node-role/i-0ca59c4195c0bc4a5
Signer: kubernetes.io/kubelet-serving
Status: Pending
Subject:
Common Name: system:node:ip-10-0-7-113.eu-west-1.compute.internal
Serial Number:
Organization: system:nodes
Subject Alternative Names:
DNS Names: ip-10-0-7-113.eu-west-1.compute.internal
IP Addresses: 10.0.7.113
Events:

my aws-auth config map

apiVersion: v1
data:
mapRoles: |
- rolearn: arn:aws:iam::532673134317:role/piercuta-dev-karpenter-node-role
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
- rolearn: arn:aws:iam::532673134317:role/piercuta-dev-eks-node-role
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
kind: ConfigMap
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","data":{"mapRoles":"- rolearn: arn:aws:iam::532673134317:role/piercuta-dev-karpenter-node-role\n username: system:node:{{EC2PrivateDNSName}}\n groups:\n - system:bootstrappers\n - system:nodes\n- rolearn: arn:aws:iam::532673134317:role/piercuta-dev-eks-node-role\n username: system:node:{{EC2PrivateDNSName}}\n groups:\n - system:bootstrappers\n - system:nodes\n"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"aws-auth","namespace":"kube-system"}}
creationTimestamp: "2025-07-06T11:13:29Z"
name: aws-auth
namespace: kube-system
resourceVersion: "5298"
uid: 7d17faf6-7de4-433e-b887-07649c0048d9

Please help, this is the only thing not working and I cannot do "kubectl logs" cmd because this problem.

Thks everyone.

[Piercuta]

Problem:
My Karpenter nodes were stuck with pending CSRs (Certificate Signing Requests), and the kubelet logs showed TLS handshake errors like:
http: TLS handshake error ... no serving certificate available for the kubelet

When checking the CSRs, the requests were not coming from system:node: but from the STS-assumed role ARN:

arn:aws:sts:::assumed-role//

Root Cause:
I mistakenly added the same IAM role used by Karpenter nodes both:

In the EKS Access Entries (via aws eks access-entry)

And in the legacy aws-auth ConfigMap.

This caused the kubelet to authenticate via STS rather than the expected node identity (system:node:), preventing automatic CSR approval.

SOLUTION:
I removed the EKS Access Entry for the Karpenter node role and kept only the ConfigMap aws-auth entry.

After that, nodes authenticated correctly as system:node:, and CSRs were automatically approved and issued as expected:

Approved,Issued