Skip to content
Latchkey

kubectl certificate: Usage, Options & CI Errors

Approve or deny pending certificate signing requests.

kubectl certificate approve/deny acts on CertificateSigningRequests (CSRs) - the requests nodes and clients make for signed certs. It appears in node-bootstrap automation and custom PKI flows.

What it does

kubectl certificate approve NAME marks a pending CSR approved so the signer issues a certificate; deny rejects it. You typically list candidates with kubectl get csr first, then approve the matching ones. In managed clusters a controller auto-approves node CSRs; manual approval is for custom or kubelet-serving certs.

Common usage

Terminal
kubectl get csr
kubectl certificate approve csr-abc123
kubectl get csr -o name | xargs kubectl certificate approve   # bulk
kubectl certificate deny csr-suspicious

Common errors in CI

"Error from server (NotFound): certificatesigningrequests.certificates.k8s.io \"X\" not found" usually means the CSR expired and was garbage-collected (CSRs are short-lived) before your automation approved it. Approve promptly or recreate. Approving an already-approved CSR is a no-op but reads as success; denying an approved one will not un-issue the cert. Bulk-approving every pending CSR with xargs is a security risk in untrusted clusters. Only auto-approve CSRs you can attribute to known requesters.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →