kubernetes - kubectl 尝试创建 CertificateSigningRequest 错误：来自服务器的错误（BadRequest）：创建“tcsr.yaml”时出错：CertificateSigningRequest

request你的线路肯定有问题。您的错误来自（很可能，我不确定！！，似乎）来自错误的编码数据复制粘贴数据。

你可以找到很多类似的例子，比如Kubernetes 不创建证书

复制了你的小例子，似乎一切正常。为了重现我使用了Create CertificateSigningRequest官方文档页面

小备注：官方文档中有一个v1 apiversion - 我无法CertificateSigningRequest用它创建，所以我不得不回到apiVersion: certificates.k8s.io/v1beta1一个。

我收到的错误apiVersion: certificates.k8s.io/v1 是

error: unable to recognize "sr.yaml": no matches for kind "CertificateSigningRequest" in version "certificates.k8s.io/v1"

所以，基本上，

$ openssl genrsa -out vit.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
............................................................................................................................+++++
........+++++
e is 65537 (0x010001)

$ openssl req -new -key vit.key -out vit.csr
...
$ cat vit.csr | base64 | tr -d "\n"                                                                                                              
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2lqQ0NBWElDQVFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeApJVEFmQmdOVkJBb01HRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNZmZFSitFTjZ3Wjd5emV4WjA4aUtQOWhUYWVzSjh1cWt3U1NsU1QKdXhVbDlyci85YnA2OTd3Ky9lQXRVTlF6ajlWNGQvUnhLSG0rMkVhWDllaGowN0NBZlJRRFEvV284dW1tLS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2lqQ0NBWElDQVFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeApJVEFmQmdOVkJBb01HRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNZmZFSitFTjZ3Wjd5emV4WjA4aUtQOWhUYWVzSjh1cWt3U1NsU1QKdXhVbDlyci85YnA2OTd3Ky9lQXRVTlF6ajlWNGQvUnhLSG0rMkVhWDllaGowN0NBZlJRRFEvV284dW1tUzRMZAo1UEtoNmVxMmdvMWJkNDRzQmpwaFk4encwK1UyQXdZMElPbitCcm9weWdGMVlCWWFkcHYzSnBXQVpqb2g2NFBuCmY0WThFNmptd0lnYlpTcXhlcTdDaUEwSDNHZDg1L0s4em5hWlFuYWZ2Q3E2Umc4SitsS2Z0RnN3QWdpL1BjSlgKWExYekRCdSs4OERacENJT0Rjek9MejZIYmhBMk1GK2tXN0RFTlJIZ29EenJZNHdNNGxGdVNpWGlPSVE2L01GVApuSmU5b1dNbFpNMjErNFpsQUN5RElZUnhwQmZQNlBBKzhoWEJJaGk4R09OK2ZiY0NBd0VBQWFBQU1BMEdDU3FHClNJYjNEUUVCQ3dVQUE0SUJBUUNlM1JyaEdoSWV4dWR5b2ljNjA0c0dGOTdNcExqV0Y0RVUwK0dOWGY5WWIzRHIKb2NsRG91OFVZQjhVTlpaTW1lc21xZUozdEVKQ3I2cE1mMWI4U09vOHhzYXdiR3NHZHlRdzJ5RWJvemdtWDR1bwphKy9aVjkyNUkwYVkwNGFGOW52QmVYSDBLbnh0RG9FdG8rOVVnVFoxLzV6ZVZOWGIrNnl0K1R6bVowOCtQbm4vCkhmUVMvdmtrVTdtNnRxNjQxbTJKUGlCK0Y4MnZyenM4NithS2gvYUk0ODJ2VXdjUzFrUnlLTEs0ZUVkOGNUUEQKWHdEVk9selhQcTVuMFh5ZUorcnlHY0dRYVpKb291TytVdUpXVnlCN0dYZnd5RENnUjhGZm8wZUtSQWZBQ1dIawplZ3h6UGN2ZEhtTTBjclM2VkU0SWNDVytycU5KUmxyQWhnY2JKM3daCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=

我手动复制粘贴的密钥并使用 VI 放入 yaml...

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: vit
spec:
  groups:
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2lqQ0NBWElDQVFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeApJVEFmQmdOVkJBb01HRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNZmZFSitFTjZ3Wjd5emV4WjA4aUtQOWhUYWVzSjh1cWt3U1NsU1QKdXhVbDlyci85YnA2OTd3Ky9lQXRVTlF6ajlWNGQvUnhLSG0rMkVhWDllaGowN0NBZlJRRFEvV284dW1tUzRMZAo1UEtoNmVxMmdvMWJkNDRzQmpwaFk4encwK1UyQXdZMElPbitCcm9weWdGMVlCWWFkcHYzSnBXQVpqb2g2NFBuCmY0WThFNmptd0lnYlpTcXhlcTdDaUEwSDNHZDg1L0s4em5hWlFuYWZ2Q3E2Umc4SitsS2Z0RnN3QWdpL1BjSlgKWExYekRCdSs4OERacENJT0Rjek9MejZIYmhBMk1GK2tXN0RFTlJIZ29EenJZNHdNNGxGdVNpWGlPSVE2L01GVApuSmU5b1dNbFpNMjErNFpsQUN5RElZUnhwQmZQNlBBKzhoWEJJaGk4R09OK2ZiY0NBd0VBQWFBQU1BMEdDU3FHClNJYjNEUUVCQ3dVQUE0SUJBUUNlM1JyaEdoSWV4dWR5b2ljNjA0c0dGOTdNcExqV0Y0RVUwK0dOWGY5WWIzRHIKb2NsRG91OFVZQjhVTlpaTW1lc21xZUozdEVKQ3I2cE1mMWI4U09vOHhzYXdiR3NHZHlRdzJ5RWJvemdtWDR1bwphKy9aVjkyNUkwYVkwNGFGOW52QmVYSDBLbnh0RG9FdG8rOVVnVFoxLzV6ZVZOWGIrNnl0K1R6bVowOCtQbm4vCkhmUVMvdmtrVTdtNnRxNjQxbTJKUGlCK0Y4MnZyenM4NithS2gvYUk0ODJ2VXdjUzFrUnlLTEs0ZUVkOGNUUEQKWHdEVk9selhQcTVuMFh5ZUorcnlHY0dRYVpKb291TytVdUpXVnlCN0dYZnd5RENnUjhGZm8wZUtSQWZBQ1dIawplZ3h6UGN2ZEhtTTBjclM2VkU0SWNDVytycU5KUmxyQWhnY2JKM3daCi0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
  usages:
  - client auth

结果是：

$ kubectl apply -f sr.yaml
certificatesigningrequest.certificates.k8s.io/vit created

request 是 CSR 文件内容的 base64 编码值。您可以使用以下命令获取内容：cat john.csr | base64 | tr -d "\n"

您也可以使用request: $(cat server.csr | base64 | tr -d '\n')而不是复制粘贴纯文本..请阅读下面的信息..它很重要

csr 生成不按文档工作

类似的问题也一直困扰着我。经过一些故障排除后，观察到 base64 和 tr 解决方案在 MacOS 环境中无法正常工作。使用来自 GNU 的 gbase64 实用程序有一个不会换行的“-w”选项。一旦我安装了 gnu coreutils 并使用了 gbase64，脚本就会按预期工作。该问题与使用原始组合的“tr”和换行有关。希望它可以帮助未来遇到类似环境相关问题的用户。