Hello, After a new deployment, I downloaded the kubeconfig and upon trying to approve a Certificate Signing Request (CSR), the csr just sits in an approved state, but never becomes Issued. Is there a restriction or something on the default-kubernetes-<clustername> user that I might not be familiar with? That or maybe my process is wrong, its odd that it just sits in an Approved state. Any help is appreciated!
Best answer by vshuguet
Karbon Clusters (currently, working on it, depends on other parts of the platform too) doesn’t support certificate based authentication. We do support user-based token authentication as explained above (even with directory users, thanks to our integrated auth in Prism Central).
We also support ServiceAccounts if you need longer/persistant token over 24h (for example to integrate with your CI/CD pipeline). In fact we haven’t changed anything related to token based authentication, we just added a “hook” to also enable us to auth users via Prism Central. That way, the “browsing account” credentials (the account used to check on the Directory if the credentials supplied by the user are correct) aren’t anywhere on the Kubernetes clusters, and are instead centrally managed inside Prism Central.
We simply have not enabled Certificate Based authentication (or any kind of certificate issuance) in the Kubernetes clusters, until the platform is able to provide us with a secure source of certificates (as I said, working on it).