Please note before using client certificate authentication:
You cannot revoke a client certificate. Once a client certificate is compromised, you can only restrict access using RBAC. Restricting access using RBAC might not be a solution. For example, you can add the system:cluster-admins group to your client certificate. I don't know if your cluster will survive if you remove all privileges from this system group.
After the certificate signing request is approved, it is deleted after a while, so you don't know what signed client certificates are out there.
A signed client certificate is valid for 365 days by default.
Create a certificate signing request
Since OpenSSL 3.0, use -noenc instead of
Create CSR object
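The following sketch ties the two steps to the caveats above. It is an added example, not the original page's commands. It creates the request, lists the groups its subject asks for so that a system: group can be refused before approval, and builds a CSR object that asks for a short lifetime instead of the 365-day default. Assumptions: OpenSSL 3.0 or later, a cluster whose certificates.k8s.io/v1 API supports spec.expirationSeconds (Kubernetes 1.22 or later, minimum 600 seconds), and placeholder names such as alice and developers.

```shell
#!/usr/bin/env bash
# Added example: function names, user, group and file names are placeholders.

# Create an unencrypted EC key and a CSR. The API server takes the user name
# from the subject CN and one group from every O field, so the subject decides
# which RBAC bindings the certificate will match.
make_csr() {  # usage: make_csr <user> <group> <outdir>
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -noenc \
    -keyout "$3/$1.key" -out "$3/$1.csr" -subj "/CN=$1/O=$2" 2>/dev/null
}

# Print the groups (O fields) a CSR requests, one per line.
# Simple split: assumes group names contain no commas.
csr_groups() {  # usage: csr_groups <csr-file>
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^O=//p'
}

# Pre-approval check: fail if the CSR asks for any system: group, for example
# system:cluster-admins, because the issued certificate cannot be revoked.
safe_to_submit() {  # usage: safe_to_submit <csr-file>
  ! csr_groups "$1" | grep -q '^system:'
}

# Emit the CSR object. expirationSeconds requests a short-lived certificate,
# which limits how long a compromised key stays usable.
csr_manifest() {  # usage: csr_manifest <name> <csr-file> <lifetime-seconds>
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $(base64 < "$2" | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: $3
  usages:
  - client auth
EOF
}

# Typical use (not executed here, needs a cluster):
#   make_csr alice developers . && safe_to_submit alice.csr &&
#     csr_manifest alice alice.csr 3600 | kubectl apply -f -
```

Because the CSR object is deleted after a while, keeping the output of csr_manifest or the issued certificate in your own inventory is the only record of which client certificates were signed.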
Last update: December 28, 2021