Scenario #12
Cluster Management
K8s v1.20, kubeadm cluster

Stuck CSR Requests Blocking New Node Joins

New nodes couldn’t join due to a backlog of unapproved CSRs.

What Happened

A spike in expired certificate renewals caused hundreds of CSRs to queue, none of which were being auto-approved. New nodes waited indefinitely.

Diagnosis Steps
  1. Ran kubectl get csr – saw >500 pending requests.
  2. New nodes stuck at kubelet: “waiting for server signing”.
  3. Approval controller was disabled due to misconfiguration.
Root Cause

Auto-approval for CSRs was turned off during a security patch, but not re-enabled.

Fix/Workaround
kubectl certificate approve <csr-name>
• Re-enabled the CSR approver controller.
Lessons Learned

CSR management is critical for kubelet-node communication.

How to Avoid
  1. Monitor pending CSRs.
  2. Don’t disable kube-controller-manager flags like --cluster-signing-cert-file.
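
An added example, not part of the original write-up: a Python triage over the JSON from `kubectl get csr -o json` that counts pending and stale CSRs (the number to monitor) and separates requests whose requestor fits the kubelet signer from ones that need manual review before `kubectl certificate approve`. The 15-minute staleness threshold, the requestor rules and the sample objects are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Built-in kubelet signer names; the requestor rules below are this example's assumptions.
CLIENT = "kubernetes.io/kube-apiserver-client-kubelet"
SERVING = "kubernetes.io/kubelet-serving"

def is_pending(csr):
    """Pending means neither an Approved nor a Denied condition is set."""
    conds = csr.get("status", {}).get("conditions") or []
    return not any(c.get("type") in ("Approved", "Denied") for c in conds)

def requestor_matches_signer(csr):
    """True when the requesting identity is one the signer is meant to serve."""
    spec = csr["spec"]
    user, groups = spec.get("username", ""), spec.get("groups") or []
    if spec.get("signerName") == CLIENT:
        return "system:bootstrappers" in groups or user.startswith("system:node:")
    if spec.get("signerName") == SERVING:
        return user.startswith("system:node:") and "system:nodes" in groups
    return False

def triage(csr_list, now, max_age_minutes=15):
    """Count pending/stale CSRs and split them into approve candidates vs. review."""
    report = {"pending": 0, "stale": 0, "candidates": [], "review": []}
    for csr in filter(is_pending, csr_list.get("items", [])):
        report["pending"] += 1
        ts = csr["metadata"]["creationTimestamp"].replace("Z", "+00:00")
        if (now - datetime.fromisoformat(ts)).total_seconds() > max_age_minutes * 60:
            report["stale"] += 1
        bucket = "candidates" if requestor_matches_signer(csr) else "review"
        report[bucket].append(csr["metadata"]["name"])
    return report

def _csr(name, signer, user, groups, created, conditions=()):
    # Builds a constructed CSR object in the shape of `kubectl get csr -o json` items.
    return {"metadata": {"name": name, "creationTimestamp": created},
            "spec": {"signerName": signer, "username": user, "groups": groups},
            "status": {"conditions": list(conditions)}}

SAMPLE = {"items": [  # constructed sample, not real cluster output
    _csr("csr-a", CLIENT, "system:bootstrap:abcdef", ["system:bootstrappers"], "2021-03-01T10:00:00Z"),
    _csr("csr-b", SERVING, "system:node:worker-1", ["system:nodes"], "2021-03-01T11:55:00Z"),
    _csr("csr-c", CLIENT, "dev-user", ["system:authenticated"], "2021-03-01T10:30:00Z"),
    _csr("csr-d", CLIENT, "system:node:worker-2", ["system:nodes"], "2021-03-01T09:00:00Z",
         [{"type": "Approved", "status": "True"}]),
]}
NOW = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)
if __name__ == "__main__":
    print(triage(SAMPLE, NOW))
```

Alerting on the `stale` count catches a disabled approver before nodes fail to join, and only names in `candidates` should be passed to `kubectl certificate approve` without a closer look.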