OpenShift Container Platform 4 CSRs were not approved automatically during over 100 nodes certificate renewal in UPI environment

Solution Verified - Updated -

Issue

  • In UPI environment, there are over 100+ nodes has been added to the cluster, the cluster nodes certificate renewal requests will be received at the same time.
  • Check whether the pending CSRs have been created over 100+ requests in oc get csr results during the nodes certificate renewal every month(CSRs may be approved once they have reached 80% +/-10% of their expiry period - Understanding the certificate rotation configuration), the machine-approver log will be printing the following errors if the CSRs cannot be approved automatically.
E1125 14:20:25.439889       1 main.go:161] Pending CSRs: 110; Max pending allowed: 100. Difference between pending CSRs and machines > 100. Ignoring all CSRs as too many recent pending CSRs seen

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4.x

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content