User without CSR read permission can not view the Node page in Openshift console

Solution Verified - Updated 2025-04-10T18:12:06+00:00 -

Issue

When attempting to view nodes in OpenShift web console, met with the follwoing error:

 certificatesigningrequests.certificates.k8s.io is forbidden: User "xxxx" cannot list resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope

If you have permission to view nodes but not Certificate Signing Requests (CSR), you cannot access the Nodes list page.
If a user has get and list access to the nodes resource they are able to see the nodes in the web console and CLI. Post upgrading to 4.16, the user can still see the nodes from the CLI but fails in the web console.

Environment

Red Hat OpenShift Container Platform
- 4.16, 4.17

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content

Quick Links

Help

Site Info

Related Sites

Copyright © 2025 Red Hat

Here are the common uses of Markdown.

Code blocks

~~~
Code surrounded in tildes is easier to read
~~~

Links/URLs

[Red Hat Customer Portal](https://access.redhat.com)