This is just a small program that can be used to create and approve a Client Signing Request in a Kubernetes cluster and then create a new kubeconfig based on that approved certificate.
The code is heavily based on this article with some modifications for new CSR API versions and things I needed for this example.
Setting expirationSeconds will add that to the CSR. Kubernetes servers tend to have upper limits for how long they'll issue a certificate for (although these times vary wildly), and generally 600 is the lower bound for what you can set.
It connects to a cluster based on the current Kubernetes context for the running user.
There are five command line parameters :-

--username
- The username for the certificate. (MANDATORY)

--group
- The group for the certificate. Defaults to none. (OPTIONAL)

--output-file
- Filename for the output kubeconfig file. Default is [username].config (OPTIONAL)

--expirationSeconds
- Number of seconds for the certificate to be valid. If not specified this will take the server's default setting. (OPTIONAL)

- This won't work on EKS clusters because they don't issue certificates for client authentication. This issue is undocumented but there's a discussion here
- This won't work with clusters earlier than 1.19 as we're using v1 of the CSR API, which was introduced then.
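
The request side of the flow described above, as an added example in standard-library Go (not this program's own code): it generates a key, builds a CSR with the username as CN and the group as O, and wraps it in a certificates.k8s.io/v1 manifest for the built-in client certificate signer. The function name `BuildCSR`, the `-csr` name suffix and the sample values are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// BuildCSR returns the key and a v1 CSR manifest (JSON); expirationSeconds 0 omits the field (server default).
func BuildCSR(username, group string, expirationSeconds int32) (key *ecdsa.PrivateKey, manifest []byte, err error) {
	if username == "" {
		return nil, nil, fmt.Errorf("username is mandatory")
	}
	if expirationSeconds != 0 && expirationSeconds < 600 {
		return nil, nil, fmt.Errorf("expirationSeconds %d is below the 600 lower bound", expirationSeconds)
	}
	key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	subject := pkix.Name{CommonName: username} // CN is read as the user name
	if group != "" {
		subject.Organization = []string{group} // O is read as a group
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key)
	if err != nil {
		return nil, nil, err
	}
	spec := map[string]any{ // encoding/json base64-encodes the []byte request
		"request":    pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}),
		"signerName": "kubernetes.io/kube-apiserver-client",
		"usages":     []string{"client auth"},
	}
	if expirationSeconds != 0 {
		spec["expirationSeconds"] = expirationSeconds
	}
	manifest, err = json.MarshalIndent(map[string]any{"apiVersion": "certificates.k8s.io/v1",
		"kind": "CertificateSigningRequest", "metadata": map[string]any{"name": username + "-csr"}, "spec": spec}, "", "  ")
	return key, manifest, err
}

func main() {
	_, m, err := BuildCSR("alice", "dev-team", 3600) // constructed sample values
	fmt.Println(string(m), err)
}
```

Once a request like this is approved, the issued certificate is returned in the object's status.certificate field and is paired with the private key in the new kubeconfig.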