I found the answer in the following issue:
https://github.com/kubernetes/kubernetes/issues/99504
┌──[[email protected]]-[~]
└─$kubectl get csr
NAME                                               AGE   SIGNERNAME                      REQUESTOR          REQUESTEDDURATION   CONDITION
hello-webhook-service.k8s-hello-mutating-webhook   43s   kubernetes.io/kubelet-serving   kubernetes-admin   <none>              Approved,Failed
┌──[[email protected]]-[~]
└─$kubectl get csr hello-webhook-service.k8s-hello-mutating-webhook -o yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  creationTimestamp: "2023-11-15T08:53:20Z"
  name: hello-webhook-service.k8s-hello-mutating-webhook
  resourceVersion: "17547246"
  uid: d38716c9-1c97-44d2-8f7c-0c9a4e1cfdd0
spec:
  groups:
  - system:masters
  - system:authenticated
  request: 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
  signerName: kubernetes.io/kubelet-serving
  usages:
  - server auth
  - digital signature
  - key encipherment
  username: kubernetes-admin
status:
  conditions:
  - lastTransitionTime: "2023-11-15T08:53:20Z"
    lastUpdateTime: "2023-11-15T08:53:20Z"
    message: This CSR was approved by kubectl certificate approve.
    reason: KubectlApprove
    status: "True"
    type: Approved
  - lastTransitionTime: "2023-11-15T08:53:20Z"
    lastUpdateTime: "2023-11-15T08:53:20Z"
    message: subject organization is not system:nodes
    reason: SignerValidationFailure
    status: "True"
    type: Failed
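Solution:
Generate the CSR as shown below. The subject organization must be system:nodes, which is exactly what the Failed condition above reports as missing.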
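# Original command, rejected by the signer (the subject has no O=system:nodes):
#openssl req -new -key "${tmpdir}/server-key.pem" -subj "/CN=${fullServiceDomain}" -out "${tmpdir}/server.csr" -config "${tmpdir}/csr.conf"
# Working command: CN prefixed with system:node: and organization set to system:nodes
openssl req -new -key "${tmpdir}/server-key.pem" -subj "/CN=system:node:${fullServiceDomain}/O=system:nodes" -out "${tmpdir}/server.csr" -config "${tmpdir}/csr.conf"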
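The subject can be checked locally before the CSR is submitted, so a rejection shows up before `kubectl certificate approve` rather than as a Failed condition afterwards. The script below is an added example, not part of the original post: the function names are hypothetical, and it checks the two subject rules of the kubernetes.io/kubelet-serving signer (organization exactly system:nodes, common name starting with system:node:) on the RFC 2253 subject line that openssl prints.

```shell
#!/bin/sh
# Added example: pre-flight check of a CSR subject against the subject rules
# of the kubernetes.io/kubelet-serving signer. Function names are hypothetical.

# check_kubelet_serving_subject SUBJECT
# SUBJECT is the RFC 2253 line printed by
#   openssl req -in server.csr -noout -subject -nameopt RFC2253
# e.g. "subject=O=system:nodes,CN=system:node:<service>.<namespace>.svc"
# Assumption: attribute values contain no escaped commas.
check_kubelet_serving_subject() {
  rest="${1#subject=}"; rest="${rest# }"
  cn=""; org_total=0; org_nodes=0
  while [ -n "$rest" ]; do
    rdn="${rest%%,*}"                       # next comma-separated attribute
    if [ "$rdn" = "$rest" ]; then rest=""; else rest="${rest#*,}"; fi
    rdn="${rdn# }"
    case "$rdn" in
      CN=*) cn="${rdn#CN=}" ;;
      O=*)  org_total=$((org_total + 1))
            if [ "${rdn#O=}" = "system:nodes" ]; then org_nodes=1; fi ;;
    esac
  done
  # Organization must be exactly ["system:nodes"]: one value, and that value.
  if [ "$org_total" -ne 1 ] || [ "$org_nodes" -ne 1 ]; then
    echo "reject: subject organization is not system:nodes"; return 1
  fi
  case "$cn" in
    system:node:*) ;;
    *) echo "reject: common name does not start with system:node:"; return 1 ;;
  esac
  echo "ok: CN=$cn O=system:nodes"
}

# check_csr_file PATH: run the check on a PEM CSR (needs the openssl CLI).
check_csr_file() {
  subject="$(openssl req -in "$1" -noout -subject -nameopt RFC2253)" || return 2
  check_kubelet_serving_subject "$subject"
}

# With a CSR path as first argument, check that file; otherwise only define
# the functions.
if [ "$#" -gt 0 ]; then check_csr_file "$1"; fi
```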
From: https://www.cnblogs.com/liruilong/p/17834448.html