Why can't I create a new admin certificate?
When you try to create a new admin certificate, you see an error message similar to the following example.
You have reached the maximum number of admin certificates. To create a new admin certificate, you must remove an existing one by revoking a user's IAM admin permissions and then removing their entry from the `ibm-admin-cert` ClusterRoleBinding.
You have reached the limit of 50 admin certificates per cluster.
You must remove an existing admin certificate before you can add a new one.
To complete the following tasks, you must have the Administrator IAM access role for the cluster.
- Log in to the CLI.
- Set the context for your cluster. Include the `--admin` option.

  ```sh
  ibmcloud oc cluster config --cluster mycluster --admin
  ```

- Edit the `ibm-admin-cert` ClusterRoleBinding file. The following command opens an editor in your terminal window.

  ```sh
  oc edit clusterrolebinding ibm-admin-cert
  ```

- In the `ibm-admin-cert` ClusterRoleBinding file, find the admin certificate to remove. If you logged in with a service ID, the name of the entry contains `Service-ID-XX`, with `XX` as the service ID to remove. Otherwise, the name of the entry contains `IBMid-XX`, with `XX` as the user ID to remove. The following entries show examples to remove.

  ```yaml
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: iam-ServiceId-XXX-admin-<DATE>
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: IBMid-YYY-admin-<DATE>
  ```

- Try again to create the admin certificate.
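
Before you edit the binding, it helps to see how many entries it holds and which identities they belong to. The following script is an added example, not part of the original documentation: it reads the output of `oc get clusterrolebinding ibm-admin-cert -o json`, counts the `User` entries against the limit of 50, and groups them by identity. It assumes that each `User` entry corresponds to one admin certificate and that entry names follow the two example shapes shown above; the sample data and the function names are constructed for illustration.

```python
import json
import re
import sys

ADMIN_CERT_LIMIT = 50  # per-cluster limit stated on this page

# Assumption: names follow the two example shapes shown on this page.
PATTERNS = (
    ("service ID", re.compile(r"^iam-ServiceId-(?P<id>.+)-admin-(?P<stamp>.+)$")),
    ("user", re.compile(r"^IBMid-(?P<id>.+)-admin-(?P<stamp>.+)$")),
)

# Constructed sample in the shape of `oc get clusterrolebinding ibm-admin-cert -o json`.
SAMPLE = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "ibm-admin-cert"},
    "subjects": [
        {"kind": "User", "name": "iam-ServiceId-aaaa-1111-admin-STAMP1"},
        {"kind": "User", "name": "IBMid-0000EXAMPLE-admin-STAMP2"},
        {"kind": "User", "name": "IBMid-0000EXAMPLE-admin-STAMP3"},
    ],
}


def classify(name):
    """Split an entry name into identity type, identity and trailing stamp."""
    for kind, pattern in PATTERNS:
        match = pattern.match(name)
        if match:
            return {"name": name, "kind": kind, "identity": match["id"], "stamp": match["stamp"]}
    return {"name": name, "kind": "unrecognized", "identity": None, "stamp": None}


def audit(binding):
    """Count User subjects against the limit and group entries by identity."""
    users = [s for s in binding.get("subjects") or [] if s.get("kind") == "User"]
    by_identity = {}
    for entry in (classify(s.get("name", "")) for s in users):
        by_identity.setdefault((entry["kind"], entry["identity"]), []).append(entry["name"])
    return {"count": len(users), "remaining": max(0, ADMIN_CERT_LIMIT - len(users)),
            "by_identity": by_identity}


if __name__ == "__main__":
    # Real JSON on stdin if piped, otherwise the constructed sample.
    report = audit(SAMPLE if sys.stdin.isatty() else json.load(sys.stdin))
    print(f"{report['count']} of {ADMIN_CERT_LIMIT} used, {report['remaining']} remaining")
    for (kind, identity), names in sorted(report["by_identity"].items(), key=str):
        print(f"{kind} {identity}: {', '.join(names)}")
```

Entries reported as `unrecognized` do not match either example shape and should be reviewed by hand rather than removed on the strength of this output.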