K
Q

How to verify Kubernetes service account token (JWT)

6/12/2018

I created a service account and created a Pod associated to this service account.
Inside the Pod I have the service account token:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15c2VydmljZS10b2tlbi1xY21jcSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJteXNlcnZpY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJlZmVkM2MwZi02ZTEwLTExZTgtYWEwOC0wMDUwNTY4NTdjYWYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpteXNlcnZpY2UifQ.Q6evTXCaZ99eBRsOrNnu-UlCJsYu4EKNijxEYyMe8Kq6G9e5likG08DwqMyUOP9uVT7kbOR6VOqIuJ4w0xShG6H2zcXhsF7dViFdo9LaYrs2830XjkiMRAxqJmkcvNseeqwBL1aS5SiNz_xf8RgIZaU1Oik69KVRWncno3dZHEyr2PrwDt4akSorCAC9nyhWKV-oL7FWtQjRKzfr3utbvGMLU6YKVN6cDR4C-GrvVUM1eI0o_-6kovz4VKJKfiOb0c7ttAM_9h4kNOaRxtmTVPTBzBEy6qJUgva0IUlpya8AChRyGncXc6qIJaVOkgUvZm7SpI77Czxz0TrkGezVhA/

I decoded the JWT with jwt.io website.

Down below it has a place that I can verify my token but it asks for Public Key or certificate:
enter image description here

Inside the Pod I have the cluster certificate (ca.crt):
enter image description here

I entered it but it said that it not valid.
ca.crt content:

-----BEGIN CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTE4MDYxMTA4MzkwM1oXDTI4MDYwODA4MzkwM1owFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANLb
SLZuYZhsLD4eazkGglgcusKD02MMO7hYw02OD5M9G4biC/ZFlWjdayLY9OTKwISW
kdyNHrOvW5+UMf1Kha+aJgRfaf96YpDadADsdA/pXKlxA23TzjCmCLgZiO4h+PNO
nxRTftM/o8hoUNhY6t71m2Pn5gE2+bdFuzBLM4rGIaDlFagn1iYnAys6faz4Q3Xn
n8xpp2Fl+kxf2JpCffgdfHd3M7DAHlFqdyBPa8i9byCPknSt/j8dR62Etxl1xOxl
QwtLXmRKOe134g1yxPMrIbh54JkOMuU0dyVV9WriUj04jskH+zIrQnGOztSvES2N
iLqwIM52IC6EwKAcbXUCAwEAAaMjMCEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAMfXDTlaoUFFloE/Ce8TwA32d6fD
tSUBX2xs5pMclacGAFtx505e+fpvkowR3qcJcjawov0bPdMyGNZyXyDWpCsvDVnH
850m+z91+mkqqom9vGmPk5MXoz7trzrKvkvl7CDaWyQlX8SV83c3ijyaeH8/crvC
Z3qeOkjekWnS/lKvQ9a+dFFou0ZsN3UGUpUtI12gwjvHYgTOwdpjX+CBp2TEnzd+
5NSkfv2QNom8cQmnEiSnI5JCxv3Vzi6z9uTGC7ok1EQAwwlYLBeyTpcz5PmCNvZ/
rw3eEneIyKxlSLafkNlEdhol2ZXZe+JS2zTzUVWlFbEtG/odGmn29BSN3nU=
-----END CERTIFICATE-----

Where can I find associated public key or certificate to this service account token?
Inside the worker there is a location /var/lib/kubelet/pki but the keys and certificates are related to the kubelet:
kubelet-client.crt kubelet-client.key kubelet.crt kubelet.key

Reference:
CA Certificate and JWT tokens on kubernetes

-- E235
authentication
jwt
kubernetes

Similar Questions

Will storageClass kubernetes.io/no-provisioner work for multi-node cluster?
Pull images from gcr when tag name of the image is constantly changing
Whitelist "kube-system" namespace using NetworkPolicy
GKE Container Registry Quota Exceeded
Cannot create ACI for new AKS cluster connected to existing on-prem Vnet
How to add condition to test http request using httptest in golang
ConfigMaps Not Found while Deploying an Application to Kubernetes Cluster

1 Answer

6/12/2018

It is not kubelet but kube-controller-manager which emits the service account tokens. You can find the key in the master node filesystem. Specifically, you can find the path in the value for the parameter --service-account-signing-key-file (private key) and --service-account-key-file (public key) in the apiserver configuration.

See the docs for these values here: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/

-- Ignacio Millán
Source: StackOverflow