Kubernetes Service Account Signing Key

4/16/2020

I am looking for the private key being used to sign service account tokens in my cluster. Is there a way I can find the path to this key or print it somehow?

The documentation says what flag is used to provide the key during startup, but there is no info about the current key in use.

-- Prashant Singh Rathore
eks
kubernetes
oauth-2.0
openid-connect

1 Answer

4/16/2020

You can check the path passed to the --service-account-private-key-file parameter of the kube controller manager component. This is the key used by the token controller to sign the service accounts.

--service-account-private-key-file string
Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.

In a cluster installed by kubeadm I could check the path by describing the pod kube-controller-manager-kind-control-plane (the pod name could be different in a different cluster) in the kube-system namespace:

kubectl describe pod kube-controller-manager-kind-control-plane -n kube-system
Name:                 kube-controller-manager-kind-control-plane
Namespace:            kube-system
Priority:             2000000000
Priority Class Name:  system-cluster-critical
Node:                 kind-control-plane/172.17.0.2
Start Time:           Tue, 14 Apr 2020 14:13:18 +0530
Labels:               component=kube-controller-manager
                      tier=control-plane
Annotations:          kubernetes.io/config.hash: 15e79e27a50d92dc481a5aaaad4399d8
                      kubernetes.io/config.mirror: 15e79e27a50d92dc481a5aaaad4399d8
                      kubernetes.io/config.seen: 2020-04-14T08:43:15.2951468Z
                      kubernetes.io/config.source: file
Status:               Running
IP:                   172.17.0.2
IPs:
  IP:           172.17.0.2
Controlled By:  Node/kind-control-plane
Containers:
  kube-controller-manager:
    Container ID:  containerd://6423f4d70cf0af2be708315b1aa5d4cb038d73b00b63f3d759db60e75f1ebf56
    Image:         k8s.gcr.io/kube-controller-manager:v1.17.0
    Image ID:      sha256:7818d75a7d002a3c1bb6e9d8fe4416e75ee7df87b57585ab4f8ef01ccba1ddaa
    Port:          <none>
    Host Port:     <none>
    Command:
      kube-controller-manager
      --allocate-node-cidrs=true
      --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
      --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
      --bind-address=127.0.0.1
      --client-ca-file=/etc/kubernetes/pki/ca.crt
      --cluster-cidr=10.244.0.0/16
      --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
      --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
      --controllers=*,bootstrapsigner,tokencleaner
      --enable-hostpath-provisioner=true
      --kubeconfig=/etc/kubernetes/controller-manager.conf
      --leader-elect=true
      --node-cidr-mask-size=24
      --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
      --root-ca-file=/etc/kubernetes/pki/ca.crt
      --service-account-private-key-file=/etc/kubernetes/pki/sa.key
      --service-cluster-ip-range=10.96.0.0/12
      --use-service-account-credentials=true

As can be seen above, in a cluster installed by kubeadm the key file is located on the master nodes at /etc/kubernetes/pki/sa.key.

Since you are on an EKS managed cluster, you will not have access to the master nodes.

-- Arghya Sadhu
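The answer above finds the key path by reading the controller manager's command line by eye. As an added example (not code from the answer or from Kubernetes itself), the script below extracts that flag value from the same kind of describe output programmatically, shows the live kubectl equivalent for a kubeadm cluster, and adds the file-permission check a defender would run on the master node. The describe text is a constructed sample mirroring the Command section shown above; kubectl access and GNU stat are assumed for the two live functions.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the SA signing key path
# out of controller-manager command-line flags.

# Print the value of --<flag>= from describe/command output read on stdin.
flag_value() {
  # $1: flag name without the leading dashes
  sed -n "s/^[[:space:]]*--$1=\(.*\)\$/\1/p"
}

# Constructed sample: a trimmed copy of the Command section from the answer.
SAMPLE_DESCRIBE='    Command:
      kube-controller-manager
      --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
      --root-ca-file=/etc/kubernetes/pki/ca.crt
      --service-account-private-key-file=/etc/kubernetes/pki/sa.key
      --use-service-account-credentials=true'

# Path of the SA signing key as configured in the sample.
sa_key_path() {
  printf '%s\n' "$SAMPLE_DESCRIBE" | flag_value service-account-private-key-file
}

# Live equivalent (assumes kubectl access): select the controller-manager pod
# by the label shown in the describe output and read its command list.
live_sa_key_path() {
  kubectl -n kube-system get pod -l component=kube-controller-manager \
    -o jsonpath='{.items[*].spec.containers[*].command}' \
    | tr -d '[]' | tr ' ' '\n' | flag_value service-account-private-key-file
}

# Defender's check on the master node (assumes GNU stat): the signing key
# should be readable only by its owner, as kubeadm writes it (mode 600).
check_key_mode() {
  key="${1:-/etc/kubernetes/pki/sa.key}"
  mode=$(stat -c '%a' "$key" 2>/dev/null) || { echo "cannot stat $key"; return 1; }
  if [ "$mode" = "600" ]; then
    echo "$key mode $mode OK"
  else
    echo "$key mode $mode is too permissive"; return 1
  fi
}

sa_key_path
```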
Source: StackOverflow