Verifying a Kubernetes serviceaccount token with step #67
Comments
Thank you, @olix0r. I believe
@olix0r right now we don't have a way to extract the public key from a certificate, but it's actually pretty simple to add, we will add it. After my tests, I checked that that key is not the one that has to be used to verify the token. But you can find it in the kube-apiserver
And then:
We punted on documenting this for the moment because it's really hard to explain when it's safe to skip these checks and when it's not. You have to go pretty deep on the semantics of JWT and JWS and various sorts of attacks in a particular context. The thinking is that you should only be skipping this stuff if you already know what you're doing. Unfortunately, k8s kinda screws with this product decision by making it a fairly common occurrence :/. FWIW the TokenSigning API is supposed to fix this stuff.
Thanks for the quick explanations!
One more question. It's entirely possible this is pebkac or... a kubernetes issue? For some reason, I'm still unable to use step to validate the token: Setup, as before, but using new version
Invalid signature
I observe this on both Linux (with minik8s) and Mac (with docker-desktop). Am I doing something obviously wrong? Perhaps this
Ah, now I understand @maraino's earlier comments after reading more about the Kubernetes configuration -- the key used to verify serviceaccount tokens is part of kube-api-server/kube-controller-manager's configuration; and, by default, the apiserver's private key is used. This has nothing to do with the
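The key distinction above, as an added example in Go (not code from the step project or from anyone in this thread): a token is minted with one RSA key standing in for the apiserver's service-account signing key, and verification succeeds only with that key's public half; checking it against an unrelated key, such as the one behind ca.crt, yields "invalid signature". The names newKey, signRS256 and verifyRS256 and the sample claims are assumptions constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var (
	b64 = base64.RawURLEncoding // JWS uses base64url without padding
	// Returned when pub did not sign the token, e.g. the key from ca.crt rather than the SA signing key.
	ErrInvalidSignature = errors.New("invalid signature")
)
// newKey stands in for a key file on disk (a fresh 2048-bit RSA key); constructed for this example.
func newKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// signRS256 mints a token the way kube-apiserver does for service accounts: RS256 over base64url(header).base64url(claims).
func signRS256(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims) // string claims cannot fail to marshal
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyRS256 checks the signature against pub (RS256 is fixed in code, never chosen from the header).
func verifyRS256(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, ErrInvalidSignature
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("unreadable claims")
	}
	return claims, nil
}
```

In a real cluster the public key to pass to verifyRS256 is the one matching the apiserver's service-account signing key, not the certificate in ca.crt.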
I'm trying to use step to verify a Kubernetes ServiceAccount token.
Provision a Service Account
Obtain the credentials
Inspect the credentials
Problem: How to verify credentials?
I can't figure out how to use the step CLI to validate that the given jwt was signed such that it can be trusted via the ca.crt...
(The --subtle flag isn't documented in --help output, so I don't know what I'm exactly specifying here)
Any suggestions?
Thanks.