# general
a
This message was deleted.
c
Not like that, no. You can generate additional user cert+key pairs if you have access to the cluster CA cert+key, but agents don’t have that - and SHOULD NOT have that data. Anyone who has access to the cluster CA keys essentially has full admin access to your cluster.
r
Is there a way an agent can get the kubeconfig to access kubectl commands without manually copying it from the cluster?
c
If you could do that, you’d have a pretty handy way to attack exposed clusters, wouldn’t you?
You’re asking “how do I get admin credentials without having access to admin credentials”.
r
I mean if there is any way of creating a service account with appropriate permissions and generating a kubeconfig file for that service account. Or if we have the same certs and we generate a kubeconfig with that cert.
c
You could use the built-in CertificateSigningRequest process to get the cluster to issue a cert for you… but you’d still need admin access to begin with in order to do that. https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
Agents don’t have admin credentials to the cluster. That is by design. What specifically are you trying to do that requires admin creds on an agent node?