This message was deleted.

I think

/var/lib/rancher/k3s/server/tls

Thx Austin - do you know where I can find the sa.pub? Doesn't look like the ServiceAccount certs are stored there

I’m not sure, but looking at this hardening guide I see options like this pointing to the same directory

--service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key            # 1.2.28
    --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key

interesting - yes... that looks like the private key?

I’ve never come across ServiceAccounts public keys in my work, it’s always just tokens. So I am probably unable to give you much more direction

thanks Austin - I was able to derive the public key from the private key... definitely got me closer than I was before 🙂

I believe you can also pull the signing cert from the apiservers embedded public oidc discovery endpoint?

I think you’re right BrandonD - but have to convert the JWKS to get the public key I think… anybody know of any good CLI based JWKS => RSA Public Key tools?

There's a web based tool out there somewhere for troubleshooting oidc that will decode the tokens for you

Need to automate harvesting of the

serviceaccount

public key but the web based JWKS decoder is throwing me for a loop

do you need it in a form other than what you can get from the apiserver with

kubectl get --raw /openid/v1/jwks

? There is also

/.well-known/openid-configuration

I need it in pem

there’s a web-based tool to do that at https://8gwifi.org/jwkconvertfunctions.jsp and a python example at https://github.com/jpf/okta-jwks-to-pem

Thank you BrandonD