Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
h
high-fall-28740
07/05/2022, 11:55 PMHello - Is there a K3s equivalent for a path location where certs are stored? E.g. /etc/kubernetes/pki/ ?
✅ 1
h
hundreds-state-15112
07/05/2022, 11:56 PMI think
/var/lib/rancher/k3s/server/tls🤘 1
Yup looks like it
h
high-fall-28740
07/06/2022, 12:00 AMThx Austin - do you know where I can find the sa.pub? Doesn't look like the ServiceAccount certs are stored there
h
hundreds-state-15112
07/06/2022, 12:04 AMI’m not sure, but looking at this hardening guide I see options like this pointing to the same directory
--service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key # 1.2.28
--service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.keyOtherwise
/var/lib/rancher/k3s/server/cred/h
high-fall-28740
07/06/2022, 12:07 AMinteresting - yes... that looks like the private key?
h
hundreds-state-15112
07/06/2022, 12:09 AMI’ve never come across ServiceAccounts public keys in my work, it’s always just tokens. So I am probably unable to give you much more direction
h
high-fall-28740
07/06/2022, 12:10 AMthanks Austin - I was able to derive the public key from the private key... definitely got me closer than I was before 🙂
🎉 1
i'll try using that derived public key to see if it works
c
creamy-pencil-82913
07/06/2022, 4:35 AMI believe you can also pull the signing cert from the apiservers embedded public oidc discovery endpoint?
It's been a while since I looked at it though
h
high-fall-28740
07/06/2022, 5:04 AMI think you’re right BrandonD - but have to convert the JWKS to get the public key I think… anybody know of any good CLI based JWKS => RSA Public Key tools?
c
creamy-pencil-82913
07/06/2022, 8:12 AMThere's a web based tool out there somewhere for troubleshooting oidc that will decode the tokens for you
What are you trying to accomplish?
h
high-fall-28740
07/06/2022, 3:44 PMNeed to automate harvesting of the
serviceaccountc
creamy-pencil-82913
07/06/2022, 5:19 PMdo you need it in a form other than what you can get from the apiserver with
kubectl get --raw /openid/v1/jwks/.well-known/openid-configurationas per the docs, the normal flow is
The JWKS response contains public keys that a relying party can use to validate the Kubernetes service account tokens. Relying parties first query for the OpenID Provider Configuration, and use thefield in the response to find the JWKS.jwks_uri
👍 1
h
high-fall-28740
07/06/2022, 5:48 PMI need it in pem
c
creamy-pencil-82913
07/06/2022, 6:06 PMthere’s a web-based tool to do that at https://8gwifi.org/jwkconvertfunctions.jsp and a python example at https://github.com/jpf/okta-jwks-to-pem
🤘 1
you can probably find other examples in your language of choice
h
high-fall-28740
07/06/2022, 8:24 PMThank you BrandonD