如何验证Kubernetes服务帐户令牌(JWT)

时间:2018-06-12 09:13:14

标签: authentication kubernetes jwt

我创建了一个服务帐户,并创建了一个与此服务帐户关联的Pod 在Pod内部,我有服务帐户令牌:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15c2VydmljZS10b2tlbi1xY21jcSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJteXNlcnZpY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJlZmVkM2MwZi02ZTEwLTExZTgtYWEwOC0wMDUwNTY4NTdjYWYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpteXNlcnZpY2UifQ.Q6evTXCaZ99eBRsOrNnu-UlCJsYu4EKNijxEYyMe8Kq6G9e5likG08DwqMyUOP9uVT7kbOR6VOqIuJ4w0xShG6H2zcXhsF7dViFdo9LaYrs2830XjkiMRAxqJmkcvNseeqwBL1aS5SiNz_xf8RgIZaU1Oik69KVRWncno3dZHEyr2PrwDt4akSorCAC9nyhWKV-oL7FWtQjRKzfr3utbvGMLU6YKVN6cDR4C-GrvVUM1eI0o_-6kovz4VKJKfiOb0c7ttAM_9h4kNOaRxtmTVPTBzBEy6qJUgva0IUlpya8AChRyGncXc6qIJaVOkgUvZm7SpI77Czxz0TrkGezVhA/

我用jwt.io网站解码了JWT。

在它下面有一个我可以验证我的令牌但它要求公钥或证书的地方:
enter image description here

在Pod内部,我有群集证书(ca.crt):
enter image description here

我进入了它,但它说它无效。
ca.crt内容:

-----BEGIN CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTE4MDYxMTA4MzkwM1oXDTI4MDYwODA4MzkwM1owFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANLb
SLZuYZhsLD4eazkGglgcusKD02MMO7hYw02OD5M9G4biC/ZFlWjdayLY9OTKwISW
kdyNHrOvW5+UMf1Kha+aJgRfaf96YpDadADsdA/pXKlxA23TzjCmCLgZiO4h+PNO
nxRTftM/o8hoUNhY6t71m2Pn5gE2+bdFuzBLM4rGIaDlFagn1iYnAys6faz4Q3Xn
n8xpp2Fl+kxf2JpCffgdfHd3M7DAHlFqdyBPa8i9byCPknSt/j8dR62Etxl1xOxl
QwtLXmRKOe134g1yxPMrIbh54JkOMuU0dyVV9WriUj04jskH+zIrQnGOztSvES2N
iLqwIM52IC6EwKAcbXUCAwEAAaMjMCEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAMfXDTlaoUFFloE/Ce8TwA32d6fD
tSUBX2xs5pMclacGAFtx505e+fpvkowR3qcJcjawov0bPdMyGNZyXyDWpCsvDVnH
850m+z91+mkqqom9vGmPk5MXoz7trzrKvkvl7CDaWyQlX8SV83c3ijyaeH8/crvC
Z3qeOkjekWnS/lKvQ9a+dFFou0ZsN3UGUpUtI12gwjvHYgTOwdpjX+CBp2TEnzd+
5NSkfv2QNom8cQmnEiSnI5JCxv3Vzi6z9uTGC7ok1EQAwwlYLBeyTpcz5PmCNvZ/
rw3eEneIyKxlSLafkNlEdhol2ZXZe+JS2zTzUVWlFbEtG/odGmn29BSN3nU=
-----END CERTIFICATE-----

在哪里可以找到与此服务帐户令牌相关联的公钥或证书? 在工人内部有一个位置/var/lib/kubelet/pki,但钥匙和证书与kubelet相关:
kubelet-client.crt kubelet-client.key kubelet.crt kubelet.key

参考:
CA Certificate and JWT tokens on kubernetes

1 个答案:

答案 0 :(得分:0)

不是kubelet而是kube-controller-manager,它发出服务帐户令牌。您可以在主节点文件系统中找到密钥。具体来说,您可以在apiserver配置中找到参数--service-account-signing-key-file(私钥)和--service-account-key-file(公钥)的值中的路径。

请在此处查看有关这些值的文档:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/