How to get Kubernetes CA Certificate

In this post we will look at four ways to fetch the Kubernetes cluster CA certificate (ca.crt). A service needs it to verify the API server's serving certificate, which is how a client tells the real API server apart from something sitting in the middle of the connection; it is also the certificate against which client certificates issued by the cluster CA are checked. I prefer one of the last two methods, but the right choice depends on your use case, for example whether you need the certificate outside a container (a workstation that already has a kubeconfig) or inside one (a pod).

Method-1: Manually log in to the master node (SSH access to the control-plane node is needed; not preferred)

On a kubeadm-built cluster the control-plane PKI lives under /etc/kubernetes/pki/. Only ca.crt is needed: it is public and world-readable (mode 0644 below). Never copy ca.key off the node; whoever holds it can sign a client certificate for any identity, including the system:masters group. Also note that front-proxy-ca.crt is a separate CA used by the API aggregation layer, not the cluster CA.

ls -lrt /etc/kubernetes/pki/
total 48
-rw------- 1 root root 1679 May 29 21:28 ca.key
-rw-r--r-- 1 root root 1099 May 29 21:28 ca.crt
-rw------- 1 root root 1679 May 29 21:28 apiserver.key
-rw-r--r-- 1 root root 1359 May 29 21:28 apiserver.crt
-rw------- 1 root root 1675 May 29 21:28 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1164 May 29 21:28 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 May 29 21:28 front-proxy-ca.key
-rw-r--r-- 1 root root 1115 May 29 21:28 front-proxy-ca.crt
-rw------- 1 root root 1679 May 29 21:28 front-proxy-client.key
-rw-r--r-- 1 root root 1119 May 29 21:28 front-proxy-client.crt
-rw------- 1 root root  451 May 29 21:28 sa.pub
-rw------- 1 root root 1679 May 29 21:28 sa.key


cat /etc/kubernetes/pki/ca.crt
-----BEGIN CERTIFICATE-----
MIIC/jCCAeagAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTIyMDUyOTIxMjgzNFoXDTMyMDUyNjIxMjgzNFowFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL1D
9Tgx+ulGo0XNpSNlx+7I6+ErbjangxVDIqqfjQdPYEgKqSO5QRp+CDzx08lY9wrp
C2vsoznbjocMNF0vyPB0eT3iGhPke6489ogzBL9Ahxcd0b/VctSrcdINe37/G1la
aZwFoMPPf904O7EhXEEGC3OfhuhMn1eHUr33lqlfIczesQv6/1g9dGUiYRTNNt/2
+StdtYAINv1pRUKISdS4hasCyDawHxZ7KzCRUiGwAHskN1KxLc5xmZy9W5CNEb+5
t0hMatf6Dcipcqig4QHiQGihUd3Uo87uCh85mWagxRU0W753Xjn7O9Pnwlgqtg7k
64ptS1GxC8cWplkSZJUCAwEAAaNZMFcwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
/wQFMAMBAf8wHQYDVR0OBBYEFNdzSiZZ1MoLgJV82eRlFkrElMXmMBUGA1UdEQQO
MAyCCmt1YmVybmV0ZXMwDQYJKoZasdcNAQELBQADggEBAGX8hAlJpfF2OTQxKprw
Y84r56929ePRJo9tWnz32ByyiNjt2P8tOwTlHPKvSbwu/U45YU9AiEkJJ+Gac6EI
PdQ036ZXDBfRuLYKPuSISFRxAz8f7/hi/yCTo1bZAu7Z011E5KOa1nGkWVGZnUhA
c1NqMzyiS4g6RjivkagMARo6B8QGIPjkfhjahlhyYEju69Ip+X60x3bh7mRE903R
hfCXb4uCO2F9Wk4goVw/dWX69VsKo1jm29c9Y6dtpeqlWqO9pNM8+ZD8i7df28hU
oe1i0qz0CFKS+qk/HkDl8FPSlL3QwC87jdL8L1G7E6wwiC2lF8v8Y/xwW8ijhd9t
qUQ=
-----END CERTIFICATE-----

Method-2: Fetch it from any running pod that has a service account token mounted (if needed within the pod)

The kubelet projects the service account token, the pod's namespace and the cluster CA into /var/run/secrets/kubernetes.io/serviceaccount/ in every container (unless automountServiceAccountToken is set to false on the pod or its service account, in which case the directory is absent). The ca.crt there is exactly what an in-cluster client should trust when it talks to the API server at https://kubernetes.default.svc. Note that this is the in-pod mount path, not the control-plane path from Method-1.

kubectl exec -it foo -- bash
cd /var/run/secrets/kubernetes.io/serviceaccount/
cat ca.crt
-----BEGIN CERTIFICATE-----
(same certificate as shown in Method-1)
-----END CERTIFICATE-----

# OR you can fetch it directly, without an interactive shell:

kubectl exec foo -- cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

Since Kubernetes 1.21 the same certificate is also published in every namespace as the kube-root-ca.crt ConfigMap (that is where the projected ca.crt comes from), so it can be read with kubectl get configmap without exec-ing into any pod.

Method-3: Using your own kubeconfig file (go-template; --raw is required, otherwise kubectl prints DATA+OMITTED in place of the certificate data; caveat: this dumps the CA of the first cluster entry, which is not necessarily the cluster your current context points at when the kubeconfig contains several clusters)

kubectl config view --raw -o go-template='{{index ((index (index .clusters 0) "cluster")) "certificate-authority-data"|base64decode}}'
-----BEGIN CERTIFICATE-----
MIIC/jCCAeagAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTIyMDUyOTIxMjgzNFoXDTMyMDUyNjIxMjgzNFowFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL1D
9Tgx+ulGo0XNpSNlx+7I6+ErbjangxVDIqqfjQdPYEgKqSO5QRp+CDzx08lY9wrp
C2vsoznbjocMNF0vyPB0eT3iGhPke6489ogzBL9Ahxcd0b/VctSrcdINe37/G1la
aZwFoMPPf904O7EhXEEGC3OfhuhMn1eHUr33lqlfIczesQv6/1g9dGUiYRTNNt/2
+StdtYAINv1pRUKISdS4hasCyDawHxZ7KzCRUiGwAHskN1KxLc5xmZy9W5CNEb+5
t0hMatf6Dcipcqig4QHiQGihUd3Uo87uCh85mWagxRU0W753Xjn7O9Pnwlgqtg7k
64ptS1GxC8cWplkSZJUCAwEAAaNZMFcwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
/wQFMAMBAf8wHQYDVR0OBBYEFNdzSiZZ1MoLgJV82eRlFkrElMXmMBUGA1UdEQQO
MAyCCmt1YmVybmV0ZXMwDQYJKoZasdcNAQELBQADggEBAGX8hAlJpfF2OTQxKprw
Y84r56929ePRJo9tWnz32ByyiNjt2P8tOwTlHPKvSbwu/U45YU9AiEkJJ+Gac6EI
PdQ036ZXDBfRuLYKPuSISFRxAz8f7/hi/yCTo1bZAu7Z011E5KOa1nGkWVGZnUhA
c1NqMzyiS4g6RjivkagMARo6B8QGIPjkfhjahlhyYEju69Ip+X60x3bh7mRE903R
hfCXb4uCO2F9Wk4goVw/dWX69VsKo1jm29c9Y6dtpeqlWqO9pNM8+ZD8i7df28hU
oe1i0qz0CFKS+qk/HkDl8FPSlL3QwC87jdL8L1G7E6wwiC2lF8v8Y/xwW8ijhd9t
qUQ=
-----END CERTIFICATE-----

Method-4: Using your own kubeconfig (jsonpath; the same caveat as above). Replacing [0] with [*] prints the data for all clusters, but as one space-separated line that is not a single valid base64 blob, so decode each entry separately. The cleaner fix for the caveat is to add --minify, which restricts the view to the cluster of the current context so that index 0 is always the right one.

kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
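The first-cluster caveat of Method-3 and Method-4, handled programmatically, as an added example that is not part of the original post: the script below resolves the cluster through current-context (the same thing --minify does on the command line), accepts either inline certificate-authority-data or a certificate-authority file path, refuses a cluster entry that sets insecure-skip-tls-verify without naming a CA, splits a PEM bundle into its individual certificates, and prints the SHA-256 fingerprint of each so it can be compared with the ca.crt obtained by Method-1 or Method-2. The kubeconfig embedded in it is constructed for the example, its two CA entries are tiny stand-in DER blobs rather than real certificates, and the script name kubeconfig_ca.py is hypothetical.

```python
import base64
import hashlib
import json
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def cluster_for_context(cfg, context_name=None):
    """Cluster block used by the named (default: current) context; this is the
    lookup that Method-3/Method-4 skip when they hard-code clusters[0]."""
    name = context_name or cfg.get("current-context")
    if not name:
        raise ValueError("kubeconfig has no current-context; pass context_name")
    ctx = next((c for c in cfg.get("contexts", []) if c["name"] == name), None)
    if ctx is None:
        raise KeyError(f"context {name!r} not found")
    cluster_name = ctx["context"]["cluster"]
    cl = next((c for c in cfg.get("clusters", []) if c["name"] == cluster_name), None)
    if cl is None:
        raise KeyError(f"cluster {cluster_name!r} not found")
    return cl["cluster"]


def ca_pem_from_cluster(cluster, read_file=None):
    """CA bundle as PEM text (inline data or file path), None if the entry names
    no CA, error if it disables TLS verification instead of naming one."""
    if "certificate-authority-data" in cluster:
        return base64.b64decode(cluster["certificate-authority-data"], validate=True).decode("ascii")
    if "certificate-authority" in cluster:
        read_file = read_file or (lambda p: open(p, encoding="ascii").read())
        return read_file(cluster["certificate-authority"])
    if cluster.get("insecure-skip-tls-verify"):
        raise ValueError("cluster sets insecure-skip-tls-verify and carries no CA to pin against")
    return None  # kubectl would fall back to the system trust store


def pem_certs(pem_text):
    """Split a PEM bundle into DER blobs; a kubeconfig CA may hold several certs."""
    ders, inside, chunks = [], False, []
    for line in pem_text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            inside, chunks = True, []
        elif line == PEM_END:
            if not inside:
                raise ValueError("END CERTIFICATE without matching BEGIN")
            ders.append(base64.b64decode("".join(chunks), validate=True))
            inside = False
        elif inside:
            chunks.append(line)
    if inside:
        raise ValueError("truncated PEM block")
    return ders


def sha256_fingerprint(der):
    """Colon-separated SHA-256, as `openssl x509 -noout -fingerprint -sha256` prints it."""
    hx = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hx[i:i + 2] for i in range(0, len(hx), 2))


def extract_ca(cfg, context_name=None):
    """Resolve context -> cluster -> CA; return server, PEM text and per-cert fingerprints."""
    cluster = cluster_for_context(cfg, context_name)
    pem = ca_pem_from_cluster(cluster)
    if pem is None:
        return None
    return {"server": cluster["server"], "pem": pem,
            "fingerprints": [sha256_fingerprint(d) for d in pem_certs(pem)]}


def _ca_data(der):
    """base64(PEM(der)), the encoding kubeconfig uses; only for the constructed sample."""
    b64 = base64.b64encode(der).decode("ascii")
    pem = "\n".join([PEM_BEGIN, *[b64[i:i + 64] for i in range(0, len(b64), 64)], PEM_END]) + "\n"
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


# Constructed sample: the "CAs" are minimal DER SEQUENCEs, NOT real certificates,
# and current-context deliberately points at the SECOND cluster, not clusters[0].
DEV_DER, PROD_DER = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config", "current-context": "prod-admin",
    "clusters": [
        {"name": "dev", "cluster": {"server": "https://10.0.0.10:6443",
                                    "certificate-authority-data": _ca_data(DEV_DER)}},
        {"name": "prod", "cluster": {"server": "https://10.0.0.20:6443",
                                     "certificate-authority-data": _ca_data(PROD_DER)}},
    ],
    "contexts": [
        {"name": "dev-admin", "context": {"cluster": "dev", "user": "dev-admin"}},
        {"name": "prod-admin", "context": {"cluster": "prod", "user": "prod-admin"}},
    ],
    "users": [],
}

if __name__ == "__main__":
    # Real use (hypothetical name): kubectl config view --raw -o json | python3 kubeconfig_ca.py [context]
    cfg = SAMPLE_KUBECONFIG if sys.stdin.isatty() else json.load(sys.stdin)
    info = extract_ca(cfg, sys.argv[1] if len(sys.argv) > 1 else None)
    if info is None:
        sys.exit("cluster entry has no CA; kubectl would use the system trust store")
    print("\n".join(f"{info['server']}  sha256 {fp}" for fp in info["fingerprints"]))
    sys.stdout.write(info["pem"])
```

Run it without input and it works on the embedded sample, returning the prod cluster's CA even though that cluster is second in the list; pipe kubectl config view --raw -o json into it for a real kubeconfig. Compare the printed fingerprint with openssl x509 -noout -fingerprint -sha256 -in /etc/kubernetes/pki/ca.crt from Method-1: a mismatch means the kubeconfig (which may have been handed to you by someone else) trusts a different CA than the control plane actually uses.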

Read more at the following link:

https://github.com/kubernetes/kubernetes/issues/61572
