How to verify Kubernetes service account token JWT

Kubernetes service accounts provide an identity for pods that need to interact with the Kubernetes API. Tokens associated with these accounts are typically JSON Web Tokens (JWTs), which are industry-standard tokens that convey claims and are signed for integrity. Verifying a Kubernetes service account token involves confirming its signature, validity, and claims, effectively ensuring trust and security when dealing with such tokens.

Understanding Kubernetes Service Account Tokens

What are Service Account Tokens?

In Kubernetes, a service account is used to provide an identity for processes that run in a pod. Each service account has an associated secret that holds the account's token, which is a JWT. This token can be used to authenticate with the Kubernetes API.

  1. Format:
    • Tokens are JWTs, formatted as `<header>.<payload>.<signature>`.
    • The header specifies the type of token and the signing algorithm.
    • The payload typically includes the issuer, the subject (the service account), and the audience (Kubernetes API server).
    • The signature is used to verify the token's integrity.
  2. Location:
    • Tokens are automatically mounted in pods at /var/run/secrets/kubernetes.io/serviceaccount/token.

Components of a JWT

  1. Header:
    • Identifies the token type and the signing algorithm (alg) used to produce the signature.
  2. Payload claims:
    • iss: Issuer of the token.
    • sub: Subject, usually in the form `system:serviceaccount:<namespace>:<serviceaccount>`.
    • aud: Audience, usually the API server URL.
    • exp: Expiration time.
  3. Signature:
    • Produced with the issuer's private key; verifying it confirms the sender and detects tampering.

Verifying the Token

  1. Signature verification:
    • Use the public key from the Kubernetes API server to verify the token's signature.
    • The public key is provided by the service account issuer, typically through an endpoint such as an OpenID Connect provider configuration (/.well-known/openid-configuration).
  2. Claim validation:
    • Issuer (iss): Verify it matches the expected issuer URI.
    • Audience (aud): Ensure it includes the intended audience, usually the API server.
    • Expiration (exp): Check that the token has not expired.
  3. Practical steps:
    • Fetch the OpenID configuration to retrieve the public keys.
    • Parse the jwks_uri from the configuration and fetch the JSON Web Key Set (JWKS) used for signature verification.
    • Use libraries such as jwt-go in Go, PyJWT in Python, or jsonwebtoken in Node.js for JWT parsing and verification.
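The steps above carried through end to end, as an added example that is not part of the original article: plain Python that does what a library such as PyJWT does internally, taking jwks_uri from the discovery document, selecting the RSA key in the JWKS by kid, checking the RS256 signature, then validating iss, aud, exp and the sub prefix. It uses only the standard library so the mechanics stay visible; production code should use a maintained JWT library as recommended above. The discovery document is a constructed sample, and the in-cluster issuer URL and the function names are assumptions.

```python
import base64, hashlib, json, time
# Constructed sample OIDC discovery document (assumed default in-cluster issuer URL).
SAMPLE_DISCOVERY = {"issuer": "https://kubernetes.default.svc.cluster.local",
                    "jwks_uri": "https://kubernetes.default.svc.cluster.local/openid/v1/jwks"}
# ASN.1 DigestInfo prefix for SHA-256; RS256 is RSASSA-PKCS1-v1_5 over SHA-256.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwks_uri_from_discovery(discovery, expected_issuer):
    """Take jwks_uri from the discovery document, refusing one published for another issuer."""
    if discovery.get("issuer") != expected_issuer:
        raise ValueError("discovery document issuer mismatch")
    return discovery["jwks_uri"]

def rs256_verify(jwk, signing_input, signature):
    """Check an RS256 signature against one RSA JWK (kty=RSA, n, e) with stdlib only."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_sa_token(token, jwks, expected_issuer, expected_audience, now=None):
    """Verify the signature, then iss/aud/exp/sub; return the claims or raise ValueError."""
    now = time.time() if now is None else now
    h_b64, p_b64, s_b64 = token.split(".")  # ValueError unless exactly three parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # pin the algorithm; never accept alg=none or HMAC here
        raise ValueError("unexpected alg")
    candidates = [k for k in jwks["keys"] if k.get("kty") == "RSA"
                  and ("kid" not in header or k.get("kid") == header["kid"])]
    signing_input = (h_b64 + "." + p_b64).encode()
    if not any(rs256_verify(k, signing_input, b64url_decode(s_b64)) for k in candidates):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(p_b64))  # trust the claims only after the signature check
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        raise ValueError("subject is not a service account")
    return claims
```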
