Kubernetes API server - different ways to extract its certificate


Using kubectl 

# ConfigMap data values are stored as plain text, so the PEM is printed as-is (no base64 decoding)
kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}'

Getting it from the kubeconfig.

cat ~/.kube/config

clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FUR...
    server: https://your-kubernetes-api-server:6443
  name: your-cluster

Then base64-decode it:
echo "LS0tLS1CRUdJTiBDRVJUSUZJQ0FUR..." | base64 --decode > ca.crt

Using openssl command line

openssl s_client -connect your-kubernetes-api-server:6443 < /dev/null | openssl x509 -outform PEM > api-server.crt

openssl x509 -in api-server.crt -text -noout
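The kubeconfig method yields the cluster CA (ca.crt), while openssl s_client yields the API server's serving certificate (api-server.crt), so a useful check is that the second chains to the first. The script below is an added example, not part of the original post: it builds throwaway certificates and a constructed kubeconfig so it runs offline, and the function names are made up for illustration.

```bash
# Added example: every certificate and the kubeconfig below are constructed test data.

# Print the PEM CA bundle embedded in a kubeconfig (first cluster entry only).
kubeconfig_ca_pem() {
  awk '/certificate-authority-data:/ { print $2; exit }' "$1" | base64 --decode
}

# Succeed only if the serving certificate ($2) chains to the CA bundle ($1).
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway CA, a serving cert it signed, and an unrelated self-signed cert.
make_fixtures() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-cluster-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-apiserver" \
    -keyout "$d/api.key" -out "$d/api.csr" 2>/dev/null
  openssl x509 -req -in "$d/api.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/api-server.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-other" \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
  # Constructed kubeconfig carrying the CA the same way a real one does.
  printf 'clusters:\n- cluster:\n    certificate-authority-data: %s\n    server: https://your-kubernetes-api-server:6443\n  name: your-cluster\n' \
    "$(base64 < "$d/ca.crt" | tr -d '\n')" > "$d/config"
}

# Echo "trusted" or "untrusted" for a serving cert checked against the kubeconfig CA.
check_against_kubeconfig() {
  local kubeconfig=$1 cert=$2 ca
  ca=$(mktemp)
  kubeconfig_ca_pem "$kubeconfig" > "$ca"
  if chains_to_ca "$ca" "$cert"; then echo trusted; else echo untrusted; fi
  rm -f "$ca"
}

demo_dir=$(mktemp -d)
make_fixtures "$demo_dir"
check_against_kubeconfig "$demo_dir/config" "$demo_dir/api-server.crt"   # trusted
check_against_kubeconfig "$demo_dir/config" "$demo_dir/other.crt"        # untrusted
```

Against a real cluster, pass ~/.kube/config and the api-server.crt saved by the openssl s_client step to check_against_kubeconfig.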




 
