s g

Reputation: 5637

Get kubeconfig by ssh into cluster

If I am able to SSH into the master or any nodes in the cluster, is it possible for me to get 1) the kubeconfig file or 2) all information necessary to compose my own kubeconfig file?

Upvotes: 3

Views: 5400

Answers (2)

YAP

Reputation: 76

You could find the configuration on the master node under /etc/kubernetes/admin.conf (on v1.8+).

On some versions of Kubernetes, this can be found under ~/.kube.

Upvotes: 4

ahmet alp balkan

Reputation: 45206

I'd be interested in hearing the answer to this as well. But I think it depends on how the authentication is set up. For example,

  • Minikube uses "client certificate" authentication. If it stores the client.key on the cluster as well, you might construct a kubeconfig file by combining it with the cluster’s CA public key.
  • GKE (Google Kubernetes Engine) uses authentication on a frontend that's separate from the Kubernetes cluster (masters are hosted separately). You can't ssh into the master, but if it was possible, you still might not be able to construct a token that works against the API server.

However, by default Pods have a service account token that can be used to authenticate to the Kubernetes API. So if you SSH into a node and run docker exec into a container managed by Kubernetes, you will see this:

/ # ls run/secrets/kubernetes.io/serviceaccount
ca.crt     namespace  token

You can combine ca.crt and token to construct a kubeconfig file that will authenticate to the Kubernetes master.

So the answer to your question is yes, if you SSH into a node, you can then jump into a Pod and collect information to compose your own kubeconfig file. (See this question on how to disable this. I think there are solutions to disable it by default as well by forcing RBAC and disabling ABAC, but I might be wrong.)

Upvotes: 1
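
Added example, not part of either answer: the second answer notes that the service account token is mounted into Pods by default and that this can be disabled. This Python example audits pod objects, shaped like `kubectl get pods -A -o json` output, for containers that still mount the token directory. The sample pods and their names are constructed; `automountServiceAccountToken` is the Kubernetes pod-spec field that turns the mount off.

```python
# The token directory as it appears in a pod spec; /var/run is a symlink to
# /run inside most images, which is why the listing above shows run/secrets/...
SA_PATHS = {"/var/run/secrets/kubernetes.io/serviceaccount",
            "/run/secrets/kubernetes.io/serviceaccount"}
MOUNT = "/var/run/secrets/kubernetes.io/serviceaccount"


def _pod(ns, name, sa, containers, automount=None):
    """Build a constructed pod object shaped like one item of the pod list JSON."""
    spec = {"serviceAccountName": sa, "containers": [
        {"name": c,
         "volumeMounts": [{"name": "kube-api-access", "mountPath": p}] if p else []}
        for c, p in containers]}
    if automount is not None:
        spec["automountServiceAccountToken"] = automount
    return {"metadata": {"namespace": ns, "name": name}, "spec": spec}


# Constructed sample data (hypothetical namespaces, pods and service accounts).
SAMPLE = {"items": [
    _pod("default", "web", "default", [("nginx", MOUNT)]),
    _pod("default", "batch", "default", [("worker", None)], automount=False),
    _pod("ops", "deployer", "deploy-bot", [("main", MOUNT), ("logger", None)]),
]}


def token_mounts(pod):
    """Return the names of containers in a pod that mount the token directory."""
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [c["name"] for c in containers
            if any(m.get("mountPath", "").rstrip("/") in SA_PATHS
                   for m in c.get("volumeMounts", []))]


def audit(pod_list):
    """Return sorted (namespace, pod, service account, containers) findings."""
    findings = []
    for pod in pod_list.get("items", []):
        names = token_mounts(pod)
        if names:
            meta, spec = pod["metadata"], pod["spec"]
            findings.append((meta["namespace"], meta["name"],
                             spec.get("serviceAccountName", "default"), names))
    return sorted(findings)


if __name__ == "__main__":
    for ns, name, sa, names in audit(SAMPLE):
        print(f"{ns}/{name}: token for service account '{sa}' mounted in {names}")
```

Each finding is a Pod whose service account's RBAC permissions are reachable by anyone with exec or node access, so those are the workloads to review for `automountServiceAccountToken: false` or a narrower role.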
