int128 / kubelogin

kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login)
Apache License 2.0
1.63k stars 191 forks

Understand the "get certificate" step in the diagram #727

Open tz-torchai opened 2 years ago

tz-torchai commented 2 years ago

Describe the question

Thanks so much for this wonderful and convenient tool.

I understand all the other steps in the diagram except step 12 and step 13. What will kube-apiserver do after receiving the request with the token? Could anyone explain that to me? Thanks in advance!

int128 commented 2 years ago

When the Kubernetes API server receives an ID token (JWT) from kubectl, it verifies the signature of the token against the issuer certificate.

See the doc for details.

  1. The API server will make sure the JWT signature is valid by checking against the certificate named in the configuration https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

If you are interested in OpenID Connect, see also this doc.

The Client MUST validate the signature of all other ID Tokens according to JWS [JWS] using the algorithm specified in the JWT alg Header Parameter. The Client MUST use the keys provided by the Issuer. https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
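As an added example (my own code, not kubelogin's and not the Kubernetes API server's), here is the check described in the answer above written out in Go: the verifier splits the JWS, pins the algorithm to RS256, selects the issuer's signing key by the kid in the header, verifies the signature over header.payload, and only then reads and checks iss, aud and exp against what the server was configured with. The issuer key pair, the kid key-1, the issuer URL https://issuer.example.com and the client id kubernetes are constructed for the example, and a Go map stands in for the issuer's published JWKS; SignRS256 is there only to produce a token to verify.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims are the ID token claims checked after the signature; aud is a plain string here (OIDC also allows an array).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// b64 is the unpadded base64url encoding JWS uses for every segment.
var b64 = base64.RawURLEncoding

// SignRS256 plays the issuer: it signs header.payload with the issuer's RSA
// private key (RS256 = RSASSA-PKCS1-v1_5 over SHA-256) and names the key by kid.
func SignRS256(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	p, _ := json.Marshal(c)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// decodeSegment base64url-decodes one JWS segment and parses it as JSON into v.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyIDToken is the server side of steps 12 and 13: pick the issuer key named
// by kid, verify the JWS signature, then check iss, aud and exp. The keys map
// stands in for the issuer's published JWKS (an assumption of this example).
func VerifyIDToken(token string, keys map[string]*rsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS: expected 3 segments, got %d", len(parts))
	}
	var h struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodeSegment(parts[0], &h); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	// Pin the algorithm; honouring "none" or an HMAC alg taken from the token is the classic JWT bug.
	if h.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", h.Alg)
	}
	pub, ok := keys[h.Kid]
	if !ok {
		return nil, fmt.Errorf("no issuer key with kid %q", h.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	// Claims are read only once the signature is known to be good.
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("iss %q does not match the configured issuer", c.Iss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("aud %q does not match the configured client id", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired at %d", c.Exp)
	}
	return &c, nil
}

func main() {
	// Constructed issuer key pair; a real issuer publishes the public half in its JWKS.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, _ := SignRS256(key, "key-1", Claims{Iss: "https://issuer.example.com", Sub: "alice", Aud: "kubernetes", Exp: now.Add(time.Hour).Unix()})
	fmt.Println(VerifyIDToken(tok, map[string]*rsa.PublicKey{"key-1": &key.PublicKey}, "https://issuer.example.com", "kubernetes", now))
}
```

A valid token comes back with its claims and a nil error; changing any byte of the payload, presenting a kid the issuer never published, a token issued for a different client id, or an expired token makes VerifyIDToken return an error before any claim is trusted. In a real deployment the signing keys are fetched from the issuer's JWKS endpoint over TLS, and the CA certificate in the server configuration authenticates that TLS connection rather than being the signing key itself.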