What is the URL of k8s api server JWKS?

Cluster information:

Kubernetes version: v1.18
Cloud being used: IBM Cloud
Installation method: cloud provisioning
Host OS: Ubuntu
CNI and version:
CRI and version:

I’m trying to find out the JWKS URL of the apiserver so I can get the public key to validate a service account token in a deployed app, but when issuing a curl command from a pod, I got:

$ curl -k -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default/openid/v1/jwks
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:serviceaccount:<removed>:default\" cannot get path \"/.well-known/openid-configuration\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
}

This is what I learned:
The JWKS URL is only available from k8s v1.20+, which provides service account issuer discovery as a beta feature. With k8s v1.20, you can do:

$ kubectl get --raw /.well-known/openid-configuration

and:

$ kubectl get --raw /openid/v1/jwks

Notice that the above two endpoints require a service account token in the Authorization header, like Bearer <sa-token>.

Thanks for the detailed replies from John, who provided the above commands.
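Once an app has fetched the key set from /openid/v1/jwks (the jwks_uri advertised by /.well-known/openid-configuration, the two endpoints the post ends up with), it still has to do the actual token check. The Go program below is an added example, not code from the original post or from Kubernetes: verifyServiceAccountToken picks the RSA key by kid from the JWKS bytes, pins the algorithm to RS256, verifies the signature before reading any claim, and then checks iss, aud and exp. The issue function only stands in for the API server so the example runs offline without a cluster; the issuer URL, the kid value, the audience my-app and the subject system:serviceaccount:default:my-app are constructed test values. In a real deployment the issuer must match the cluster's configured value and the JWKS bytes come from the endpoint above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type saClaims struct { // claims a workload checks in a projected service account token ("aud" is an array there)
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

var b64 = base64.RawURLEncoding

// keyForKid parses the key set served at /openid/v1/jwks (RFC 7517) and rebuilds the RSA
// public key whose kid matches from its base64url "n" and "e" members.
func keyForKid(jwksJSON []byte, kid string) (*rsa.PublicKey, error) {
	var doc struct{ Keys []struct{ Kty, Kid, N, E string } } // encoding/json matches member names case-insensitively
	if err := json.Unmarshal(jwksJSON, &doc); err != nil {
		return nil, fmt.Errorf("jwks: %w", err)
	}
	for _, k := range doc.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if exp := new(big.Int).SetBytes(e); k.Kid == kid && k.Kty == "RSA" && errN == nil && errE == nil && exp.BitLen() <= 31 {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(exp.Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable RSA key with kid %q in JWKS", kid)
}

// verifyServiceAccountToken is the workload-side check: algorithm pinned to RS256, key
// selected by kid, signature verified before any claim is trusted, then iss, aud and exp.
func verifyServiceAccountToken(token string, jwksJSON []byte, issuer, aud string, now time.Time) (*saClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a compact JWS")
	}
	var hdr struct{ Alg, Kid string }
	hdrRaw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejected header (alg %q)", hdr.Alg) // the token never gets to pick the algorithm
	}
	pub, err := keyForKid(jwksJSON, hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature invalid")
	}
	var c saClaims // the payload is parsed only after its signature has been verified
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("payload malformed")
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == aud
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q, want %q", c.Iss, issuer)
	case !audOK:
		return nil, fmt.Errorf("token not issued for audience %q", aud)
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// issue stands in for the API server so the example runs offline (constructed test data; a workload never
// signs): it RS256-signs the claims and returns the token plus the JWKS document that would publish the key.
func issue(priv *rsa.PrivateKey, kid string, claims saClaims) (token string, jwksJSON []byte) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	jwksJSON, _ = json.Marshal(map[string][]map[string]string{"keys": {{"kty": "RSA", "kid": kid, "alg": "RS256", "use": "sig",
		"n": b64.EncodeToString(priv.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}})
	return input + "." + b64.EncodeToString(sig), jwksJSON
}

func main() {
	const issuer = "https://kubernetes.default.svc.cluster.local" // assumed; the real value is the cluster's configured issuer
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, keys := issue(priv, "kid-1", saClaims{Iss: issuer, Sub: "system:serviceaccount:default:my-app", Aud: []string{"my-app"}, Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(verifyServiceAccountToken(tok, keys, issuer, "my-app", time.Now()))
}
```

The cases worth exercising are the negative ones: a token signed with a key that is not in the JWKS, a wrong audience or issuer, an expired token and a header with alg none must all be rejected, which is what the kid lookup, the claim checks and the pinned algorithm enforce. Fetching the JWKS in the first place still needs the permission that the 403 in the question is about; caching the document and refreshing it when an unknown kid turns up is the usual pattern.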