KubeConfig
Concept & Usage of kubeconfig
The kubeconfig file is a configuration file used to configure access to Kubernetes clusters. It is used to specify the cluster, user, and context information required to connect to a Kubernetes cluster.
Let me give you a scenario. When you do not have a kubeconfig file, you can still access the Kubernetes cluster using the kubectl command, but you have to provide the authentication details every time you run a command:

```bash
kubectl get pods \
--server=https://<cluster-ip>:<port> \
--client-certificate=<path-to-client-certificate> \
--client-key=<path-to-client-key> \
--certificate-authority=<path-to-ca-certificate>
```

This is not a good practice and it is not feasible. So, the kubeconfig file helps in this case by putting the configuration details into a file, for example a file named config.
Method 1: Using the --kubeconfig flag (not recommended)
Here is an example of what such a config file looks like:

```
--server https://<cluster-ip>:<port>
--client-certificate <path-to-client-certificate>
--client-key <path-to-client-key>
--certificate-authority <path-to-ca-certificate>
```

With this method, however, you have to pass the config file every time you run a command:

```bash
kubectl get pods --kubeconfig=config
```

So it is not recommended; instead, you should use the kubeconfig file from its default location.

Method 2: Using the kubeconfig file (recommended)
By default, kubectl looks for a file named config in the $HOME/.kube directory. The config file has the following structure:
- clusters - information about the Kubernetes clusters, like the server URL, certificate authority, etc.
- contexts - defines which user account is used to access which cluster, so you do not need to specify the user certificate or server configuration in the kubectl command. For example, you can create a context called dev@development that uses the dev user to access the development cluster.
- users - user information like the client certificate, client key, etc., where the user is the one who is accessing the cluster.
Here are the commands you can use to view the kubeconfig configuration:

```bash
kubectl config -h
kubectl config view # view the current kubeconfig configuration
kubectl config view --kubeconfig=config # view the kubeconfig configuration from the given file path
```

You can also make a kubeconfig file the default by setting the KUBECONFIG environment variable.
```bash
export KUBECONFIG=<file-path>
export KUBECONFIG=/new-kube-config
# or you can add it to the .bashrc file
echo "export KUBECONFIG=/root/my-kube-config" >> ~/.bashrc
source ~/.bashrc
```

A complete kubeconfig file with the three sections described above looks like this:

```yaml
apiVersion: v1
kind: Config
clusters:
- name: production
  cluster:
    server: https://<cluster-ip>:<port>
    certificate-authority: <path-to-ca-certificate> # normally /etc/kubernetes/pki/ca.crt
contexts:
- name: prod@production
  context:
    cluster: production
    user: prod
    namespace: prod1 # optional field: the default namespace to use
users:
- name: prod
  user:
    client-certificate: <path-to-client-certificate> # normally /etc/kubernetes/pki/apiserver-kubelet-client.crt
    client-key: <path-to-client-key> # normally /etc/kubernetes/pki/apiserver-kubelet-client.key
```

Besides, you can also specify the default context to use by setting the current-context field in the kubeconfig file.
```yaml
apiVersion: v1
kind: Config
current-context: prod@production # context name
...
```

Of course, you can change the context as well:
```bash
kubectl config use-context <context-name>
kubectl config use-context prod@production
```

There is also another option on the cluster certificate side if you do not want to use the certificate-authority field in the kubeconfig file.
```yaml
apiVersion: v1
kind: Config
clusters:
- name: production
  cluster:
    server: https://production:6443
    certificate-authority-data: <base64-encoded-ca-certificate>
```

- The certificate-authority-data field holds the base64-encoded content of the certificate authority file.
- Convert the certificate authority file content to base64-encoded format:

```bash
cat /etc/kubernetes/pki/ca.crt | base64 -w 0
```

- You can decode the base64-encoded data using the following command:

```bash
echo "<base64-encoded-ca-certificate>" | base64 -d
```
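To make the three pieces above concrete (how a context ties a user to a cluster, what current-context and use-context change, and how certificate-authority-data is decoded back into the CA file), here is an added Python example that is not part of the original page. It mirrors the page's kubeconfig YAML as a plain dict so it runs with the standard library only; the server names, file paths, the extra dev@development and broken contexts, and the PEM body are all constructed sample values.

```python
import base64
import copy

# Constructed sample CA body; a real certificate-authority file holds a full PEM certificate.
SAMPLE_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed-sample...\n-----END CERTIFICATE-----\n"

# Constructed kubeconfig with the same sections as the YAML shown above, as a dict.
# "production" embeds its CA via certificate-authority-data; "development" references a file.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "current-context": "prod@production",
    "clusters": [
        {"name": "production",
         "cluster": {"server": "https://production:6443",
                     "certificate-authority-data": base64.b64encode(SAMPLE_CA_PEM).decode()}},
        {"name": "development",
         "cluster": {"server": "https://development:6443",
                     "certificate-authority": "/etc/kubernetes/pki/ca.crt"}},
    ],
    "contexts": [
        {"name": "prod@production",
         "context": {"cluster": "production", "user": "prod", "namespace": "prod1"}},
        {"name": "dev@development",
         "context": {"cluster": "development", "user": "dev"}},
        {"name": "broken",  # constructed: refers to a cluster that is not defined
         "context": {"cluster": "staging", "user": "dev"}},
    ],
    "users": [
        {"name": "prod", "user": {"client-certificate": "/path/prod.crt", "client-key": "/path/prod.key"}},
        {"name": "dev", "user": {"client-certificate": "/path/dev.crt", "client-key": "/path/dev.key"}},
    ],
}


def _by_name(section, name):
    """Return the entry with the given name from a kubeconfig list section, or None."""
    for entry in section:
        if entry.get("name") == name:
            return entry
    return None


def resolve_context(config, context_name=None):
    """Resolve a context (default: current-context) to what kubectl would connect with:
    server URL, CA material, user credentials and the default namespace."""
    name = context_name or config.get("current-context")
    ctx = _by_name(config.get("contexts", []), name)
    if ctx is None:
        raise KeyError(f"context {name!r} not found")
    cluster = _by_name(config.get("clusters", []), ctx["context"]["cluster"])
    user = _by_name(config.get("users", []), ctx["context"]["user"])
    if cluster is None or user is None:
        raise KeyError(f"context {name!r} references a missing cluster or user")
    cinfo = cluster["cluster"]
    if "certificate-authority-data" in cinfo:
        # Embedded form: base64 text decodes back to the PEM file content.
        ca = base64.b64decode(cinfo["certificate-authority-data"])
    else:
        # File form: a path to the CA certificate on disk.
        ca = cinfo.get("certificate-authority")
    return {
        "server": cinfo["server"],
        "ca": ca,
        "user": user["user"],
        "namespace": ctx["context"].get("namespace", "default"),  # kubectl's fallback namespace
    }


def use_context(config, context_name):
    """Behave like `kubectl config use-context`: switch current-context only if the
    target exists. Returns a new config; the input is left unchanged."""
    if _by_name(config.get("contexts", []), context_name) is None:
        raise KeyError(f"context {context_name!r} not found")
    updated = copy.deepcopy(config)
    updated["current-context"] = context_name
    return updated


def dangling_contexts(config):
    """Names of contexts whose cluster or user entry does not exist in the file."""
    clusters = {c["name"] for c in config.get("clusters", [])}
    users = {u["name"] for u in config.get("users", [])}
    return [c["name"] for c in config.get("contexts", [])
            if c["context"]["cluster"] not in clusters or c["context"]["user"] not in users]


if __name__ == "__main__":
    for ctx in ("prod@production", "dev@development"):
        r = resolve_context(SAMPLE_KUBECONFIG, ctx)
        print(f"{ctx}: server={r['server']} namespace={r['namespace']}")
    print("dangling contexts:", dangling_contexts(SAMPLE_KUBECONFIG))
```

Resolving the current context returns the embedded CA as the original PEM bytes, while the file-based cluster returns only the path; the namespace falls back to "default" when the context sets none, which is what kubectl does as well.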