Docs
kubernetes
KubeConfig

KubeConfig

Concept & Usage of kubeconfig

The kubeconfig file is a configuration file used to configure access to Kubernetes clusters. It is used to specify the cluster, user, and context information required to connect to a Kubernetes cluster.

kubectl get pods \
  --server=https://<cluster-ip>:<port> \
  --client-certificate=<path-to-client-certificate> \
  --client-key=<path-to-client-key> \
  --certificate-authority=<path-to-ca-certificate> \

Let me give you a scenario. When you do not have a kubeconfig file, you can still access the Kubernetes cluster using the kubectl command, but you have to provide the authentication details every time you run a command. This is not a good practice and it is not feasible. So, the kubeconfig file will help in this case by specifying the configuration details into a file. For example, config.

Method 1: Using the --kubeconfig flag (not recommended)

config
--server https://<cluster-ip>:<port>
--client-certificate <path-to-client-certificate>
--client-key <path-to-client-key>
--certificate-authority <path-to-ca-certificate>

Here is an example of a config file looks like, but with this method, you have to specify the config file every time you run a command. So it is not recommended, instead you should use the kubeconfig file.

kubectl get pods --kubeconfig=config

Method 2: Using the kubeconfig file (recommended)

By default, kubectl looks for a file named config in the $HOME/.kube directory. The config file has the following structure:

  • clusters - information about the Kubernetes cluster, like the server URL, certificate authority, etc.
  • contexts - it defines which user account can access which cluster, so you no need to specify the user certificate or server configuration in kubectl command. For example, you create a context called dev@development that will use the dev user to access the development cluster.
  • users - user information like the client certificate, client key, etc where the user is the one who is accessing the cluster.

Here are the commands, where you can use to view the kubeconfig configuration:

kubectl config -h
kubectl config view # view the current kubeconfig configuration
kubectl config view --kubeconfig=config # view the kubeconfig configuration based on the file path
config
apiVersion: v1
kind: Config
clusters:
  - name: production
    cluster:
      server: https://<cluster-ip>:<port>
      certificate-authority: <path-to-ca-certificate> # normally is /etc/kubernetes/pki/ca.crt
contexts:
  - name: prod@production
    context:
      cluster: production
      user: prod
      namespace: prod1 # optional field: the default namespace to use
users:
  - name: prod
    user:
      client-certificate: <path-to-client-certificiate> # normally is /etc/kubernetes/pki/apiserver-kubelet-client.crt
      client-key: <path-to-client-key> # normally is /etc/kubernetes/pki/apiserver-kubelet-client.key

Besides, you can also specify the default context to use by setting the current-context field in the kubeconfig file.

config
apiVersion: v1
kind: Config
current-context: prod@production # context name
...

Of course, you can change the context as well.

kubectl config use-context <context-name>
kubectl config use-context prod@production

Now there is another option for cluster certificate side if you don't want to use certificate-authority field in the kubeconfig file.

config
apiVersion: v1
kind: Config
clusters:
  - name: production
    cluster:
      server: https://production:6443
      certificate-authority-data: <base64-encoded-ca-certificate>
  • The certificate-authority-data field is the base64-encoded certificate authority data.
    • Convert the certificate authority file content to base64-encoded format.
      • cat /etc/kubernetes/pki/ca.crt | base64 -w 0
    • You can decode the base64-encoded data using the following command.
      • echo "<base64-encoded-ca-certificate>" | base64 -d
Certificate APIAPI Groups