• KubeConfig is an authentication config file. It configures what clusters the user has access to and in what capacity. It also stores the key and certificate for TLS handshake when making calls to the kube-apiserver. The URL for the kube-apiserver is also configured in the KubeConfig.

• kubectl looks for the kube config as a file named config at location ~/.kube. If there are multiple config files at that location or the config file is not named config, we need to pass the config file in the kubectl command as kubectl get pods --kubeconfig config.yaml.

• The changes made to the KubeConfig file don’t need to be applied. They are used when the kubectl command is run.

• KubeConfig file has 3 sections:

  • Clusters - K8s clusters that the user has access to
  • Users - User accounts with which the user has access to the clusters. These user accounts may have different privilege on different clusters.
  • Contexts - Define which user account will be used to access which cluster.

  

• KubeConfig defines what user accounts have access to what clusters. It is not a configuration to create user accounts or clusters. It just defines which user account will be used by the kubectl command to access which cluster. This way we don’t have to specify these parameters in the kubectl commands.

KubeConfig file

The below KubeConfig file uses the user account admin to access the cluster playground.

<aside> 💡 Every cluster has the CA certificate specified. This lets the kubectl utility verify the certificate of the kube-apiserver during the TLS handshake.

</aside>

apiversion: v1
kind: Config

clusters:
	- name: playground
		cluster:
			certificate-authority: ca.crt
			server: <https://playground:6443>

contexts:
	- name: admin@playground
		context:
			cluster: playground
			user: admin
	
users:
	- name: admin
		user:
			client-certificate: admin.crt
			client-key: admin.key

If the KubeConfig contains multiple contexts, we need to add a current-context field to specify which context to use as default. Also, namespace can be specified in the context. This means switching to a context will switch the user to the specified namespace.

apiversion: v1
kind: Config

current-context: developer@playground

clusters:
	- name: playground
		cluster:
			certificate-authority: ca.crt
			server: <https://playground:6443>

contexts:
	- name: admin@playground
		context:
			cluster: playground
			user: admin
			namespace: accounting
	- name: developer@playground
		context:
			cluster: playground
			user: developer
			namespace: finance
	
users:
	- name: admin
		user:
			client-certificate: admin.crt
			client-key: admin.key
	- name: developer
		user:
			client-certificate: developer.crt
			client-key: developer.key

Certificates can also be specified as base64 encoded text instead of the .crt file.

apiversion: v1
kind: Config

clusters:
	- name: playground
		cluster:
			certificate-authority-data: <base64-encoded-certificate>
			server: <https://playground:6443>

contexts:
	- name: admin@playground
		context:
			cluster: playground
			user: admin
	
users:
	- name: admin
		user:
			client-certificate-data: <base64-encoded-certificate>
			client-key: admin.key

Commands

• View KubeConfig file - k config view
• Update the current context in KubeConfig - k config use-context <context-name>
• Pass a KubeConfig file in a kubectl command - kubectl get pods --kubeconfig config.yaml

<aside> 💡 Explore other k config commands

</aside>