KubeConfig

Concept and usage

The kubeconfig file configures access to Kubernetes clusters by specifying cluster, user, and context information. Without it, you must supply authentication details on every kubectl command:

kubectl get pods \
  --server=https://<cluster-ip>:<port> \
  --client-certificate=<path-to-client-certificate> \
  --client-key=<path-to-client-key> \
  --certificate-authority=<path-to-ca-certificate>

The kubeconfig file avoids this repetition by storing the configuration.

Methods

kubeconfig flag (not recommended)
kubeconfig file (recommended)

Create a plain-text config file:

config

--server https://<cluster-ip>:<port>
--client-certificate <path-to-client-certificate>
--client-key <path-to-client-key>
--certificate-authority <path-to-ca-certificate>

Then reference it on every command:

kubectl get pods --kubeconfig=config

This is not recommended because you must specify the config file on every command.

By default, kubectl looks for a file named config in $HOME/.kube/. The file has three sections:

clusters — information about the Kubernetes cluster (server URL, certificate authority, etc.)
contexts — maps a user to a cluster; defines which user account accesses which cluster
users — user credentials (client certificate, client key, etc.)

config

apiVersion: v1
kind: Config
clusters:
  - name: production
    cluster:
      server: https://<cluster-ip>:<port>
      certificate-authority: <path-to-ca-certificate>  # typically /etc/kubernetes/pki/ca.crt
contexts:
  - name: prod@production
    context:
      cluster: production
      user: prod
      namespace: prod1  # optional: default namespace for this context
users:
  - name: prod
    user:
      client-certificate: <path-to-client-certificate>  # typically /etc/kubernetes/pki/apiserver-kubelet-client.crt
      client-key: <path-to-client-key>                  # typically /etc/kubernetes/pki/apiserver-kubelet-client.key

Viewing and switching contexts

kubectl config -h
kubectl config view                           # view current kubeconfig
kubectl config view --kubeconfig=config       # view a specific kubeconfig file

kubectl config use-context <context-name>     # switch active context
kubectl config use-context prod@production

To set the default context in the file:

config

apiVersion: v1
kind: Config
current-context: prod@production
...

Setting a default kubeconfig file

export KUBECONFIG=<file-path>
export KUBECONFIG=/new-kube-config

# Or persist it in .bashrc
echo "export KUBECONFIG=/root/my-kube-config" >> ~/.bashrc
source ~/.bashrc

Using base64-encoded certificate data

Instead of pointing to a certificate file with certificate-authority, you can embed the certificate data directly as base64:

config

apiVersion: v1
kind: Config
clusters:
  - name: production
    cluster:
      server: https://production:6443
      certificate-authority-data: <base64-encoded-ca-certificate>

# Encode the CA certificate to base64
cat /etc/kubernetes/pki/ca.crt | base64 -w 0

# Decode base64-encoded data
echo "<base64-encoded-ca-certificate>" | base64 -d

Overview

Docker

Git

Kubernetes

Kubernetes Scheduling

Kubernetes Observability

Kubernetes Cluster Maintenance

Kubernetes Security

Linux

SSH

Ansible

Taskfile

Python OOP

Data Structures & Algorithms

12-Factor App

Concept and usage

Methods

Viewing and switching contexts

Setting a default kubeconfig file

Using base64-encoded certificate data

Build docs developers (and LLMs) love

Overview

Docker

Git

Kubernetes

Kubernetes Scheduling

Kubernetes Observability

Kubernetes Cluster Maintenance

Kubernetes Security

Linux

SSH

Ansible

Taskfile

Python OOP

Data Structures & Algorithms

12-Factor App

​Concept and usage

​Methods

​Viewing and switching contexts

​Setting a default kubeconfig file

​Using base64-encoded certificate data

Build docs developers (and LLMs) love

Concept and usage

Methods

Viewing and switching contexts

Setting a default kubeconfig file

Using base64-encoded certificate data