Kubernetes Security 101 : The kubeconfig file



A user can connect to the Kubernetes cluster named "kubernetes cluster" using a private key and certificate files:


The files user.key, user.crt and ca.crt are the user's private key, the user's certificate and the Certificate Authority (CA) certificate respectively. The API server authenticates the user from the certificate presented with that key, and ca.crt lets the client verify that it is talking to the genuine API server.

We can send the same information in a request to the API server ourselves, for example to list the services (svc) running on the cluster:
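As an added example (not the original post's commands), here is the same client-certificate authentication written out twice: once with the three files passed to kubectl on the command line, once as the equivalent HTTPS request with curl. The server address, the certificate directory and the script name are assumed; a small check first refuses to run if any file is missing or if the private key is readable by other users.

```shell
#!/bin/sh
# Added example, not from the original post. The same client-certificate
# credentials passed explicitly to kubectl and to curl. API_SERVER and
# CERT_DIR are assumed values; point them at your own cluster and files.
API_SERVER="${API_SERVER:-https://192.168.56.10:6443}"
CERT_DIR="${CERT_DIR:-$HOME/certs}"

# check_certs: all three PEM files must be readable, and the private key must
# not be readable by group or others. Returns 0 when both conditions hold.
check_certs() {
  for f in user.key user.crt ca.crt; do
    [ -r "$CERT_DIR/$f" ] || { echo "missing or unreadable: $CERT_DIR/$f" >&2; return 1; }
  done
  # columns 5-10 of `ls -l` output are the group/other permission bits
  perms=$(ls -ld "$CERT_DIR/user.key" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "user.key is readable by others ($perms); chmod 600 it" >&2; return 1; }
}

# kubectl with no kubeconfig: server address and the three files on the command line.
kubectl_get_svc() {
  check_certs || return 1
  kubectl --server="$API_SERVER" \
          --certificate-authority="$CERT_DIR/ca.crt" \
          --client-certificate="$CERT_DIR/user.crt" \
          --client-key="$CERT_DIR/user.key" \
          get svc --all-namespaces
}

# The same request as a raw HTTPS call: mutual TLS with the user cert and key,
# and the cluster CA to verify the server. /api/v1/services lists services in
# all namespaces; /api/v1/namespaces/default/services would limit it to one.
curl_get_svc() {
  check_certs || return 1
  curl --silent --show-error --fail \
       --cacert "$CERT_DIR/ca.crt" \
       --cert "$CERT_DIR/user.crt" \
       --key "$CERT_DIR/user.key" \
       "$API_SERVER/api/v1/services"
}

# Dispatcher so the script can be run directly: `sh get_svc.sh curl|kubectl`
case "${1:-}" in
  kubectl) kubectl_get_svc ;;
  curl)    curl_get_svc ;;
esac
```

Run it as `sh get_svc.sh curl` or `sh get_svc.sh kubectl` after exporting API_SERVER and CERT_DIR (the file name is assumed). The permission check matters because user.key is the credential: anyone who can read it can act as that user against the cluster.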


Using a kubeconfig file:

Instead of typing all of the above information every time we send a request to the API server, we can put it in a file and pass that file to our command.
That file is called the "kubeconfig" file.


By default the file is located at $HOME/.kube/config, i.e. "~/.kube/config".
If we don't specify a path for the config file, kubectl uses this default one.

Kubeconfig file elements:

The kubeconfig file consists of three elements:
  • Clusters : the list of the different Kubernetes clusters you want to access.
  • Users : the different accounts used to access those clusters.
  • Contexts : a context is a pair made up of a user account and a cluster name.
For example, we can create a context for an "admin" user accessing a "test" cluster, or one for a "developer" user accessing a "development" cluster.

The kubeconfig Yaml file:

Below is an example of a YAML configuration file:


In the file above we can see the field current-context, which is the default context to use.
We can add entries for other users, contexts or clusters.
This is the file read by the kubectl command in our earlier example.

According to the config file above, the kubectl command will use the user "user" to access the "kubernetes_cluster" cluster.

Displaying a config file:

To display the config file, we use the command:


If we don't specify a context to use, kubectl uses the default one, i.e. the current-context from the file.
We can also pass the config file name to the kubectl command:


Switching contexts:

If we have several contexts, we can switch to another one using the command below:
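To make the three elements concrete, here is an added example (not the original post's file or commands) that builds a small kubeconfig in plain YAML, resolves its current-context to a user, a cluster and a server address the way kubectl does, and switches contexts by rewriting current-context. It serves the kubeconfig YAML file section above as well as the display and switch commands. The cluster name, user names, server address, certificate paths and script name are assumed values; the parsing is plain sh and awk so it runs without a cluster, and kubectl is invoked only if it is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names and paths throughout.

# write_sample_kubeconfig FILE: write a constructed kubeconfig with the three
# elements (clusters, users, contexts) plus current-context.
write_sample_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: /home/user/certs/ca.crt
    server: https://192.168.56.10:6443
  name: kubernetes_cluster
users:
- name: user
  user:
    client-certificate: /home/user/certs/user.crt
    client-key: /home/user/certs/user.key
- name: admin
  user:
    client-certificate: /home/admin/certs/admin.crt
    client-key: /home/admin/certs/admin.key
contexts:
- context:
    cluster: kubernetes_cluster
    user: user
  name: user@kubernetes_cluster
- context:
    cluster: kubernetes_cluster
    user: admin
  name: admin@kubernetes_cluster
current-context: user@kubernetes_cluster
EOF
}

# current_context FILE: the context kubectl uses when none is given.
current_context() {
  sed -n 's/^current-context:[[:space:]]*//p' "$1"
}

# kcfg_get FILE SECTION NAME FIELD: inside SECTION (clusters, contexts or
# users) find the list entry named NAME and print FIELD, e.g.
#   kcfg_get cfg contexts user@kubernetes_cluster cluster
# This mirrors how kubectl resolves a context to its cluster and user.
kcfg_get() {
  awk -v sec="$2" -v want="$3" -v field="$4" '
    function flush() { if (n == want && v != "") print v; n = ""; v = "" }
    /^[A-Za-z-]+:/ { flush(); s = $1; sub(/:$/, "", s); insec = (s == sec); next }
    !insec || /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^- / { flush(); $0 = substr($0, 3) }
    {
      sub(/^[ \t]+/, "")
      i = index($0, ":"); if (i == 0) next
      k = substr($0, 1, i - 1); val = substr($0, i + 1); sub(/^[ \t]+/, "", val)
      if (k == "name") n = val; else if (k == field) v = val
    }
    END { flush() }
  ' "$1"
}

# describe_context FILE [CONTEXT]: print "user cluster server" for CONTEXT
# (default: current-context), the three things every API request needs.
describe_context() {
  ctx="${2:-$(current_context "$1")}"
  u=$(kcfg_get "$1" contexts "$ctx" user)
  c=$(kcfg_get "$1" contexts "$ctx" cluster)
  [ -n "$u" ] && [ -n "$c" ] || { echo "context '$ctx' not found in $1" >&2; return 1; }
  echo "$u $c $(kcfg_get "$1" clusters "$c" server)"
}

# use_context FILE CONTEXT: what `kubectl config use-context` does to the
# file (rewrite current-context), refusing names that do not exist.
use_context() {
  [ -n "$(kcfg_get "$1" contexts "$2" cluster)" ] || { echo "no such context: $2" >&2; return 1; }
  sed -i.bak "s|^current-context:.*|current-context: $2|" "$1" && rm -f "$1.bak"
}

# Stand-alone demo on a temporary file.
cfg=$(mktemp)
write_sample_kubeconfig "$cfg"
echo "current-context: $(current_context "$cfg")"
echo "resolves to (user cluster server): $(describe_context "$cfg")"
use_context "$cfg" admin@kubernetes_cluster
echo "after switch: $(describe_context "$cfg")"
if command -v kubectl >/dev/null 2>&1; then
  kubectl --kubeconfig="$cfg" config get-contexts   # same data as listed by kubectl
  kubectl --kubeconfig="$cfg" config view            # prints the file
fi
rm -f "$cfg"
```

Run it as `sh kubeconfig_demo.sh` (file name assumed). With a real cluster, `kubectl config view` prints the merged config (embedded key data is redacted unless --raw is given), `kubectl config get-contexts` lists the contexts and stars the current one, `kubectl config use-context NAME` switches, and `kubectl --kubeconfig=PATH ...` or the KUBECONFIG environment variable selects a file other than ~/.kube/config.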


Remarks:
  • A context can also carry a namespace, which becomes the default namespace for commands run in that context.
  • On the control-plane node, the cluster certificates live in "/etc/kubernetes/pki".
