
Understanding the Kubeconfig file
When we build a Kubernetes cluster, we also need an administration tool outside it that lets us communicate with the cluster to carry out administrative actions. For that we install the Kubernetes client application, kubectl, on a computer outside the cluster. Behind this client is a kubeconfig file that kubectl uses to communicate with the Kubernetes cluster (specifically with its API server).
This kubeconfig file organizes information about the cluster(s) that kubectl communicates with, such as cluster names, namespaces, users, and authentication methods.
First, note that there is no file actually called “kubeconfig”; any file used to configure access to a Kubernetes cluster is referred to as a kubeconfig. By default this file is located in the user’s $HOME/.kube directory and is named just “config”. To use a kubeconfig file other than the default, set its path in the KUBECONFIG environment variable.
You can use multiple config files and have kubectl use them all at once by specifying all of them in the KUBECONFIG environment variable (separate them with a colon).
A typical kubeconfig file looks as shown below:
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://kubernetes.docker.internal
  name: docker-desktop
users:
- name: docker-desktop
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
contexts:
- context:
    cluster: docker-desktop
    user: docker-desktop
  name: docker-desktop
current-context: docker-desktop
preferences: {}
There are four sections in the file:
1. Clusters
2. Users
3. Contexts
4. Current Context
Let’s go through them one by one.
Clusters
The Clusters section contains a list of cluster objects. It holds information about one or more clusters the user operates on with this kubeconfig file. Each cluster entry includes details about the server, such as the URL of the API server, the certificate authority (CA) file and one of the possible authentication modes.
The certificate-authority-data field contains PEM-encoded certificate authority certificates; alternatively, the certificate can be stored in a separate file and referenced from the kubeconfig file.
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://kubernetes.docker.internal
Users
The Users section is a list of user objects that hold information about the different users of the clusters and their authentication details.
Each user defines the credentials to use when talking to an API server. Users can authenticate in the following ways:
Certificates
The certificate and key can be included in the kubeconfig file as shown below (client-certificate-data and client-key-data properties) or stored in separate files and referenced in the config file.
users:
- name: admin
  user:
    client-certificate-data: <base64 encoded client cert data>
    client-key-data: <base64 encoded client key>
Authentication tokens
users:
- name: admin
  user:
    token: >-
      dGhpcyBpcyBhIHJhbmRvbSBzZW5ZW5jZSBaGFIGlzIGJhcUgZW5jbR
Contexts
Contexts are a list of context objects, and each context is a triplet: a combination of a cluster, a user and a namespace.
contexts:
- context:
    cluster: production
    namespace: live
    user: admin
  name: production-admin
In the above example, the context production-admin means: use the credentials of the admin user to access the live namespace of the production cluster. The cluster and user objects must be defined under their respective sections of this kubeconfig so that the context can refer to them successfully.
Current Context
While there can be multiple contexts defined in the kubeconfig file, at any given time only one of them is the current context. So, when you run kubectl commands, the cluster, user, and namespace defined in the kubeconfig’s current context are used.
Also, you can change the default context at any time by issuing the following command:
$ kubectl config use-context my-other-context
This switches the current context to “my-other-context”.
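As an added example (not part of the original article), the Python code below resolves a context to the cluster, user and namespace it names, and reports users whose secrets are embedded in the file as well as contexts that point at undefined entries. It assumes the kubeconfig is in JSON form, which kubectl also reads and which `kubectl config view --raw -o json` prints; the function names and all sample values are constructed for illustration.

```python
import json

# Constructed sample kubeconfig in JSON form; every value is a placeholder.
SAMPLE = json.loads("""
{"apiVersion": "v1", "kind": "Config", "current-context": "production-admin",
 "clusters": [{"name": "production",
               "cluster": {"server": "https://k8s.example.invalid",
                           "certificate-authority": "/etc/kube/ca.crt"}}],
 "users": [{"name": "admin", "user": {"token": "CONSTRUCTED-PLACEHOLDER"}},
           {"name": "dev", "user": {"client-certificate": "/home/dev/dev.crt",
                                    "client-key": "/home/dev/dev.key"}}],
 "contexts": [{"name": "production-admin",
               "context": {"cluster": "production", "namespace": "live", "user": "admin"}},
              {"name": "staging-dev",
               "context": {"cluster": "staging", "user": "dev"}}]}
""")

# User fields that put the secret itself inside the kubeconfig file.
INLINE_SECRETS = ("client-key-data", "token")

def _by_name(cfg, section, key):
    """Index a list section ('clusters', 'users', 'contexts') by entry name."""
    return {e["name"]: e.get(key) or {} for e in cfg.get(section) or []}

def resolve_context(cfg, name=None):
    """Return (server, user, namespace) for a context; default is current-context."""
    name = name or cfg.get("current-context")
    ctx = _by_name(cfg, "contexts", "context").get(name)
    if ctx is None:
        raise KeyError(f"context {name!r} is not defined")
    clusters, users = _by_name(cfg, "clusters", "cluster"), _by_name(cfg, "users", "user")
    if ctx.get("cluster") not in clusters or ctx.get("user") not in users:
        raise KeyError(f"context {name!r} refers to an undefined cluster or user")
    # kubectl falls back to the "default" namespace when the context names none.
    return clusters[ctx["cluster"]].get("server"), ctx["user"], ctx.get("namespace", "default")

def audit(cfg):
    """List users with embedded secrets and contexts that cannot be resolved."""
    findings = []
    for user, fields in _by_name(cfg, "users", "user").items():
        findings += [f"user {user}: inline {k}" for k in INLINE_SECRETS if k in fields]
    for ctx in _by_name(cfg, "contexts", "context"):
        try:
            resolve_context(cfg, ctx)
        except KeyError:
            findings.append(f"context {ctx}: dangling reference")
    return findings
```

A file that reports inline secrets is itself a credential, so it deserves the same file permissions and handling as a private key.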
Conclusion
This way, a kubeconfig file makes it easier to access multiple clusters by declaring information about clusters, users, namespaces, and authentication mechanisms.