This document breaks down the kubeconfig file into 5 sections:
1. apiVersion: v1
This field indicates that the kubeconfig structure conforms to the Kubernetes v1 API specification.
All kubeconfig files use this API version.
2. clusters:
This section describes how to reach the Kubernetes API server.
Example entry:
name: kubernetes
The cluster name within the kubeconfig file. This name does not need to match the actual cluster name; it is a logical identifier used within the kubeconfig file.
server: https://172.31.66.87:6443
This specifies the Kubernetes API Server endpoint.
IP address: 172.31.66.87
Port: 6443 (default API server port)
All kubectl commands are directed to this server.
certificate-authority-data: DATA+OMITTED
This field contains the CA certificate (base64 encoded). It ensures:
The client can trust the Kubernetes API server
Protection against man-in-the-middle attacks
TLS verification
The equivalent file is typically located at:
This CA signs:
apiserver.crt
kubelet client certs
admin certificates
3. users:
This section describes how the client (kubectl, Lens, scripts) authenticates to the cluster.
Example entry:
name: kubernetes-admin
This is the local name of the user in the kubeconfig file.
This name is not sent to Kubernetes; it serves as a local identifier.
client-certificate-data
This field contains the user certificate (base64 encoded). The certificate contains the following identity information:
The O=system:masters field indicates that this user is a cluster super-admin with full access privileges.
client-key-data
This field contains the private key for the above certificate.
Together, the certificate and key establish the user identity.
This enables kubectl to authenticate cryptographically with the API server.
4. contexts:
A context binds together:
Example entry:
cluster: kubernetes
References the cluster defined earlier under clusters:.
user: kubernetes-admin
References the user defined under users:.
name: kubernetes-admin@kubernetes
This is the context name used when switching contexts:
5. current-context
This field defines which context is currently active:
This configuration means:
Use the kubernetes cluster
Use the kubernetes-admin user
Apply all permissions granted to this user
This is the context that kubectl uses by default unless overridden.
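The lookup that sections 2 to 5 describe (current-context selects a context, which names a cluster and a user), as an added example that is not code from the original page. It assumes the kubeconfig is read as JSON, which kubectl also accepts; resolve, audit and the SAMPLE data are names and values constructed for illustration, and the credential fields hold placeholders.

```python
import json

# Constructed sample using the page's names; credential fields are placeholders.
SAMPLE = json.loads("""
{
  "apiVersion": "v1",
  "clusters": [{"name": "kubernetes", "cluster": {
      "server": "https://172.31.66.87:6443",
      "certificate-authority-data": "DATA+OMITTED"}}],
  "users": [{"name": "kubernetes-admin", "user": {
      "client-certificate-data": "DATA+OMITTED",
      "client-key-data": "DATA+OMITTED"}}],
  "contexts": [{"name": "kubernetes-admin@kubernetes", "context": {
      "cluster": "kubernetes", "user": "kubernetes-admin"}}],
  "current-context": "kubernetes-admin@kubernetes"
}
""")

def _find(cfg, section, key, name):
    """Return the body of the named entry in clusters/users/contexts."""
    for entry in cfg.get(section) or []:
        if entry.get("name") == name:
            return entry.get(key) or {}
    raise KeyError(f"{section}: no entry named {name!r}")

def resolve(cfg, context=None):
    """Follow current-context -> context -> (cluster, user)."""
    name = context or cfg.get("current-context")
    if not name:
        raise KeyError("current-context is not set")
    ctx = _find(cfg, "contexts", "context", name)
    cluster = _find(cfg, "clusters", "cluster", ctx.get("cluster"))
    user = _find(cfg, "users", "user", ctx.get("user"))
    return name, cluster, user

def audit(cfg, context=None):
    """Return findings a reviewer would note for the resolved context."""
    _, cluster, user = resolve(cfg, context)
    findings = []
    if not str(cluster.get("server") or "").startswith("https://"):
        findings.append("server is not an https:// endpoint")
    if cluster.get("insecure-skip-tls-verify"):
        findings.append("TLS verification is disabled")
    elif not (cluster.get("certificate-authority-data")
              or cluster.get("certificate-authority")):
        findings.append("no cluster CA pinned in the kubeconfig")
    if user.get("client-key-data"):
        findings.append("private key is embedded in the file")
    return findings
```

To run it on a real file, pass audit the parsed output of kubectl config view --raw -o json.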
Putting It All Together: How kubectl Authenticates