LAB02b: Deep Dive into Kubeconfig, Client Certificate & Server Certificate

LAB OBJECTIVE

You will learn:

✔ Where kubeconfig files are stored

✔ How to view kubeconfig structure

✔ How to extract client cert & private key

✔ How to decode the client certificate

✔ How to check Kubernetes API server certificate

✔ How to find Subject, Issuer, SAN

✔ How Kubernetes verifies TLS connections

This is essential knowledge for:

troubleshooting kubectl
integrating Lens
adding remote clusters
fixing TLS errors
understanding Kubernetes authentication

LAB 1 — Locate and View Kubeconfig

Step 1: Check where kubectl is reading kubeconfig from

kubectl config view

Step 2: Show path

echo $KUBECONFIG

If empty, default is:

~/.kube/config

Step 3: View cluster info in kubeconfig

kubectl config view --minify

LAB 2 — View the Entire Kubeconfig File

cat ~/.kube/config

Look for:

clusters:
users:
contexts:
current-context:

LAB 3 — Extract the Client Certificate from kubeconfig

Your kubeconfig contains:

client-certificate-data: BASE64....
client-key-data: BASE64...

Step 1: Extract client certificate

kubectl config view --raw -o jsonpath='{.users[0].user.client-certificate-data}' \
| base64 -d > client.crt

Step 2: Extract client private key

kubectl config view --raw -o jsonpath='{.users[0].user.client-key-data}' \
| base64 -d > client.key

LAB 4 — Decode Client Certificate and Inspect Identity

Step 1: View certificate info

openssl x509 -in client.crt -noout -text

Output will show:

Subject CN (user name)
O (group)
Issuer (Kubernetes CA)
Validity (expiry date)
Public Key
Extensions

Expected Example:

Subject: O=system:masters, CN=kubernetes-admin
Issuer: CN=kubernetes

Meaning:

CN = user identity inside Kubernetes
O = group, e.g., system:masters → full admin

LAB 5 — Verify Client Key Matches the Certificate

openssl rsa -in client.key -pubout | openssl md5
openssl x509 -in client.crt -pubkey -noout | openssl md5

Both must match.

This validates the cert-key pair.

LAB 6 — Extract the Kubernetes Cluster CA Certificate

Your kubeconfig has:

certificate-authority-data:

Extract it:

kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' \
| base64 -d > ca.crt

View it:

openssl x509 -in ca.crt -noout -text

Look for:

Subject: CN=kubernetes

This is the Kubernetes CA.

LAB 7 — Check Kubernetes API Server Certificate (Server Cert)

The Kubernetes API server certificate is located at:

/etc/kubernetes/pki/apiserver.crt

View full certificate:

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text

Important fields:

✔ Subject CN

Subject: CN=kube-apiserver

✔ SAN (Subject Alternative Names)

X509v3 Subject Alternative Name:
    IP Address: 10.96.0.1
    IP Address: <Control Plane IP>
    DNS: kubernetes
    DNS: kubernetes.default
    DNS: kubernetes.default.svc

These SAN entries must include:

cluster IP
internal DNS names
external hostname (if used)

If SAN is missing → kubectl/Lens will give x509 unknown certificate or tls server name errors.

LAB 8 — Compare Client → Server → CA trust chain

Check if server certificate is signed by CA:

openssl verify -CAfile /etc/kubernetes/pki/ca.crt /etc/kubernetes/pki/apiserver.crt

Expected result:

/etc/kubernetes/pki/apiserver.crt: OK

If failed → certificate mismatch → cluster broken.

LAB 9 — Verify kubectl Connectivity using TLS Debug Mode

Use curl to test API server:

curl -v --cacert ca.crt https://<API-SERVER-IP>:6443

You should see:

HTTP/2 401
"Unauthorized"

This means TLS OK, but no token/cert provided.

LAB 10 — Check Who You Are Inside the Cluster

kubectl auth whoami

Expected:

kubernetes-admin
system:masters

LAB 11 — Check RBAC Permissions Based on Certificate Identity

Example:

kubectl auth can-i create pods
kubectl auth can-i delete nodes

As system:masters:

yes
yes

BONUS LAB — Export kubeconfig for Lens

Verify kubeconfig is valid:

kubectl config view --raw > clean-kubeconfig.yaml

Lens uses:

cluster.server
certificate-authority-data
client-certificate-data
client-key-data

This lab helps troubleshoot Lens issues like:

unable to verify certificate
tls-server-name mismatch

PreviousBLOG02d: KUBECONFIG Detailed Breakdown NextLAB02c: Create a New Kubernetes User Using Certificate Authentication

Last updated 1 month ago

Good night

hashtagLAB OBJECTIVE

hashtag✔ Where kubeconfig files are stored

hashtag✔ How to view kubeconfig structure

hashtag✔ How to extract client cert & private key

hashtag✔ How to decode the client certificate

hashtag✔ How to check Kubernetes API server certificate

hashtag✔ How to find Subject, Issuer, SAN

hashtag✔ How Kubernetes verifies TLS connections

hashtagLAB 1 — Locate and View Kubeconfig

hashtagStep 1: Check where kubectl is reading kubeconfig from

hashtagStep 2: Show path

hashtagStep 3: View cluster info in kubeconfig

hashtagLAB 2 — View the Entire Kubeconfig File

hashtagLAB 3 — Extract the Client Certificate from kubeconfig

hashtagStep 1: Extract client certificate

hashtagStep 2: Extract client private key

hashtagLAB 4 — Decode Client Certificate and Inspect Identity

hashtagStep 1: View certificate info

hashtagOutput will show:

hashtagExpected Example:

hashtagMeaning:

hashtagLAB 5 — Verify Client Key Matches the Certificate

hashtagLAB 6 — Extract the Kubernetes Cluster CA Certificate

hashtagLAB 7 — Check Kubernetes API Server Certificate (Server Cert)

hashtagView full certificate:

hashtag✔ Subject CN

hashtag✔ SAN (Subject Alternative Names)

hashtagLAB 8 — Compare Client → Server → CA trust chain

hashtagCheck if server certificate is signed by CA:

hashtagLAB 9 — Verify kubectl Connectivity using TLS Debug Mode

hashtagLAB 10 — Check Who You Are Inside the Cluster

hashtagLAB 11 — Check RBAC Permissions Based on Certificate Identity

hashtagBONUS LAB — Export kubeconfig for Lens