What the heck is Kubeconfig anyway?
When interacting with a SQL database such as Postgres, for example, developers often need the so called Connection String
, which is a string that contains all the information needed to connect to the database. This includes the database host, port, username, password, and so on. All this information is often stored in a single string, which is then used by the application to connect to the database.
Kubeconfig is sort of a connection string, but for Kubernetes clusters. It contains all the information needed to connect to a Kubernetes cluster, including the cluster host, port, authentication method, and so on.
However, unlike the connection string, Kubeconfig is a file. It's often stored in the ~/.kube/config
file and it's used by pretty much all Kubernetes tools, such as kubectl and Aptakube.
Let's take a look at a Kubeconfig file
apiVersion: v1
kind: Config
current-context: minikube
clusters:
- cluster:
certificate-authority: /Users/goenning/.minikube/ca.crt
server: https://127.0.0.1:51171
name: minikube-local
contexts:
- context:
cluster: minikube-local
namespace: default
user: admin
name: minikube
users:
- name: admin
user:
client-certificate: /Users/goenning/.minikube/profiles/minikube/client.crt
client-key: /Users/goenning/.minikube/profiles/minikube/client.key
This is a Kubeconfig file generated by Minikube, which is a tool that creates a single-node Kubernetes cluster on your local machine. It's a great tool for learning Kubernetes and for developing applications locally.
Each kubeconfig file contains three main sections: clusters
, contexts
, and users
. These sections are defined as an array of objects because you can have multiple clusters, contexts, and users in a single kubeconfig file. However, when working with multiple clusters it's often recommended to keep a separate kubeconfig file for each cluster, or at least group some clusters together in a single kubeconfig file based on whatever they have in common.
The context
is what links the cluster
and the user
together. Every operation you perform in Kubernetes is done in a context, which is why kubectl
has a --context
parameter for you to specific which cluster you want to interact with.
The cluster
object defines where the cluster is located (server) and what client certificate (certificate-authority) to use during the SSL handshake. This section may also contain other settings such as proxy-url
in cases where the cluster can only be accessed through a proxy.
The user
object defines the authentication method to be used when connecting to the cluster. In this case, the user is using a client certificate, which is a common authentication method for local clusters.
Using the Kubeconfig file with kubectl
When using kubectl (or any other Kubernetes tool), by default it will look for the kubeconfig file in the ~/.kube/config
path. However, you can specify a different path using the --kubeconfig
parameter or the KUBECONFIG
environment variable. Here are some examples:
kubectl get pods # uses ~/.kube/config
kubectl get pods --kubeconfig /path/to/kubeconfig # uses config from /path/to/kubeconfig
KUBECONFIG=/path/to/kubeconfig kubectl get pods # same as above
In case you have multiple clusters in your kubeconfig file, you can use the --context
parameter to specify which cluster you want to interact with:
kubectl get pods --context prod-europe # uses the prod-europe context from the ~/.kube/config
kubectl get pods --context prod-europe --kubeconfig /path/to/kubeconfig # uses the prod-europe context from /path/to/kubeconfig
Setting the --kubeconfig
parameter on every command is tedious, so you can also set the KUBECONFIG
environment variable to point to the kubeconfig file you want to use. This is especially useful when you have multiple kubeconfig files that you interact with constantly.
If you're on macOS or Linux, you can set the KUBECONFIG on your shell profile (e.g. ~/.bash_profile
or ~/.zshrc
) so that it's always available on future shell session and you don't have to set it manually every time.
Here's a cheat sheet with some useful context related commands:
kubectl config get-contexts # display list of contexts
kubectl config current-context # display the current-context
kubectl config use-context prod-europe # set the default context to my-cluster-name
kubectl config use-context
basically modifies your Kubeconfig file and sets the current-context
to the one you specified. This is useful when you want to switch between contexts without having to specify the --context
parameter every time.
Authentication and Security
Last topic we'd like to cover is related to how to keep your Kubeconfig file secure. The Kubeconfig file may contain sensitive information such as tokens and private keys, so it's important to keep it safe. However, the the best option to protect your cluster is by not having any sensitive information in your Kubeconfig file.
Authentication is where things can get tricky. There are many ways to authenticate to a Kubernetes cluster, and some of them are more secure than others. Some popular ones are:
- Token: This is by far the worst authentication method in terms of security. If you Kubeconfig gets leaked, unless you've got some other network protection, anyone can use the token to access your cluster. Avoid using this for any important cluster, but it's generally OK to use on local clusters for testing/development purposes.
- Client Certificate: This is somewhat similar to a token, however it can slightly safer if the content of the certificate is usually stored in a separate file. So even if the Kubeconfig gets leaker, the attacked might not have got access to the certificates.
- Exec Plugins: This is what most cloud providers and managed Kubernetes services would recommend you to use. It's essentially an extension of Kubeconfig to use external CLI tools (such as the aws CLI, az CLI or gcloud CLI) to perform the authentication using a cloud-based IAM mechanism. This is the most secure authentication method because it doesn't require any sensitive information to be stored in the Kubeconfig file. However, it's also the most complex one to setup as it requires additional knowledge of each cloud provider and how to use their CLI tools.
Connecting to multiple clusters simultaneously
When working with multiple Kubernetes clusters, it might be useful to connect to more than one cluster at the same time so you can see the status of your application across multiple clusters in one view. This is especially useful when you're running an application across different regions or even multi-cloud.
Aptakube is GUI application for Kubernetes that uses the same Kubeconfig files we mentioned above and can connect to multiple clusters at the same time. It essentially presents all your Kubernetes resources as if it was a single clusters. We invite you to try it out free today 😊
Top comments (0)