In a cluster with TLS enabled, every request to the API server must be authenticated. The two simplest and most common authentication methods are a kubeconfig file (that is, client certificates) and tokens.
Take kubectl as an example to introduce the kubeconfig configuration. kubectl is just an executable program written in Go; it can be used from any node in the cluster as long as an appropriate kubeconfig is configured for it. By default kubectl looks for a file named config in the $HOME/.kube directory; you can also point it at another kubeconfig file by setting the KUBECONFIG environment variable or by passing the --kubeconfig flag.
In summary, a kubeconfig is the configuration used to access a cluster.
```bash
export KUBE_APISERVER="https://172.20.0.113:6443"

# set cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER}

# set client authentication parameters
kubectl config set-credentials admin \
  --client-certificate=/etc/kubernetes/ssl/admin.pem \
  --embed-certs=true \
  --client-key=/etc/kubernetes/ssl/admin-key.pem

# set context parameters
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=admin

# set the default context
kubectl config use-context kubernetes
```
The generated kubeconfig is saved to the ~/.kube/config file; it describes three things: the cluster, the user, and the context.
Cluster parameters
This section sets the information for the cluster you need to access. set-cluster registers the cluster to be accessed, here named kubernetes; --certificate-authority specifies the cluster's CA certificate, which kubectl uses to verify the kube-apiserver's serving certificate; --embed-certs=true means the CA certificate is written (base64-encoded) into the kubeconfig itself instead of being referenced by file path; --server is the address of the cluster's kube-apiserver.
User parameters
This section sets the user's information, mainly the user's certificate. Above, the user is named admin, the certificate is /etc/kubernetes/ssl/admin.pem and the private key is /etc/kubernetes/ssl/admin-key.pem. Note that the client certificate must be signed by the cluster's CA, otherwise the kube-apiserver will not accept it. Because --embed-certs=true copies the private key into the kubeconfig, the file must be protected like a key (readable only by its owner, never committed to a repository). This is the X.509 client certificate authentication method; token authentication can also be used, for example the kubelet TLS bootstrapping mechanism, which bootstraps using a bootstrap token.
Context Parameters
Several cluster entries and user entries can be defined at the same time; a context ties one cluster entry to one user entry. The context above is named kubernetes, its cluster is kubernetes and its user is admin, so admin's credentials are used to access the default namespace of the kubernetes cluster; add --namespace to set-context to specify the namespace the context should use.
Finally, kubectl config use-context kubernetes selects the context named kubernetes as the current one. If several contexts are configured, you can access different clusters by switching between context names.
Note
When using a kubeconfig, also note that the user must be authorized (for example via RBAC). In the example above, the user's certificate carries system:masters in the Organization (O) field of its subject; kube-apiserver takes the CN of a client certificate as the user name and its O fields as the user's groups. The ClusterRoleBinding cluster-admin predefined by kube-apiserver binds the group system:masters to the ClusterRole cluster-admin, which grants permission to call every kube-apiserver API. Keep in mind that kube-apiserver does not check certificate revocation lists, so such a certificate remains valid until it expires; once a kubeconfig containing it leaks, the only remedies are rotating the cluster CA or waiting for expiry.
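The script below is an added example (it is not code from the original page or from the Kubernetes project). It reproduces what the kubectl commands above produce with --embed-certs=true using only openssl, and then checks the two facts the user-parameters section and this note depend on: that a user's client certificate is actually signed by the CA embedded in the cluster entry, and that its O field carries system:masters. The cluster name, the user names admin and rogue, and the 172.20.0.113 address are assumptions; all keys and certificates are generated on the fly as constructed test data.

```shell
#!/bin/sh
# Added example, not from the original page: build a kubeconfig with embedded
# certificates using only openssl (no kubectl), then check that a user's client
# certificate chains to the CA embedded in the cluster entry and that its
# Organization (O) field, which kube-apiserver maps to groups, is system:masters.
# Cluster/user names and the 172.20.0.113 address are assumptions; all keys and
# certificates are generated here as constructed test data.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA written to $1.crt / $1.key with subject CN=$2.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$2" -days 1 >/dev/null 2>&1
}

# Client certificate $1.crt (key $1.key), subject CN=$2/O=$3, signed by CA $4.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2/O=$3" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
    -out "$1.crt" -days 1 >/dev/null 2>&1
}

# Single-line base64 of a file: the form --embed-certs=true stores in kubeconfig.
b64() { openssl base64 -in "$1" | tr -d '\n'; }
# Inverse of b64: decode an embedded *-data value back to PEM on stdout.
embedded_pem() { printf '%s\n' "$1" | fold -w 64 | openssl base64 -d; }

# One cluster, two users, two contexts. "admin" is signed by the cluster CA;
# "rogue" also claims O=system:masters but is signed by an unrelated CA.
build_demo_kubeconfig() {  # build_demo_kubeconfig OUTFILE
  make_ca "$WORK/ca" kubernetes-ca
  make_ca "$WORK/other-ca" not-the-cluster-ca
  issue_cert "$WORK/admin" admin system:masters "$WORK/ca"
  issue_cert "$WORK/rogue" admin system:masters "$WORK/other-ca"
  cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    certificate-authority-data: $(b64 "$WORK/ca.crt")
    server: https://172.20.0.113:6443
users:
- name: admin
  user:
    client-certificate-data: $(b64 "$WORK/admin.crt")
    client-key-data: $(b64 "$WORK/admin.key")
- name: rogue
  user:
    client-certificate-data: $(b64 "$WORK/rogue.crt")
    client-key-data: $(b64 "$WORK/rogue.key")
contexts:
- name: kubernetes
  context:
    cluster: kubernetes
    user: admin
- name: rogue
  context:
    cluster: kubernetes
    user: rogue
current-context: kubernetes
EOF
}

# Value of KEY in the entry named NAME of the top-level list SECTION
# (clusters, users or contexts); relies on the two-space layout kubectl writes.
kubeconfig_field() {  # kubeconfig_field FILE SECTION NAME KEY
  awk -v sec="$2" -v name="$3" -v key="$4" '
    /^[A-Za-z-]+:/ { cur_sec = substr($1, 1, length($1) - 1) }
    /^- name:/     { cur_name = $3 }
    cur_sec == sec && cur_name == name && $1 == (key ":") { print $2; exit }
  ' "$1"
}

# Groups kube-apiserver derives from a client certificate: every O= in its subject.
cert_groups() {  # cert_groups PEMFILE
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | awk -F= '{ gsub(/^[ \t]+/, "", $1) } $1 == "O" { print $2 }'
}

kubeconfig_user_groups() {  # kubeconfig_user_groups FILE USER
  embedded_pem "$(kubeconfig_field "$1" users "$2" client-certificate-data)" > "$WORK/user.pem"
  cert_groups "$WORK/user.pem"
}

# Succeeds only if USER's certificate was issued by the CA embedded for CLUSTER.
kubeconfig_user_cert_trusted() {  # kubeconfig_user_cert_trusted FILE CLUSTER USER
  embedded_pem "$(kubeconfig_field "$1" clusters "$2" certificate-authority-data)" > "$WORK/cluster-ca.pem"
  embedded_pem "$(kubeconfig_field "$1" users "$3" client-certificate-data)" > "$WORK/user.pem"
  openssl verify -CAfile "$WORK/cluster-ca.pem" "$WORK/user.pem" 2>/dev/null | grep -q ': OK$'
}

# Demo run on the constructed kubeconfig: admin is trusted, rogue is not.
CFG="$WORK/config"; build_demo_kubeconfig "$CFG"
for u in admin rogue; do
  kubeconfig_user_cert_trusted "$CFG" kubernetes "$u" && s=trusted || s=UNTRUSTED
  printf '%s: groups=%s cert=%s\n' "$u" "$(kubeconfig_user_groups "$CFG" "$u")" "$s"
done
```

Both users present a certificate whose subject says O=system:masters, but only the one that chains to the certificate-authority-data of the cluster entry would be accepted by that cluster's kube-apiserver; the group name alone means nothing until the signature checks out. Run the same two checks against a real ~/.kube/config (pointing the functions at it instead of the constructed file) to find out which users in it are effectively cluster-admin.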
Reference:
- https://k8smeetup.github.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/
- https://k8smeetup.github.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/
- https://jimmysong.io/kubernetes-handbook/guide/kubectl-user-authentication-authorization.html
- http://kubernetes.kansea.com/docs/user-guide/kubectl
The usage of kubeconfig in kubernetes