5.2.2.3. Kubeconfigs

Kubeconfig is a configuration file that provides access to a Kubernetes cluster. It contains information about API servers, user credentials (such as tokens or certificates), and contexts that define which cluster and user are being used. Kubeconfig provides authentication and authorization when interacting with the cluster through kubectl or other clients, allowing secure management of cluster resources and settings.

We create kubeconfig files for components and users. This ensures a secure and controlled connection to the API server.

Creating kubeconfig configurations and certificates

● Required

Super Admin

Working directory

mkdir -p /etc/kubernetes/pki
mkdir -p /etc/kubernetes/openssl/csr
mkdir -p /etc/kubernetes/kubeconfig

Configuration

cat <<EOF > /etc/kubernetes/openssl/super-admin.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[ dn ]
CN = kubernetes-super-admin
O = system:masters

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=clientAuth
EOF

Private key generation

openssl genrsa \
-out /etc/kubernetes/kubeconfig/super-admin.key 2048

CSR generation

openssl req \
-new \
-key /etc/kubernetes/kubeconfig/super-admin.key \
-out /etc/kubernetes/openssl/csr/super-admin.csr \
-config /etc/kubernetes/openssl/super-admin.conf

CSR signing

openssl x509 \
-req \
-days 365 \
-sha256 \
-CA /etc/kubernetes/pki/ca.crt \
-CAkey /etc/kubernetes/pki/ca.key \
-CAcreateserial \
-in /etc/kubernetes/openssl/csr/super-admin.csr \
-out /etc/kubernetes/kubeconfig/super-admin.crt \
-extensions v3_ext \
-extfile /etc/kubernetes/openssl/super-admin.conf

Kubeconfig setup for super-admin

kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=/etc/kubernetes/super-admin.conf

kubectl config set-credentials system:node:${HOST_NAME} \
--client-certificate=/etc/kubernetes/kubeconfig/super-admin.crt \
--client-key=/etc/kubernetes/kubeconfig/super-admin.key \
--embed-certs=true \
--kubeconfig=/etc/kubernetes/super-admin.conf

kubectl config set-context default \
--cluster=kubernetes \
--user=system:node:${HOST_NAME} \
--kubeconfig=/etc/kubernetes/super-admin.conf

kubectl config use-context default \
--kubeconfig=/etc/kubernetes/super-admin.conf

Certificate readiness check

Note
This section depends on the following sections:

/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/kubeconfig/super-admin.crt

Command output

CERTIFICATE        EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
super-admin.conf   Oct 22, 2025 22:06 UTC   364d            kubernetes              no
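
The following audit is an added example, not part of the original guide or of Kubernetes tooling. It inspects the client certificate embedded in a kubeconfig such as /etc/kubernetes/super-admin.conf and reports membership in system:masters (a group that bypasses RBAC authorization), approaching expiry, and file permissions wider than owner-only. The function names are hypothetical, and the script assumes --embed-certs=true output, GNU stat and base64, and openssl on PATH.

```bash
#!/usr/bin/env bash
# Added example: audit the client certificate embedded in a kubeconfig.
# Assumes --embed-certs=true output (client-certificate-data on one line),
# GNU stat/base64 and openssl on PATH. Function names are hypothetical.

# Print the first embedded client certificate as PEM.
kubeconfig_client_cert() {
  awk '$1 == "client-certificate-data:" { print $2; exit }' "$1" | base64 -d
}

# Print findings for kubeconfig $1; return 1 on any WARN, 2 on error.
audit_kubeconfig() {
  local file="$1" warn_days="${2:-30}" pem subject mode findings=0
  pem=$(kubeconfig_client_cert "$file") || return 2
  [ -n "$pem" ] || { echo "ERROR no embedded client certificate"; return 2; }

  subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253)
  subject=${subject#subject=}; subject=${subject# }
  echo "INFO subject ${subject}"

  # Members of system:masters bypass RBAC authorization on the API server.
  case ",${subject}," in
    *,O=system:masters,*) echo "WARN member of system:masters"; findings=1 ;;
  esac

  # -checkend exits non-zero if the certificate expires within N seconds.
  if ! printf '%s\n' "$pem" |
      openssl x509 -noout -checkend "$((warn_days * 86400))" >/dev/null; then
    echo "WARN expires within ${warn_days} days"; findings=1
  fi

  # The private key is embedded in the same file, so it must be owner-only.
  mode=$(stat -c '%a' "$file")
  case "$mode" in
    600|400) ;;
    *) echo "WARN file mode ${mode}, expected 600"; findings=1 ;;
  esac
  return "$findings"
}
```

Call it as `audit_kubeconfig /etc/kubernetes/super-admin.conf`; the certificate generated above reports the system:masters warning by design, because its CSR sets O = system:masters.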