Introduction to KubeConfig

What is KubeConfig? KubeCofig enables clients like Kubectl and many programming languages, to securely access your Kubernetes Cluster. Specifically, KubeConfig is a YAML file that contains either a username and password combination or a secure token that when read programmatically removes the need for the Kubernetes client to ask for interactive authentication. KubeConfig is the secure and standard method to enable access to your Kubernetes clusters.

Kubernetes Clients

Client libraries handle the complicated task of integrating and understanding Kubernetes by natively handling the Kubernetes APIs. A number of client libraries are maintained by the Kubernetes SIG API machinery, this includes Python, Go, Java, dotNet, Javascript and Haskell. These languages and related libraries are able to utilize the KubeConfig file to authenticate against the Kubernetes API.


Kubectl provides a command line tool for interacting with Kubernetes; tasks like listing Pods, autoscaling, changing labels and run are available to control and transform your Kubernetes environment.

Kubectl depends on KubeConfig for authentication, by default Kubectl will expect KubeConfig, represented as a file named config to be present in the $HOME/.kube directory. Without KubeConfig you cannot use Kubectl.

To get started with Kubectl view the cheatsheet. For a detailed guide on Kubectl review the Kubernetes documentation.

Obtaining KubeConfig for a Cluster

In order to access your PMK clusters outside of the PMK UI, you need to have a kubeconfig file that is properly configured with either of the following:

  • an access token generated by Platform9 for your specific user account, or
  • the username and password for your user account stored in encrypted format

You can specify the authentication method to use while downloading the kubeconfig file through PMK. Once the method is specified, the respective value is retrieved from PMK for authentication and stored in the kubeconfig file. The KubeConfig file can be downloaded from the API dashboard.

Token Based KubeConfig

Token-based authentication is a more secure way of authentication.

Once generated, a token is valid for a 24-hour duration, as compared to a username-password combination that is valid as long as the password is valid.

Follow the steps given below to download the kubeconfig file with a token.

  1. Click Kubernetes>API Access.
  2. Click the Download Config link for the desired cluster from the cluster list. Tokenbased Authentication

  3. Select Token as the Authentication Method and click Download Config.

The token field in the kubeconfig file is populated with the Keystone token for the user. The kubeconfig file is downloaded to your default download folder.

You can view the kubeconfig file content for the cluster by selecting the option for the respective cluster in PMK. View kubeconfig