Understanding Kubernetes kubeconfig
When you run a kubectl command, Kubernetes needs to know which cluster to talk to, who you are, and which namespace to use by default. All of this information lives in a single file called the kubeconfig file.
Think of kubeconfig as your personal address book for Kubernetes clusters. Instead of typing the cluster address, your username, and your certificate every single time, you write them down once in kubeconfig and kubectl reads them automatically.
By default, kubectl looks for this file at ~/.kube/config on Linux/macOS and at %USERPROFILE%\.kube\config on Windows. You can manage multiple clusters, multiple users, and multiple environments — all from this one file.
Core Concepts
The Three Building Blocks of kubeconfig
A kubeconfig file is made up of three sections that work together: clusters, users, and contexts.
| Section | What It Stores | Real-World Analogy |
|---|---|---|
| clusters | API server address and CA certificate of each cluster | The address of an office building |
| users | Credentials (certificate, token, or username/password) for each identity | Your employee ID badge |
| contexts | A named pairing of a cluster + a user + an optional namespace | A pre-saved shortcut: "go to building A as employee 42" |
clusters
Each entry in the clusters list describes a Kubernetes API server. The two most important fields are server (the HTTPS address of the API) and certificate-authority-data (the base64-encoded CA certificate that proves the server's identity).
users
Each entry in the users list holds the credentials kubectl presents to the API server. The most common credential types are:
- client-certificate-data + client-key-data — mutual TLS (most common in kubeadm clusters)
- token — a bearer token (common for ServiceAccounts and OIDC flows)
- exec — an external command that produces a token (used by cloud providers like EKS, GKE, AKS)
contexts
A context is a named combination of a cluster and a user, with an optional namespace. When you switch contexts you switch everything at once — cluster, identity, and default namespace. This is the key mechanism that lets you jump between environments (development, staging, production) with a single command.
current-context
The current-context field at the top level of the file tells kubectl which context to use when no explicit context is given. You can read it, set it, and switch it without editing the file by hand.
A Minimal kubeconfig File
Below is a minimal kubeconfig that defines one cluster, one user using a bearer token, and one context that ties them together. This is not a Kubernetes manifest — you do not kubectl apply it. You place it at ~/.kube/config or point to it with the KUBECONFIG environment variable.
Hands-On: Kubernetes Commands
View the full kubeconfig
Print the merged kubeconfig that kubectl is currently using:
Show sensitive values (certificates and tokens) in plain text:
Check the active context
See which context kubectl is operating under right now:
List all contexts
Show every context defined in the kubeconfig file. The active one is marked with an asterisk:
Switch context
Jump to a different cluster/user/namespace combination instantly:
List all clusters
Show all cluster entries registered in kubeconfig:
List all users
Show all user entries registered in kubeconfig:
Add a new cluster entry
Register a new cluster without editing the file by hand:
Add a new user entry (token-based)
Register a new identity using a bearer token:
Add a new user entry (certificate-based)
Register a new identity using a client certificate and key:
Create a new context
Combine a cluster and a user into a named context and set a default namespace:
Delete a context
Remove a context entry from the kubeconfig file:
Delete a cluster entry
Delete a user entry
Override the namespace for a context
You can set or change the default namespace of an existing context without touching cluster or user settings:
Step-by-Step Example
Scenario: Managing Two Clusters (Development and Staging)
Imagine you are a developer who works against two Kubernetes clusters: a local development cluster created with kind and a remote staging cluster. You will register both clusters, create contexts for each environment, and switch between them.
Step 1 — Verify your starting state
Check what contexts are already present:
Step 2 — Register the development cluster
If you are using kind, it writes the cluster entry automatically when you run kind create cluster. To verify it was added:
Step 3 — Register the staging cluster manually
Your ops team provides you with the API server address, a CA certificate file, and a bearer token. Register them:
Step 4 — Create contexts for both environments
Create a context for development that defaults to the dev namespace:
Create a context for staging that defaults to the staging namespace:
Step 5 — Switch to the development context and verify
Expected output:
Confirm you are talking to the correct cluster by listing nodes:
Step 6 — Switch to the staging context
You are now sending commands to the staging cluster. No flags, no long URLs — just one use-context command.
Working with Multiple kubeconfig Files
Instead of merging everything into one file, you can keep separate kubeconfig files and combine them at runtime using the KUBECONFIG environment variable. Set it to a colon-separated list of file paths (semicolon on Windows):
Kubernetes merges all listed files in memory. You can then list all contexts from every file with kubectl config get-contexts and switch between them normally.
Merging kubeconfig Files Permanently
To collapse multiple kubeconfig files into a single file, use the KUBECONFIG trick combined with kubectl config view --flatten:
Using a Different kubeconfig for a Single Command
Use the --kubeconfig flag to target a specific file for just one command without changing any environment variables or your default file:
kubeconfig Lookup Priority
kubectl determines which kubeconfig to use in this order:
- The
--kubeconfigflag on the command line (highest priority) - The
KUBECONFIGenvironment variable (merged list of files) - The default file at
~/.kube/config(lowest priority)
Summary
The kubeconfig file is the central configuration file that tells kubectl how to connect to your Kubernetes clusters and who you are. It has three key sections: clusters (API server addresses), users (credentials), and contexts (named pairings of cluster + user + namespace).
- Use
kubectl config get-contextsto see all available environments. - Use
kubectl config use-context <name>to switch between them instantly. - Use
kubectl config set-context --current --namespace=<ns>to change your default namespace. - Use the
KUBECONFIGenvironment variable to work with multiple kubeconfig files simultaneously. - Use
--kubeconfigfor a one-off override without changing global state.
Mastering kubeconfig is the foundation for managing real-world multi-cluster environments safely and efficiently. Every time you automate CI/CD pipelines, set up developer workstations, or grant limited access to a namespace, you will reach for these commands.