k3s/docs/kubeconfig-file.md

# kubeconfig files
In order to easily switch between multiple clusters, a kubeconfig file was defined.  This file contains a series of authentication mechanisms and cluster connection information associated with nicknames.  It also introduces the concept of a tuple of authentication information (user) and cluster connection information called a context that is also associated with a nickname.

Multiple kubeconfig files are allowed.  At runtime they are loaded and merged together along with override options specified from the command line (see rules below).

## Related discussion
https://github.com/GoogleCloudPlatform/kubernetes/issues/1755

## Example kubeconfig file
```
apiVersion: v1
clusters:
- cluster:
    api-version: v1
    server: http://cow.org:8080
  name: cow-cluster
- cluster:
    certificate-authority: path/to/my/cafile
    server: https://horse.org:4443
  name: horse-cluster
- cluster:
    insecure-skip-tls-verify: true
    server: https://pig.org:443
  name: pig-cluster
contexts:
- context:
    cluster: horse-cluster
    namespace: chisel-ns
    user: green-user
  name: federal-context
- context:
    cluster: pig-cluster
    namespace: saw-ns
    user: black-user
  name: queen-anne-context
current-context: federal-context
kind: Config
preferences:
  colors: true
users:
- name: blue-user
  user:
    token: blue-token
- name: green-user
  user:
    client-certificate: path/to/my/client/cert
    client-key: path/to/my/client/key
```

## Loading and merging rules
The rules for loading and merging the kubeconfig files are straightforward, but there are a lot of them.  The final config is built in this order:
  1.  Get the kubeconfig  from disk.  This is done with the following hierarchy and merge rules:


      If the CommandLineLocation (the value of the `kubeconfig` command line option) is set, use this file only.  No merging.  Only one instance of this flag is allowed.


      Else, if EnvVarLocation (the value of $KUBECONFIG) is available, use it as a list of files that should be merged.
      Merge files together based on the following rules.
      Empty filenames are ignored.  Files with non-deserializable content produced errors.
      The first file to set a particular value or map key wins and the value or map key is never changed.
      This means that the first file to set CurrentContext will have its context preserved.  It also means that if two files specify a "red-user", only values from the first file's red-user are used.  Even non-conflicting entries from the second file's "red-user" are discarded.


      Otherwise, use HomeDirectoryLocation (~/.kube/config) with no merging.
  1.  Determine the context to use based on the first hit in this chain
      1.  command line argument - the value of the `context` command line option
      1.  current-context from the merged kubeconfig file
      1.  Empty is allowed at this stage
  1.  Determine the cluster info and user to use.  At this point, we may or may not have a context.  They are built based on the first hit in this chain.  (run it twice, once for user, once for cluster)
      1.  command line argument - `user` for user name and `cluster` for cluster name
      1.  If context is present, then use the context's value
      1.  Empty is allowed
  1.  Determine the actual cluster info to use.  At this point, we may or may not have a cluster info.  Build each piece of the cluster info based on the chain (first hit wins):
      1.  command line arguments - `server`, `api-version`, `certificate-authority`, and `insecure-skip-tls-verify`
      1.  If cluster info is present and a value for the attribute is present, use it.
      1.  If you don't have a server location, error.
  1.  Determine the actual user info to use. User is built using the same rules as cluster info, EXCEPT that you can only have one authentication technique per user.
      1. Load precedence is 1) command line flag, 2) user fields from kubeconfig
      1. The command line flags are: `client-certificate`, `client-key`, `username`, `password`, and `token`.
      1. If there are two conflicting techniques, fail.
  1.  For any information still missing, use default values and potentially prompt for authentication information

## Manipulation of kubeconfig via `kubectl config <subcommand>`
In order to more easily manipulate kubeconfig files, there are a series of subcommands to `kubectl config` to help.
See [docs/kubectl_config.md](kubectl_config.md) for help.

### Example
```
$kubectl config set-credentials myself --username=admin --password=secret
$kubectl config set-cluster local-server --server=http://localhost:8080
$kubectl config set-context default-context --cluster=local-server --user=myself
$kubectl config use-context default-context
$kubectl config set contexts.default-context.namespace the-right-prefix
$kubectl config view
```
produces this output
```
clusters:
  local-server:
    server: http://localhost:8080
contexts:
  default-context:
    cluster: local-server
    namespace: the-right-prefix
    user: myself
current-context: default-context
preferences: {}
users:
  myself:
    username: admin
    password: secret

```
and a kubeconfig file that looks like this
```
apiVersion: v1
clusters:
- cluster:
    server: http://localhost:8080
  name: local-server
contexts:
- context:
    cluster: local-server
    namespace: the-right-prefix
    user: myself
  name: default-context
current-context: default-context
kind: Config
preferences: {}
users:
- name: myself
  user:
    username: admin
    password: secret
```

#### Commands for the example file
```
$kubectl config set preferences.colors true
$kubectl config set-cluster cow-cluster --server=http://cow.org:8080 --api-version=v1
$kubectl config set-cluster horse-cluster --server=https://horse.org:4443 --certificate-authority=path/to/my/cafile
$kubectl config set-cluster pig-cluster --server=https://pig.org:443 --insecure-skip-tls-verify=true
$kubectl config set-credentials blue-user --token=blue-token
$kubectl config set-credentials green-user --client-certificate=path/to/my/client/cert --client-key=path/to/my/client/key
$kubectl config set-context queen-anne-context --cluster=pig-cluster --user=black-user --namespace=saw-ns
$kubectl config set-context federal-context --cluster=horse-cluster --user=green-user --namespace=chisel-ns
$kubectl config use-context federal-context
```


[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/kubeconfig-file.md?pixel)]()
Update kubeconfig-file doc. Remove the '.' in references to '.kubeconfig file' to avoid confusion as default location is now ~/.kube/config. Also remove auth-path examples, as that option is deprecated and should not be used. 2015-05-05 18:36:22 +00:00			`# kubeconfig files`
			`In order to easily switch between multiple clusters, a kubeconfig file was defined. This file contains a series of authentication mechanisms and cluster connection information associated with nicknames. It also introduces the concept of a tuple of authentication information (user) and cluster connection information called a context that is also associated with a nickname.`
Revert "Revert "add kubeconfig types"" This reverts commit 02dbad7094d2f55a3a1e39e705c21459774e97c0. 2015-01-07 20:59:22 +00:00
update kubeconfig-docs to v1beta3 2015-05-18 23:28:57 +00:00			`Multiple kubeconfig files are allowed. At runtime they are loaded and merged together along with override options specified from the command line (see rules below).`
Revert "Revert "add kubeconfig types"" This reverts commit 02dbad7094d2f55a3a1e39e705c21459774e97c0. 2015-01-07 20:59:22 +00:00
			`## Related discussion`
			`https://github.com/GoogleCloudPlatform/kubernetes/issues/1755`

Update kubeconfig-file doc. Remove the '.' in references to '.kubeconfig file' to avoid confusion as default location is now ~/.kube/config. Also remove auth-path examples, as that option is deprecated and should not be used. 2015-05-05 18:36:22 +00:00			`## Example kubeconfig file`
Revert "Revert "add kubeconfig types"" This reverts commit 02dbad7094d2f55a3a1e39e705c21459774e97c0. 2015-01-07 20:59:22 +00:00			```
add kubectl config 2014-12-17 13:03:03 +00:00			`apiVersion: v1`
Revert "Revert "add kubeconfig types"" This reverts commit 02dbad7094d2f55a3a1e39e705c21459774e97c0. 2015-01-07 20:59:22 +00:00			`clusters:`
add kubectl config 2014-12-17 13:03:03 +00:00			`- cluster:`
Updating docs/ to v1 2015-06-05 19:47:15 +00:00			`api-version: v1`
add kubectl config 2014-12-17 13:03:03 +00:00			`server: http://cow.org:8080`
			`name: cow-cluster`
			`- cluster:`
Revert "Revert "add kubeconfig types"" This reverts commit 02dbad7094d2f55a3a1e39e705c21459774e97c0. 2015-01-07 20:59:22 +00:00			`certificate-authority: path/to/my/cafile`
add kubectl config 2014-12-17 13:03:03 +00:00			`server: https://horse.org:4443`
			`name: horse-cluster`
			`- cluster:`
Revert "Revert "add kubeconfig types"" This reverts commit 02dbad7094d2f55a3a1e39e705c21459774e97c0. 2015-01-07 20:59:22 +00:00			`insecure-skip-tls-verify: true`
add kubectl config 2014-12-17 13:03:03 +00:00			`server: https://pig.org:443`
			`name: pig-cluster`
Revert "Revert "add kubeconfig types"" This reverts commit 02dbad7094d2f55a3a1e39e705c21459774e97c0. 2015-01-07 20:59:22 +00:00			`contexts:`
add kubectl config 2014-12-17 13:03:03 +00:00			`- context:`
Revert "Revert "add kubeconfig types"" This reverts commit 02dbad7094d2f55a3a1e39e705c21459774e97c0. 2015-01-07 20:59:22 +00:00			`cluster: horse-cluster`
			`namespace: chisel-ns`
add kubectl config 2014-12-17 13:03:03 +00:00			`user: green-user`
			`name: federal-context`
			`- context:`
			`cluster: pig-cluster`
			`namespace: saw-ns`
			`user: black-user`
			`name: queen-anne-context`
Revert "Revert "add kubeconfig types"" This reverts commit 02dbad7094d2f55a3a1e39e705c21459774e97c0. 2015-01-07 20:59:22 +00:00			`current-context: federal-context`
add kubectl config 2014-12-17 13:03:03 +00:00			`kind: Config`
			`preferences:`
			`colors: true`
			`users:`
			`- name: blue-user`
			`user:`
			`token: blue-token`
			`- name: green-user`
			`user:`
			`client-certificate: path/to/my/client/cert`
			`client-key: path/to/my/client/key`
Revert "Revert "add kubeconfig types"" This reverts commit 02dbad7094d2f55a3a1e39e705c21459774e97c0. 2015-01-07 20:59:22 +00:00			```

			`## Loading and merging rules`
Update kubeconfig-file doc. Remove the '.' in references to '.kubeconfig file' to avoid confusion as default location is now ~/.kube/config. Also remove auth-path examples, as that option is deprecated and should not be used. 2015-05-05 18:36:22 +00:00			`The rules for loading and merging the kubeconfig files are straightforward, but there are a lot of them. The final config is built in this order:`
change kubeconfig loading order 2015-04-10 12:54:22 +00:00			`1. Get the kubeconfig from disk. This is done with the following hierarchy and merge rules:`
Update kubeconfig-file doc. Remove the '.' in references to '.kubeconfig file' to avoid confusion as default location is now ~/.kube/config. Also remove auth-path examples, as that option is deprecated and should not be used. 2015-05-05 18:36:22 +00:00
Add documentation on legacy kubernetes_auth file to kubeconfig-file.md 2015-03-04 22:16:04 +00:00
change kubeconfig loading order 2015-04-10 12:54:22 +00:00			If the CommandLineLocation (the value of the `kubeconfig` command line option) is set, use this file only. No merging. Only one instance of this flag is allowed.


Update kubeconfig-file doc. Remove the '.' in references to '.kubeconfig file' to avoid confusion as default location is now ~/.kube/config. Also remove auth-path examples, as that option is deprecated and should not be used. 2015-05-05 18:36:22 +00:00			`Else, if EnvVarLocation (the value of $KUBECONFIG) is available, use it as a list of files that should be merged.`
change kubeconfig loading order 2015-04-10 12:54:22 +00:00			`Merge files together based on the following rules.`
Revert "Revert "add kubeconfig types"" This reverts commit 02dbad7094d2f55a3a1e39e705c21459774e97c0. 2015-01-07 20:59:22 +00:00			`Empty filenames are ignored. Files with non-deserializable content produced errors.`
			`The first file to set a particular value or map key wins and the value or map key is never changed.`
			`This means that the first file to set CurrentContext will have its context preserved. It also means that if two files specify a "red-user", only values from the first file's red-user are used. Even non-conflicting entries from the second file's "red-user" are discarded.`
change kubeconfig loading order 2015-04-10 12:54:22 +00:00

			`Otherwise, use HomeDirectoryLocation (~/.kube/config) with no merging.`
Revert "Revert "add kubeconfig types"" This reverts commit 02dbad7094d2f55a3a1e39e705c21459774e97c0. 2015-01-07 20:59:22 +00:00			`1. Determine the context to use based on the first hit in this chain`
			1. command line argument - the value of the `context` command line option
			`1. current-context from the merged kubeconfig file`
			`1. Empty is allowed at this stage`
			`1. Determine the cluster info and user to use. At this point, we may or may not have a context. They are built based on the first hit in this chain. (run it twice, once for user, once for cluster)`
			1. command line argument - `user` for user name and `cluster` for cluster name
			`1. If context is present, then use the context's value`
			`1. Empty is allowed`
			`1. Determine the actual cluster info to use. At this point, we may or may not have a cluster info. Build each piece of the cluster info based on the chain (first hit wins):`
			1. command line arguments - `server`, `api-version`, `certificate-authority`, and `insecure-skip-tls-verify`
			`1. If cluster info is present and a value for the attribute is present, use it.`
			`1. If you don't have a server location, error.`
Add documentation on legacy kubernetes_auth file to kubeconfig-file.md 2015-03-04 22:16:04 +00:00			`1. Determine the actual user info to use. User is built using the same rules as cluster info, EXCEPT that you can only have one authentication technique per user.`
remove cmd respect for auth-path 2015-05-08 20:26:27 +00:00			`1. Load precedence is 1) command line flag, 2) user fields from kubeconfig`
			1. The command line flags are: `client-certificate`, `client-key`, `username`, `password`, and `token`.
Add documentation on legacy kubernetes_auth file to kubeconfig-file.md 2015-03-04 22:16:04 +00:00			`1. If there are two conflicting techniques, fail.`
Revert "Revert "add kubeconfig types"" This reverts commit 02dbad7094d2f55a3a1e39e705c21459774e97c0. 2015-01-07 20:59:22 +00:00			`1. For any information still missing, use default values and potentially prompt for authentication information`
add kubectl config 2014-12-17 13:03:03 +00:00
Update kubeconfig-file doc. Remove the '.' in references to '.kubeconfig file' to avoid confusion as default location is now ~/.kube/config. Also remove auth-path examples, as that option is deprecated and should not be used. 2015-05-05 18:36:22 +00:00			## Manipulation of kubeconfig via `kubectl config <subcommand>`
			In order to more easily manipulate kubeconfig files, there are a series of subcommands to `kubectl config` to help.
			`See [docs/kubectl_config.md](kubectl_config.md) for help.`
add kubectl config 2014-12-17 13:03:03 +00:00
			`### Example`
			```
Update kubeconfig-file doc. Remove the '.' in references to '.kubeconfig file' to avoid confusion as default location is now ~/.kube/config. Also remove auth-path examples, as that option is deprecated and should not be used. 2015-05-05 18:36:22 +00:00			`$kubectl config set-credentials myself --username=admin --password=secret`
add kubectl config 2014-12-17 13:03:03 +00:00			`$kubectl config set-cluster local-server --server=http://localhost:8080`
			`$kubectl config set-context default-context --cluster=local-server --user=myself`
			`$kubectl config use-context default-context`
			`$kubectl config set contexts.default-context.namespace the-right-prefix`
			`$kubectl config view`
			```
			`produces this output`
			```
			`clusters:`
			`local-server:`
			`server: http://localhost:8080`
			`contexts:`
			`default-context:`
			`cluster: local-server`
			`namespace: the-right-prefix`
			`user: myself`
			`current-context: default-context`
			`preferences: {}`
			`users:`
			`myself:`
Update kubeconfig-file doc. Remove the '.' in references to '.kubeconfig file' to avoid confusion as default location is now ~/.kube/config. Also remove auth-path examples, as that option is deprecated and should not be used. 2015-05-05 18:36:22 +00:00			`username: admin`
			`password: secret`
add kubectl config 2014-12-17 13:03:03 +00:00
			```
Update kubeconfig-file doc. Remove the '.' in references to '.kubeconfig file' to avoid confusion as default location is now ~/.kube/config. Also remove auth-path examples, as that option is deprecated and should not be used. 2015-05-05 18:36:22 +00:00			`and a kubeconfig file that looks like this`
add kubectl config 2014-12-17 13:03:03 +00:00			```
			`apiVersion: v1`
			`clusters:`
			`- cluster:`
			`server: http://localhost:8080`
			`name: local-server`
			`contexts:`
			`- context:`
			`cluster: local-server`
			`namespace: the-right-prefix`
			`user: myself`
			`name: default-context`
			`current-context: default-context`
			`kind: Config`
			`preferences: {}`
			`users:`
			`- name: myself`
			`user:`
Update kubeconfig-file doc. Remove the '.' in references to '.kubeconfig file' to avoid confusion as default location is now ~/.kube/config. Also remove auth-path examples, as that option is deprecated and should not be used. 2015-05-05 18:36:22 +00:00			`username: admin`
			`password: secret`
add kubectl config 2014-12-17 13:03:03 +00:00			```

			`#### Commands for the example file`
			```
			`$kubectl config set preferences.colors true`
Updating docs/ to v1 2015-06-05 19:47:15 +00:00			`$kubectl config set-cluster cow-cluster --server=http://cow.org:8080 --api-version=v1`
add kubectl config 2014-12-17 13:03:03 +00:00			`$kubectl config set-cluster horse-cluster --server=https://horse.org:4443 --certificate-authority=path/to/my/cafile`
			`$kubectl config set-cluster pig-cluster --server=https://pig.org:443 --insecure-skip-tls-verify=true`
			`$kubectl config set-credentials blue-user --token=blue-token`
			`$kubectl config set-credentials green-user --client-certificate=path/to/my/client/cert --client-key=path/to/my/client/key`
			`$kubectl config set-context queen-anne-context --cluster=pig-cluster --user=black-user --namespace=saw-ns`
			`$kubectl config set-context federal-context --cluster=horse-cluster --user=green-user --namespace=chisel-ns`
			`$kubectl config use-context federal-context`
Add documentation on legacy kubernetes_auth file to kubeconfig-file.md 2015-03-04 22:16:04 +00:00			```
Add ga-beacon analytics to gendocs scripts hack/run-gendocs.sh puts ga-beacon analytics link into all md files, hack/verify-gendocs.sh verifies presence of link. 2015-05-14 22:12:45 +00:00

			`[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/kubeconfig-file.md?pixel)]()`