Overview
Kubeconfig files contain:- Cluster API server endpoints
- Authentication credentials (tokens or certificates)
- Cluster CA certificates for TLS verification
- Context configuration for kubectl
- kubectl CLI access to managed clusters
- Programmatic API access via client libraries
- Integration with CI/CD pipelines
- Development tooling and IDE integrations
Cluster Action
The kubeconfig generation action is defined in/home/daytona/workspace/source/pkg/apis/management.cattle.io/v3/cluster_types.go:30:
/home/daytona/workspace/source/pkg/apis/management.cattle.io/v3/cluster_types.go:321):
Generating Kubeconfig
Via Rancher UI
~/.kube/config or a custom locationVia Rancher API
Generate kubeconfig via API:Kubeconfig Generation Process
The generation is implemented in/home/daytona/workspace/source/pkg/api/norman/customization/cluster/actions_kubeconfig.go:17.
kind: "kubeconfig"kubeconfig-{username}settings.KubeconfigDefaultTokenTTLMilliSecondsToken creation is handled differently based on the cluster’s local authentication endpoint configuration:
ensureClusterToken()ensureToken()With local cluster auth endpoint (defined at
/home/daytona/workspace/source/pkg/apis/management.cattle.io/v3/cluster_types.go:385):apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority-data: {CLUSTER_CA}
server: https://{NODE_IP}:6443
name: {CLUSTER_NAME}
contexts:
- context:
cluster: {CLUSTER_NAME}
user: {CLUSTER_NAME}
name: {CLUSTER_NAME}
current-context: {CLUSTER_NAME}
users:
- name: {CLUSTER_NAME}
user:
token: {TOKEN}
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority-data: {RANCHER_CA}
server: https://{RANCHER_URL}/k8s/clusters/{CLUSTER_ID}
name: {CLUSTER_NAME}
contexts:
- context:
cluster: {CLUSTER_NAME}
user: {CLUSTER_NAME}
name: {CLUSTER_NAME}
current-context: {CLUSTER_NAME}
users:
- name: {CLUSTER_NAME}
user:
token: {TOKEN}
Access Patterns
Direct Cluster Access
When clusters have Local Cluster Auth Endpoint enabled:- Points directly to cluster API server (typically
https://{NODE_IP}:6443) - Uses cluster’s native CA certificates
- Bypasses Rancher for API requests
- Provides lower latency
- Requires network connectivity to cluster nodes
- Accessing clusters from within the same network
- High-performance kubectl operations
- Reducing load on Rancher server
Proxied Access (Default)
When local auth endpoint is disabled: The kubeconfig:- Points to Rancher server endpoint (
https://{RANCHER_URL}/k8s/clusters/{CLUSTER_ID}) - Rancher proxies all requests to the cluster
- Uses Rancher’s CA certificates
- Works from any location that can reach Rancher
- Requires Rancher to be available
- Accessing clusters across networks/firewalls
- Clusters without publicly accessible API servers
- Centralized audit logging through Rancher
- Consistent access regardless of cluster location
Token Management
Listing Tokens
View your kubeconfig tokens:- Click your User Avatar
- Select API & Keys
- Filter by Description: “Kubeconfig token”
Revoking Tokens
Remove a kubeconfig token:- Navigate to API & Keys
- Find the token
- Click Delete
Token Rotation
Rotate tokens periodically for security:- Generate a new kubeconfig from Rancher
- Update your
~/.kube/configwith the new configuration - Verify connectivity:
kubectl cluster-info - Delete the old token
Token TTL Configuration
Configure default token TTL (Time To Live):kubeconfig-generate-token: Enable/disable token generation (default:true)kubeconfig-default-token-ttl-minutes: Default TTL in minutes
Multi-Cluster Access
Manage multiple clusters in a single kubeconfig:Merge Kubeconfig Files
Switch Contexts
Set Context Defaults
Programmatic Access
Use generated kubeconfig with Kubernetes client libraries:Go Client
Python Client
Security Best Practices
- Protect kubeconfig files: Treat as sensitive credentials
- File permissions:
chmod 600 ~/.kube/config - No version control: Never commit kubeconfig to git repositories
- Token rotation: Rotate tokens every 30-90 days
- Minimal scope: Request tokens with minimum required permissions
- Audit access: Monitor token usage in Rancher audit logs
- Revoke unused tokens: Clean up old tokens regularly
Troubleshooting
”Unable to connect to the server”
- Network connectivity: Verify you can reach the cluster endpoint
- Token expiration: Generate a new kubeconfig if token expired
- Rancher availability: Ensure Rancher server is accessible (for proxied access)
“Unauthorized” or “Forbidden” errors
- Token validity: Verify token hasn’t been revoked
- RBAC permissions: Check your user’s cluster role bindings
- Cluster access: Confirm you have permission to access the cluster
Certificate verification failures
- CA certificate mismatch: Regenerate kubeconfig after certificate rotation
- Custom CA certificates: Ensure custom CAs are correctly configured
- Certificate expiration: Check cluster certificate validity
Context not found
- Merged configs: Verify context exists:
kubectl config get-contexts - File corruption: Validate YAML syntax:
yamllint ~/.kube/config - Regenerate: Download a fresh kubeconfig from Rancher