Kubeconfig
Kubeconfig is a configuration file that allows the kubectl tool to authenticate and connect to your Kubernetes Cluster. Each kubeconfig file contains cluster information (API server address), authentication credentials (client certificate), and a context that identifies which cluster is being used.
On VKS, the kubeconfig file uses the Client Certificate mechanism for authentication. You choose the certificate validity period at download time, which gives you better security control.
Note for IAM-user accounts:
Before working with kubeconfig, an IAM-user account must be granted all of the permissions below (admins should grant these once, upfront):
RequestKubeconfig: Request the issuance of a kubeconfig. Applies to: Download Kubeconfig
AcknowledgeKubeConfigWarningRenew: Acknowledge ("mark as read") the auto-renew kubeconfig notification from the system. Applies to: Renew Certificate, Automatic renewal
Download Kubeconfig
IAM-user accounts require the RequestKubeconfig permission; see Note for IAM-user accounts at the top of the page.
Step 1: Go to https://vks.console.vngcloud.vn/overview
Step 2: On the Overview screen, select the Kubernetes Cluster menu.
Step 3: On the Cluster whose kubeconfig you want, click the Action icon and select Download Config File.
Step 4: The system displays a confirmation popup. Here, select the certificate validity period for the kubeconfig:
30 days: Suitable for staging, testing environments, or temporary access
90 days: Suitable for production environments with periodic rotation cycles
365 days: Suitable for cases requiring a long-term kubeconfig; needs careful management

Security notes:
The kubeconfig file grants cluster-admin privileges to the holder. Do not share this file with unauthorized individuals.
If you need to revoke the certificate before it expires, please contact the VKS support team for assistance.
If the kubeconfig file is compromised, contact the VKS support team immediately for timely handling.
Step 5: Click Confirm to download. The config file will be saved to your machine.
Configure kubectl to Use Kubeconfig
After downloading the kubeconfig file, you need to place it in the location where kubectl looks for it.
Step 1: Create the .kube directory if it does not exist:
Step 2: Move the downloaded kubeconfig file to the .kube directory and name it config:
Step 3: Verify the connection to the Cluster:
If the connection is successful, you will see the list of nodes in your Cluster.
Using multiple Clusters at once:
If you need to manage multiple Clusters, you can place the kubeconfig file in a different location and specify the path when running the command:
Or set an environment variable:
Managing Certificate Validity
View the current certificate expiry
Method 1: View on Portal
When clicking Download Config File on the Kubernetes Cluster screen, the system displays a kubeconfig information popup that includes the certificate validity period. You can view the expiry date directly here before downloading.

Method 2: Check via command
To check the validity period of the certificate in the kubeconfig file currently in use, run the following command:
The output will display notBefore (start date) and notAfter (expiry date) of the certificate.
Renew Certificate
When the certificate is about to expire (within 7 days), the VKS system will send you a notification. At that point, you can:

Automatic renewal: The system automatically renews the certificate if conditions are met. You will receive a confirmation notification when the process is complete.
IAM-user accounts require the AcknowledgeKubeConfigWarningRenew permission to acknowledge the auto-renew notification; see Note for IAM-user accounts at the top of the page.
Manual renewal: If the system cannot automatically renew, you will see a Renew button in the notification. Click Renew for the system to issue a new certificate.
Note:
After renewal, you need to download the new kubeconfig file and replace the old one. The old certificate continues to work until it expires.
Re-download New Kubeconfig
Repeat the steps in the Download Kubeconfig section to get a new kubeconfig file with a valid certificate.
Kubeconfig Security
Below are security recommendations when using kubeconfig on VKS:
Do not commit the kubeconfig file to a source code repository (Git, GitLab, etc.). Add ~/.kube/config to the project's .gitignore.
Restrict file access permissions: Ensure only the current user can read the kubeconfig file:
Choose an appropriate certificate validity period: Avoid using 365-day certificates for all use cases. Prefer 30 or 90 days and rotate periodically.
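The setup steps from Configure kubectl to Use Kubeconfig, the expiry check from Method 2 and the permission recommendation above, combined in one script. This is an added example, not VKS's own commands; it assumes a kubeconfig with a single user entry and inline client-certificate-data, and the file name other-cluster.yaml is a placeholder.

```shell
#!/bin/sh
# Added example (not VKS's own script): install a downloaded kubeconfig,
# restrict its permissions, and check its client certificate expiry.
set -eu

# Move the download into place; directory 700, file 600 (owner only).
install_kubeconfig() {  # args: <downloaded file> [destination]
  dest="${2:-$HOME/.kube/config}"
  mkdir -p "$(dirname "$dest")"
  chmod 700 "$(dirname "$dest")"
  mv "$1" "$dest"
  chmod 600 "$dest"
}

# True only when group and others have no permission bits on the file.
is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print notBefore/notAfter of the embedded client certificate and return
# non-zero if it expires within <days> (default 7, the page's notice window).
# Assumption: one user entry with inline client-certificate-data.
check_cert() {  # args: <kubeconfig> [days]
  sed -n 's/^ *client-certificate-data: *//p' "$1" | head -n 1 | base64 -d |
    openssl x509 -noout -dates -checkend "$(( ${2:-7} * 86400 ))"
}

# Several clusters: keep each file under its own name and select it with
#   kubectl --kubeconfig "$HOME/.kube/other-cluster.yaml" get nodes
#   export KUBECONFIG="$HOME/.kube/other-cluster.yaml"

# Usage: sh kubeconfig-setup.sh <downloaded kubeconfig>
if [ $# -ge 1 ]; then
  install_kubeconfig "$1"
  is_private "$HOME/.kube/config" || echo "WARNING: kubeconfig readable by others" >&2
  check_cert "$HOME/.kube/config" || echo "WARNING: certificate expires within 7 days" >&2
  kubectl get nodes   # lists the cluster's nodes when the connection works
fi
```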
Create a Read-only Kubeconfig
The default kubeconfig downloaded from VKS grants cluster-admin, that is, full privileges on the cluster. If you need to grant access to other users (developers, auditors, etc.) with view-only permissions and no edit rights, create a separate kubeconfig with view permissions.
The guide below creates a read-only kubeconfig for the user readonly-user. You can replace this name as needed.
Step 1: Generate private key and CSR
Step 2: Create a CertificateSigningRequest in Kubernetes
Step 2a: Encode the CSR to base64
Step 2b: Create the YAML file
Step 2c: Apply the file
Step 3: Approve the CSR
Step 4: Retrieve the signed certificate
Step 5: Bind RBAC for the user
Step 6: Create the kubeconfig file
Step 6a: Retrieve cluster information
Step 6b: Create the kubeconfig file
The user only needs one file: readonly-kubeconfig.yaml.
Step 7: Delete temporary files
The .key (private key) file has been embedded into readonly-kubeconfig.yaml as client-key-data. Delete the original .key file to prevent private key leakage.
Step 8: Verify
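Steps 1 to 8 above as one script, added here as an example and not taken from VKS's own commands. The binding name readonly-user-view, the cluster entry name vks, the temporary file names and the 30-day expirationSeconds are assumptions; run it with the admin kubeconfig active.

```shell
# Added example (not VKS's own script): read-only kubeconfig for "readonly-user".
# Assumed names: binding "readonly-user-view", cluster entry "vks", 30-day lifetime.
set -eu
RO_USER="readonly-user"; OUT="readonly-kubeconfig.yaml"
# Step 2b: render the CertificateSigningRequest manifest (no cluster needed).
render_csr() {  # args: <user> <base64 CSR> <lifetime in seconds>
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $2
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: $3
  usages:
  - client auth
EOF
}

create_readonly_kubeconfig() {
  umask 077  # key and kubeconfig are created owner-only
  # Step 1: private key and CSR; the CN becomes the Kubernetes user name.
  openssl genrsa -out "$RO_USER.key" 2048
  openssl req -new -key "$RO_USER.key" -subj "/CN=$RO_USER" -out "$RO_USER.csr"
  # Steps 2a-2c: base64-encode on one line, render the YAML, apply it.
  render_csr "$RO_USER" "$(base64 < "$RO_USER.csr" | tr -d '\n')" 2592000 > csr.yaml
  kubectl apply -f csr.yaml
  # Steps 3-4: approve, then retrieve the signed certificate.
  kubectl certificate approve "$RO_USER"
  kubectl get csr "$RO_USER" -o jsonpath='{.status.certificate}' | base64 -d > "$RO_USER.crt"
  [ -s "$RO_USER.crt" ] || { echo "certificate not issued yet, retry step 4" >&2; return 1; }
  # Step 5: bind the built-in read-only ClusterRole "view" to the user.
  kubectl create clusterrolebinding "$RO_USER-view" --clusterrole=view --user="$RO_USER"
  # Step 6a: API server address and CA from the admin kubeconfig in use.
  server=$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.server}')
  kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d > ca.crt
  # Step 6b: write the new file with CA, certificate and key embedded.
  kubectl config set-cluster vks --server="$server" --certificate-authority=ca.crt --embed-certs=true --kubeconfig="$OUT"
  kubectl config set-credentials "$RO_USER" --client-certificate="$RO_USER.crt" --client-key="$RO_USER.key" --embed-certs=true --kubeconfig="$OUT"
  kubectl config set-context "$RO_USER" --cluster=vks --user="$RO_USER" --kubeconfig="$OUT"
  kubectl config use-context "$RO_USER" --kubeconfig="$OUT"
  # Step 7: delete temporary files, including the private key.
  rm -f "$RO_USER.key" "$RO_USER.csr" "$RO_USER.crt" csr.yaml ca.crt
  # Step 8: a read should be allowed and a write denied.
  kubectl --kubeconfig="$OUT" auth can-i list pods
  kubectl --kubeconfig="$OUT" auth can-i delete pods || true
}
if [ "${1:-}" = "run" ]; then create_readonly_kubeconfig; fi
```

The built-in view ClusterRole does not grant access to Secrets, so this user cannot read them.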
Revoking Access
Delete ClusterRoleBinding (required)
After the ClusterRoleBinding is deleted, the user immediately loses access, even if the certificate is still valid.
Delete CSR (optional, cleanup)
The CSR is only an object that stores the history of the certificate signing process. Deleting the CSR does not affect the signed certificate; it only avoids leaving residual objects in the cluster.
Important note:
Kubernetes does not have a certificate revocation mechanism. If the user still holds the kubeconfig file, the certificate remains valid until it expires. Deleting the ClusterRoleBinding is the only way to immediately block access.
Recommendation for customers:
Do not delete the ClusterRoleBinding of the cluster unless you are certain you want to permanently revoke access.
If you accidentally delete the ClusterRoleBinding and cannot connect to the cluster, please contact the VKS support team for assistance in creating a new kubeconfig.
Delete ClusterRoleBinding: User loses access immediately? Yes. Purpose: Revoke access. Required? Required.
Delete CSR: User loses access immediately? No. Purpose: Cleanup. Required? Optional.

