⌂ Home

Kubeconfig & Contexts

How kubectl knows which cluster to talk to, which credentials to use, and which namespace to default to — and how you switch between them.

A context is a named triple of cluster + user + namespace. Your kubeconfig file (~/.kube/config) stores one or more contexts, and kubectl config use-context selects the active one. Every subsequent kubectl command targets that combination automatically.

Core Model

What Is a Context?

Cluster

The API server endpoint and CA certificate. Represents where to connect — dev, staging, production, or a local Kind cluster.

User

The credentials to authenticate — a client certificate, bearer token, OIDC token, or exec-based credential plugin. Represents who you are.

Namespace

The default namespace for commands that don't specify --namespace. Represents where within the cluster you operate by default.

Context = Cluster + User + Namespace

A named grouping of all three. Switch contexts to jump between clusters, users, or namespaces in a single command — no file editing needed.

Kubeconfig file

A YAML file (default: ~/.kube/config) that stores all clusters, users, and contexts. You can merge multiple files using the KUBECONFIG environment variable.

current-context

The active context. Every kubectl command uses this unless you override with --context or --kubeconfig flags.

Why it matters: In production environments you manage dev, staging, and prod clusters — often with different users and permissions for each. Contexts let you switch safely without accidentally running commands against the wrong cluster.
File Anatomy

Kubeconfig Structure

apiVersion: v1 kind: Config # ── Clusters: API server endpoints ── clusters: - name: dev-cluster cluster: server: https://dev.k8s.example.com:6443 certificate-authority-data: <base64-ca-cert> - name: prod-cluster cluster: server: https://prod.k8s.example.com:6443 # ── Users: authentication credentials ── users: - name: dev-admin user: client-certificate-data: <base64-cert> client-key-data: <base64-key> - name: prod-readonly user: token: <bearer-token> # ── Contexts: named cluster + user + namespace ── contexts: - name: dev-context context: cluster: dev-cluster user: dev-admin namespace: development - name: prod-context context: cluster: prod-cluster user: prod-readonly namespace: production # ── Active context ── current-context: dev-context
Tip: Run kubectl config view to see your actual kubeconfig (secrets redacted). Use kubectl config view --raw to see raw credentials.
Lifecycle

Context Switching Flow

1

View available contexts

kubectl config get-contexts lists all contexts. The * marks the active one.

2

Switch context

kubectl config use-context prod-context changes the active context. All subsequent commands target that cluster + user + namespace.

3

Verify

kubectl config current-context confirms the switch. kubectl get nodes proves connectivity to the new cluster.

4

Work in the context

Commands default to the context's namespace. kubectl get pods shows pods in production (or whatever namespace is set).

5

Change namespace (optional)

kubectl config set-context --current --namespace=staging changes only the default namespace without switching clusters or users.

Safety tip: Always run kubectl config current-context before executing destructive commands (delete, scale to 0, drain). Accidentally targeting production instead of dev is one of the most common Kubernetes mistakes.
Reference

kubectl config Commands

CommandWhat it does
kubectl config current-contextPrint the name of the active context
kubectl config get-contextsList all contexts with cluster, user, namespace columns
kubectl config use-context <name>Switch to a different context
kubectl config set-context <name> --cluster=... --user=... --namespace=...Create or update a context
kubectl config set-context --current --namespace=<ns>Change default namespace for the current context
kubectl config rename-context <old> <new>Rename a context
kubectl config delete-context <name>Remove a context from kubeconfig
kubectl config viewShow full kubeconfig (secrets redacted)
kubectl config view --minifyShow only the active context's cluster, user, and namespace
kubectl config view --rawShow full kubeconfig with raw secrets
kubectl config get-clustersList all cluster entries
kubectl config get-usersList all user entries
kubectl config set-credentials <name> --token=...Add or update user credentials
kubectl config unset users.<name>Remove a user entry
kubectl config unset clusters.<name>Remove a cluster entry
Pro tip: Use export KUBECONFIG=~/.kube/dev:~/.kube/prod to merge multiple kubeconfig files. All clusters, users, and contexts from both files become available.
Real-World Patterns

Common Scenarios

Multi-environment switching (dev / staging / prod)

Create a context per environment, each pointing to a different cluster and namespace. Switch with a single command or shell alias.

# Create contexts
kubectl config set-context dev --cluster=dev-cluster --user=admin --namespace=dev
kubectl config set-context staging --cluster=staging-cluster --user=admin --namespace=staging
kubectl config set-context prod --cluster=prod-cluster --user=prod-reader --namespace=production

# Switch
kubectl config use-context staging

# Aliases for speed
alias kdev="kubectl config use-context dev"
alias kstg="kubectl config use-context staging"
alias kprod="kubectl config use-context prod"

RBAC testing with a limited user

Create a service account with limited permissions, generate a token, wire it into a new context, and switch to verify what's allowed vs forbidden.

# Get a scoped token
SA_TOKEN=$(kubectl create token test-user -n rbac-test --duration=1h)

# Wire credentials + context
kubectl config set-credentials test-user --token=$SA_TOKEN
kubectl config set-context test-user-ctx \
  --cluster=$(kubectl config view -o jsonpath='{.clusters[0].name}') \
  --user=test-user --namespace=rbac-test

# Switch and test
kubectl config use-context test-user-ctx
kubectl get pods          # allowed
kubectl get deployments   # forbidden
kubectl auth can-i create pods   # no

Namespace-scoped work

Instead of typing --namespace=kube-system every time, set the default namespace on your current context.

# Change default namespace
kubectl config set-context --current --namespace=kube-system

# Now kubectl get pods shows kube-system pods
kubectl get pods

# Reset to default
kubectl config set-context --current --namespace=default

Merging kubeconfig from multiple clusters

When you receive kubeconfig files from different cluster admins, merge them via the KUBECONFIG variable.

# Merge two files
export KUBECONFIG=~/.kube/dev-config:~/.kube/prod-config

# See all merged contexts
kubectl config get-contexts

# Flatten into a single file (optional)
kubectl config view --flatten > ~/.kube/merged-config
Hands-On

Try It Yourself

Exercise 1

Explore your kubeconfig: Run kubectl config get-contexts, kubectl config current-context, and kubectl config view --minify. Identify your cluster, user, and default namespace.

Exercise 2

Create 3 contexts: Create dev, staging, and prod namespaces, then create a context for each pointing to that namespace. Switch between them and verify with kubectl get pods.

Exercise 3

Change default namespace: Set the current context's namespace to kube-system. Run kubectl get pods to see system pods. Reset to default.

Exercise 4

RBAC context test: Create a ServiceAccount with a pod-reader Role. Generate a token, create a context for that user, switch, and test kubectl get pods vs kubectl get deployments.

Exercise 5

Export and merge: Export your current context to a separate file with kubectl config view --minify --flatten > /tmp/ctx.yaml. Set KUBECONFIG to merge both files and verify.

Exercise 6

Cleanup: Rename a context with rename-context, then delete all test contexts and namespaces. Verify with get-contexts.

Lab manual: For complete step-by-step instructions, see Lab 61: Kubeconfig and Context Management. For RBAC-specific context switching with client certificates, see Lab 11: RBAC Security.