Kubernetes Communication: Humans, Pipelines, and the API Server

PostedDecember 26, 2021

UpdatedFebruary 12, 2026

Author -Rajkumar Aute

Think of a Kubernetes cluster as a highly secured, automated data center. You cannot just walk in and start moving servers around. You need a secure way to send instructions. Whether you are a human (Developer/DevOps Engineer) or a machine (CI/CD Pipeline), you never talk to the “cluster” directly. You talk to a specific gatekeeper called the API Server.

To talk to this gatekeeper, you need a tool (like kubectl) and an ID card (your Kubeconfig file) that proves who you are and what you are allowed to do.

Imagine a High-Security Bank:

The Cluster: The Bank Vault where money (Applications) is kept.
The API Server: The Bank Teller. They are the only ones allowed to take your request and talk to the vault.
Kubectl: The English Language (or Interface) you use to speak to the Teller.
Kubeconfig: Your Passbook and ID Card. It tells the Teller which bank branch (Cluster) you are visiting, who you are (User), and your signature (Credentials).
The Pipeline: A Robot that comes to the bank. It doesn’t have a Passbook; it has a special employee badge (Service Account) to do specific automated tasks.
RBAC (Role-Based Access Control): The bank’s rule that says, “You can only withdraw from your account, not the bank’s vault.”

Key Characteristics to Remember

Everything is an API Call: Every time you type kubectl get pods, you are actually sending a strictly formatted HTTPS request (like a website click) to the API Server.
Kubeconfig is Key: Your ~/.kube/config file holds the keys to the kingdom. It connects three things: Clusters (Where), Users (Who), and Contexts (Which pair of Who + Where).
Pipelines use Service Accounts: Humans use User Accounts (often tied to email/LDAP); Pipelines use Service Accounts (tied to the cluster namespace).
Declarative: You tell Kubernetes what you want (e.g., “I want 3 pods”), not just how to do it.
RESTful: All communication happens via HTTP/HTTPS requests (GET, POST, PUT, DELETE).
Secure: Every request is authenticated (Who are you?), authorized (Can you do this?), and admitted (Is this request safe?).

Component	Role in Communication	Simple Definition
kubectl	The Client Tool	The command-line interface (CLI) used to send orders.
kube-apiserver	The Target	The “brain” that receives and processes all requests.
kubeconfig	The Credentials	A file (usually at `~/.kube/config`) storing cluster URL, user, and token/cert.
ServiceAccount	Robot Identity	Identity used by pods and pipelines (Jenkins/GitLab) to talk to K8s.
RBAC	The Rules	Role-Based Access Control defining permissions (Read-only vs Admin).

The Workflow:

The Request: You type kubectl get pods.
Locating Creds: kubectl looks for your kubeconfig file to find the API server URL and your authentication token (or certificate).
Transmission: kubectl sends an HTTPS request to the API Server.
Authentication (AuthN): The API Server checks, “Is this a valid user?” using the token/cert.
Authorization (AuthZ): The API Server checks, “Does this user have permission to ‘get’ ‘pods’?” using RBAC roles.
Admission Control: If you are creating something, the server checks policies (like resource quotas).
Execution: If all green, the API Server queries etcd (the database) and returns the answer to your screen.

The most important tool to master is kubectl. It is the standard way to interact with Kubernetes. You don’t need to memorize every command, but you must understand how to configure it.

Setup: You must install kubectl on your local machine.
- htt ps://kubernetes.io/docs/tasks/tools/
The Config File: The kubeconfig file is vital. It contains three parts:
1. Clusters: Where is it? (URL, Certificate Authority data).
2. Users: Who is connecting? (Client certs, tokens).
3. Contexts: A combination of a specific Cluster + a specific User.
Visual Tools: If the command line is scary initially, you can use GUIs.
- https://k8slens.dev/ – The Kubernetes IDE.
- https://k9scli.io/ – A terminal-based UI (highly recommended for speed).

At an architect level, we move beyond simple kubeconfig files. We focus on Zero Trust and Automated Pipelines.

Identity Providers (OIDC): Instead of static certificates (which are hard to revoke), we integrate Kubernetes with OIDC providers like Google, Okta, or Azure AD. This allows you to log in with your corporate email.
- https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
Pipeline Security:
- CI/CD Integration: Pipelines (Jenkins, GitHub Actions) should never use a human’s kubeconfig. They must use a ServiceAccount with a bound RBAC Role limited strictly to the namespace they deploy to (Principle of Least Privilege).
- Short-lived Tokens: Use the TokenRequest API to generate short-lived tokens for pipelines rather than permanent secrets.
- https://github.com/int128/kubelogin – A kubectl plugin for Kubernetes OpenID Connect authentication.

Common Issues, Problems, and Solutions

Problem	Likely Cause	Solution
“x509: certificate signed by unknown authority”	Missing CA data in kubeconfig.	Ensure `certificate-authority-data` is correct in your config file.
“You must be logged in to the server”	Token expired or missing.	Re-authenticate (e.g., `aws eks get-token` or refresh OIDC login).
“Forbidden: User cannot list resource”	RBAC permission denied.	Check your Role and RoleBinding. Ask admin to grant access.
Connection Refused	Wrong API URL.	Check the `server` IP/URL in `kubectl config view`.

https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig

https://kubernetes.io/docs/reference/access-authn-authz/authorization

The kubeconfig file

Think of kubeconfig as a VPN Client Configuration.

Cluster: The VPN Server IP address.
User: Your username and password/certificate.
Context: The “Connect” button that picks which server and which user credentials to use right now.

Easy Remember Cheat Sheet

Cluster = WHERE: Where is the API Server located? (IP/URL + CA Cert).
User = WHO: Who is connecting? (Client Cert/Key or Token).
Context = WHICH: Which pair of (Cluster + User) should I use right now?
Current-Context = NOW: The active switch setting.

YAML Format: It is always a YAML file.
Multiple Entries: One file can store access to many different clusters.
Security: It often contains sensitive keys or tokens. Never share this file publicly!

Command	Definition	When to use it?
`kubectl config view`	Show Me	When you want to see your config file content.
`kubectl config get-contexts`	List Options	To see all available clusters/users you can switch to.
`kubectl config use-context`	Switch	To change your active cluster (e.g., from Dev to Prod).
`kubectl config set-context`	Edit/Create	To create a new context or change a default namespace.
`kubectl config current-context`	Check Status	To ask “Which cluster am I talking to right now?”

https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#config

Kubeconfig Example

Kubeconfig Configuration


apiVersion: v1
kind: Config
preferences: {}

# ---------------------------------------------------------
# 1. CLUSTERS (The "Address Book")
# Defines WHERE the Kubernetes API servers are located.
# ---------------------------------------------------------
clusters:
- cluster:
    # certificate-authority-data: The public CA cert of the cluster.
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tC... 
    # The endpoint for your EKS API server.
    server: https://10.100.0.1:6443 
  name: production-eks

- cluster:
    insecure-skip-tls-verify: true
    server: https://127.0.0.1:32768
  name: local-minikube

# ---------------------------------------------------------
# 2. USERS (The "Passports")
# Defines WHO is communicating.
# ---------------------------------------------------------
users:
- name: king-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws
      args:
        - "eks"
        - "get-token"
        - "--cluster-name"
        - "EKS cluster"
        - "--region"
        - "us-east-1"
      env:
        - name: AWS_PROFILE
          value: "default"

# ---------------------------------------------------------
# 3. CONTEXTS (The "Itinerary")
# ---------------------------------------------------------
contexts:
- context:
    cluster: production-eks
    user: king-user
    namespace: default
  name: devsecops-prod-context

current-context: devsecops-prod-context

Tech should learn

AWS(Draft)

AWS-Cloud-Tech

AWS-Compute

DevOps Essentials

DevSecOps Essentials(Draft)

Programming

Python

CI/CD

GitHub Actions

Kubernetes (Draft)

The Foundation

Kubernetes Architecture

Kubernetes Setting Up the Lab

Kubernetes Core Workloads

Docker