content/en/docs/reference/kubectl/overview.md
26 additions & 0 deletions
@@ -71,6 +71,32 @@ Flags that you specify from the command line override default values and any cor
71
71
72
72
If you need help, run `kubectl help` from the terminal window.
73
73
74
+
## In-cluster authentication and namespace overrides
75
+
76
+
By default `kubectl` will first determine if it is running within a pod, and thus in a cluster. It starts by checking for the `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` environment variables and the existence of a service account token file at `/var/run/secrets/kubernetes.io/serviceaccount/token`. If all three are found in-cluster authentication is assumed.
77
+
78
+
To maintain backwards compatibility, if the `POD_NAMESPACE` environment variable is set during in-cluster authentication it will override the default namespace from the from the service account token. Any manifests or tools relying on namespace defaulting will be affected by this.
79
+
80
+
**`POD_NAMESPACE` environment variable**
81
+
82
+
If the `POD_NAMESPACE` environment variable is set, cli operations on namespaced resources will default to the variable value. For example, if the variable is set to `seattle`, `kubectl get pods` would return pods in the `seattle` namespace. This is because pods are a namespaced resource, and no namespace was provided in the command. Review the output of `kubectl api-resources` to determine if a resource is namespaced.
83
+
84
+
Explicit use of `--namespace <value>` overrides this behavior.
85
+
86
+
**How kubectl handles ServiceAccount tokens**
87
+
88
+
If:
89
+
* there is Kubernetes service account token file mounted at
90
+
`/var/run/secrets/kubernetes.io/serviceaccount/token`, and
91
+
* the `KUBERNETES_SERVICE_HOST` environment variable is set, and
92
+
* the `KUBERNETES_SERVICE_PORT` environment variable is set, and
93
+
* you don't explicitly specify a namespace on the kubectl command line
94
+
then kubectl assumes it is running in your cluster. The kubectl tool looks up the
95
+
namespace of that ServiceAccount (this is the same as the namespace of the Pod)
96
+
and acts against that namespace. This is different from what happens outside of a
97
+
cluster; when kubectl runs outside a cluster and you don't specify a namespace,
98
+
the kubectl command acts against the `default` namespace.
99
+
74
100
## Operations
75
101
76
102
The following table includes short descriptions and the general syntax for all of the `kubectl` operations:
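Review bot: The bullet list under "How kubectl handles ServiceAccount tokens" makes "you don't explicitly specify a namespace on the kubectl command line" a condition for kubectl assuming it is running in the cluster, while the first paragraph of the new section says in-cluster authentication is assumed as soon as `KUBERNETES_SERVICE_HOST`, `KUBERNETES_SERVICE_PORT` and the token file are all present. These are two separate decisions (how to authenticate, and which namespace to default to), and the text should not merge them. The closing paragraph also says kubectl acts against the ServiceAccount's namespace without mentioning the `POD_NAMESPACE` override described two paragraphs earlier, so the two subsections read as contradicting each other. Suggest keeping only the three detection conditions in the list and stating the namespace precedence once, in one place: `--namespace`, then `POD_NAMESPACE`, then the ServiceAccount namespace. That ordering matters to readers because a set `POD_NAMESPACE` changes the target of every namespaced command that omits `--namespace`. Smaller points: "from the from the service account token" repeats a phrase, "there is Kubernetes service account token file" is missing "a", "If all three are found in-cluster authentication is assumed" needs a comma after "found", and "cli operations" should be "CLI operations".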