ConfigMaps in Kube System

Most of the ConfigMaps (cm) you see in kube-system are not created manually but generated automatically during cluster bootstrapping (via kubeadm, add-ons, or the control plane components themselves). Let's break them down one by one so you can see how they're formed and what files/configs contributed:

📌 Breakdown of ConfigMaps in kube-system

  1. canal-config

    • Created by: Calico/Canal CNI plugin when deployed.
    • Source: The YAML manifest you applied for Canal includes a ConfigMap defining network settings (like CNI conf, Felix, etc.).
    • Example: It usually contains CNI network settings (pod CIDR, backend type, etc.).

  2. coredns

    • Created by: The CoreDNS add-on deployed by kubeadm.
    • Source: From the CoreDNS YAML manifest (/etc/kubernetes/addons/coredns.yaml or downloaded from k8s.gcr.io).
    • Contents: The CoreDNS Corefile, which defines DNS server configuration.

  3. extension-apiserver-authentication

    • Created by: kube-apiserver.
    • Source: kube-apiserver writes it automatically when it starts.
    • Contents: Authentication-related config (client CA, request header settings) used by aggregated API servers (like metrics-server).

  4. kube-apiserver-legacy-service-account-token-tracking

    • Created by: kube-apiserver.
    • Purpose: Helps track usage of legacy service account tokens.
    • Source: Internal kube-apiserver process, not from a manifest.

  5. kube-proxy

    • Created by: kubeadm when deploying the kube-proxy DaemonSet.
    • Source: Generated from kubeadm-config during kubeadm init.
    • Contents: Proxy mode, cluster CIDR, iptables/ipvs config, etc.

  6. kube-root-ca.crt

    • Created by: The Controller Manager.
    • Source: Automatically injected into every namespace so pods can talk to the API server securely.
    • Contents: Cluster root CA certificate.
    • cat /etc/kubernetes/pki/ca.crt

  7. kubeadm-config

    • Created by: kubeadm during kubeadm init.
    • Source: Whatever you passed in your kubeadm init config file (like ClusterConfiguration, InitConfiguration).
    • Contents: Cluster-wide settings (API server, networking, certificates directory, etc.).

  8. kubelet-config

    • Created by: kubeadm.
    • Source: Derived from your kubeadm init configuration.
    • Contents: The Kubelet's configuration (cgroup driver, TLS settings, cluster DNS, etc.).
    • Used by the kubelet-config-x.y ConfigMap, which kubeadm uses for upgrading kubelet configs.
    • cat /var/lib/kubelet/config.yaml

⚙️ So, how are they formed?

  • kubeadm init generates some (kubeadm-config, kubelet-config, kube-proxy).
  • Add-ons you applied (like Canal, CoreDNS) create their own ConfigMaps from YAML manifests.
  • Control plane components (kube-apiserver, controller-manager) create and maintain some automatically (extension-apiserver-authentication, kube-root-ca.crt, etc.).

👉 So yes, you're right: some came from files you (or kubeadm) applied, others are generated dynamically by the control plane.


📌 ConfigMaps in kube-system (CKA Prep)

| ConfigMap | Who Creates It | Source Type | Where Values Come From / File Path | What You Might Need It For in CKA |
|---|---|---|---|---|
| canal-config | Canal (CNI) add-on | Literal YAML (inline) | Part of canal.yaml manifest (downloaded/applied) | Check Pod CIDR, CNI backend configs |
| coredns | CoreDNS add-on | Literal YAML (inline) | From the coredns.yaml addon manifest (applied by kubeadm) | Confirm cluster DNS IP (.spec.dnsPolicy, stubDomains, etc.) |
| extension-apiserver-authentication | kube-apiserver | Files | From /etc/kubernetes/pki/ca.crt, /etc/kubernetes/pki/front-proxy-ca.crt, request-header args | Needed if troubleshooting auth for metrics-server / API aggregation |
| kube-apiserver-legacy-service-account-token-tracking | kube-apiserver | Internal (runtime state) | Generated internally by API server | Rarely needed; can be ignored in CKA |
| kube-proxy | kubeadm | Literal (generated) | Derived from ClusterConfiguration in kubeadm → applied as ConfigMap | Check mode (iptables/ipvs), cluster CIDR, proxy settings |
| kube-root-ca.crt | kube-controller-manager | File | From /etc/kubernetes/pki/ca.crt (cluster CA) | Verify cluster CA being injected into pods; cert troubleshooting |
| kubeadm-config | kubeadm | Literal (or file if you passed one) | If you gave kubeadm a config file → it's stored here. If not → kubeadm's defaults are written here. | Useful to check podSubnet, serviceSubnet, image repo, etc. |
| kubelet-config | kubeadm | Literal (generated) | kubeadm renders kubelet defaults into ConfigMap (kubelet-config-x.y) | Inspect kubelet params: cgroupDriver, cluster DNS, TLS, etc. |

🎯 Exam Angle (CKA)

  • If the question asks you to confirm Pod CIDR / Service CIDR → 🔍 kubectl get cm kubeadm-config -n kube-system -o yaml

  • If you need DNS cluster IP or DNS config → 🔍 kubectl get cm coredns -n kube-system -o yaml

  • If troubleshooting CNI networking → 🔍 kubectl get cm canal-config -n kube-system -o yaml

  • If checking kubelet configuration → 🔍 kubectl get cm kubelet-config -n kube-system -o yaml

  • If dealing with API aggregation / metrics-server errors → 🔍 kubectl get cm extension-apiserver-authentication -n kube-system -o yaml


⚡ So the shortcut for CKA is:

  • Cluster networking values → kubeadm-config, canal-config
  • Cluster DNS values → coredns
  • Kubelet params → kubelet-config
  • Certs/aggregation → extension-apiserver-authentication, kube-root-ca.crt

📌 kube-proxy Config Summary (CKA Prep)

  1. Where does the config come from?

    • kube-proxy uses a ConfigMap in the kube-system namespace called kube-proxy.
    • This ConfigMap has two keys:
      • config.conf → KubeProxyConfiguration (mode: iptables/ipvs, clusterCIDR, etc.)
      • kubeconfig.conf → kubeconfig for talking to the API server.

  2. Are these real files on the host?

    • ❌ No.
    • On the host node, /var/lib/kube-proxy/ does not exist.
    • These keys are mounted as virtual files only inside the kube-proxy Pod container.

  3. Where do they appear?

    • Inside each kube-proxy Pod at:

        /var/lib/kube-proxy/config.conf
        /var/lib/kube-proxy/kubeconfig.conf

    • Mounted by the DaemonSet from the kube-proxy ConfigMap.
    • That's why the container's --config flag points to /var/lib/kube-proxy/config.conf.

  4. How to inspect them?

    • From the cluster (fastest):

        kubectl -n kube-system get cm kube-proxy -o yaml

    • From inside a Pod (runtime view):

        kubectl -n kube-system exec -it <kube-proxy-pod> -- cat /var/lib/kube-proxy/config.conf

  5. CKA exam angle:

    • If asked about proxy mode, clusterCIDR, or how kube-proxy connects to the API server → check the kube-proxy ConfigMap.
    • Don't waste time searching /etc/kubernetes/ or /var/lib/ on the host; these files only live in the kube-proxy Pod.

✅ Final takeaway: config.conf and kubeconfig.conf are not host files. They are keys in the kube-proxy ConfigMap, which Kubernetes mounts into the kube-proxy Pods at /var/lib/kube-proxy/. To check them in the exam, read the ConfigMap (kubectl get cm) or exec into a kube-proxy Pod, not on the host.
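
Added example, not part of the original notes: shell functions that read the proxy mode, clusterCIDR and API server URL out of the two kube-proxy ConfigMap keys described above, and report whether kubeconfig.conf embeds a credential or only references the Pod's mounted service account token. The function names and the sample key contents are constructed for illustration; on a live cluster the input comes from the kubectl jsonpath commands shown in the comments.

```shell
#!/bin/sh
# Added example (not from the original page). Live-cluster usage:
#   kubectl -n kube-system get cm kube-proxy -o jsonpath='{.data.config\.conf}' | proxy_mode
#   kubectl -n kube-system get cm kube-proxy -o jsonpath='{.data.kubeconfig\.conf}' | kubeconfig_cred_type

# Print a top-level scalar from YAML on stdin, surrounding quotes stripped.
top_level_value() {
  awk -v k="$1" 'index($0, k ":") == 1 {
    v = substr($0, length(k) + 2)
    gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/^"|"$/, "", v)
    print v; exit }'
}

# Proxy mode; an empty mode (as in the sample) means kube-proxy uses its default proxier.
proxy_mode() { m=$(top_level_value mode); echo "${m:-default}"; }

# API server URL that kube-proxy connects to (first "server:" entry).
api_server() { awk '$1 == "server:" { print $2; exit }'; }

# ConfigMaps are not Secrets: report whether the kubeconfig embeds a credential
# or only points at the Pod's mounted service account token.
kubeconfig_cred_type() {
  cfg=$(cat)
  if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*(token|client-key-data|password):'; then
    echo embedded
  elif printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*tokenFile:'; then
    echo tokenFile
  else
    echo none
  fi
}

# Constructed sample values for the two keys (not taken from a real cluster).
SAMPLE_CONFIG_CONF='apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
clusterCIDR: 10.244.0.0/16
mode: ""
clientConnection:
  kubeconfig: /var/lib/kube-proxy/kubeconfig.conf'
SAMPLE_KUBECONFIG_CONF='clusters:
- cluster:
    certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    server: https://192.0.2.10:6443
users:
- user:
    tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token'

printf '%s\n' "$SAMPLE_CONFIG_CONF" | proxy_mode
printf '%s\n' "$SAMPLE_CONFIG_CONF" | top_level_value clusterCIDR
printf '%s\n' "$SAMPLE_KUBECONFIG_CONF" | api_server
printf '%s\n' "$SAMPLE_KUBECONFIG_CONF" | kubeconfig_cred_type
```

An "embedded" result means anyone who can read ConfigMaps in kube-system can read that credential, which is why it is worth checking.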