Toolery

Kubeconfig Manager

Manage Kubernetes kubeconfig files securely in your browser

Privacy Notice: All processing happens in your browser. Your kubeconfig never leaves your device.

Drop kubeconfig file(s) here or click to upload

Accepts .yaml, .yml, .conf, .config or any text file. Drop multiple to auto-merge.

OR paste your kubeconfig

How to Use

  1. Drop or paste a kubeconfig YAML — parsing runs in your browser
  2. Review contexts, switch current-context, or delete unused ones
  3. Add another file to merge; conflicts get auto-renamed
  4. Run Cleanup to drop orphan clusters/users; export the result

Kubeconfig FAQ

What actually happens when I "merge" two kubeconfigs?

The official way is KUBECONFIG=~/.kube/config:other.yaml kubectl config view --flatten. kubectl concatenates the lists under clusters, users, and contexts, and — critically — the first occurrence of any name wins. If both files define a context called prod, only one survives. This tool renames duplicates instead of silently dropping them.

Can I have multiple clusters with the same context name?

No. Context names are the lookup key — they must be unique. What you can do is point multiple contexts at the same cluster entry with different users or namespaces, e.g. prod-read and prod-admin sharing one cluster.

Why is my kubeconfig getting huge?

Two usual suspects. First, certificate-authority-data is a base64-encoded CA cert — typically around 1.5–2 KB per cluster. Twenty EKS clusters is 40 KB just in CA data. Second, tools like gcloud and aws eks update-kubeconfig happily re-append entries even when they already exist. Running Cleanup once a quarter keeps the file readable.

Do embedded client certificates expire?

Yes — that's why the "unable to connect: x509: certificate has expired" error is so common. EKS's default cluster CA is valid 10 years but the user tokens from aws eks get-token live only 15 minutes, which is why the exec plugin has to run each call. GKE's gcloud auth tokens are similar. Static client-cert auth (the old way) is typically 1 year — rotate before, not after.

Is it safe to commit this file to git?

Not with client-certificate-data, client-key-data, or static bearer tokens in it — treat those like passwords. Exec-based auth (aws, gcloud, az) is safe to commit because the actual credential lives elsewhere — the kubeconfig just says "run this command to get a token."

What does "orphan cluster/user" mean?

An entry under clusters: or users: that no context references. These usually pile up after a kubectl config delete-context — the command removes the context but leaves the backing cluster/user in place. The Cleanup tab lists them so you can drop them in one go.