When we use the kubectl command, it internally sends a request to Kube ApiServer which validates the request and persists the change in the etcd store for the controller to get invoked and take the right action.

The Kube ApiServer uses certificates configured in the KubeConfig to authenticate the user. Once the user’s identity has been verified, Role Based Access Control (RBAC) is used to determine whether or not the user has access to perform the requested action. Finally, the request goes to Admission Controllers for validation.