When we use the
kubectl command, it internally sends a request to Kube ApiServer which validates the request and persists the change in the etcd store for the controller to get invoked and take the right action.The Kube ApiServer uses certificates configured in the 
KubeConfig to authenticate the user. Once the user’s identity has been verified, RBAC is used to determine whether or not the user has access to perform the requested action. Finally, the request goes to Admission Controllers for validation.