kubectl connects directly to the kube-apiserver, which is the front door to your Kubernetes cluster. The kube-apiserver exposes the Kubernetes API that all components and users interact with, including:

When you run a command like kubectl get pods, your kubectl client authenticates with the kube-apiserver, which then validates your request, retrieves the data from etcd, and returns the results.

The apiserver is the only component that directly communicates with the etcd datastore, acting as a gatekeeper to ensure all operations are properly authenticated, authorized, and validated before making any changes to the cluster state.

This centralized API design is intentional - it ensures all changes to cluster state go through a single, well-defined interface with consistent authentication, authorization, and validation.
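
The request path described above, as an added Python example (not code from the original page or from Kubernetes): a simplified model of how the apiserver gates kubectl get pods, returning 401, 403 or 200. The token table, the in-memory ETCD dict, the users and all function names are constructed for illustration; only the Role/RoleBinding field names follow real RBAC manifests.

```python
"""Simplified model of the kube-apiserver request path for `kubectl get pods`."""

# Constructed sample data. TOKENS stands in for a real authenticator
# (client certs, OIDC, service account tokens); ETCD stands in for the datastore.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ETCD = {("dev", "pods"): ["web-1", "web-2"], ("prod", "pods"): ["api-1"]}

# RBAC objects in the shape of real Role / RoleBinding manifests (trimmed).
ROLES = [{
    "metadata": {"name": "pod-reader", "namespace": "dev"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}]
BINDINGS = [{
    "metadata": {"namespace": "dev"},
    "subjects": [{"kind": "User", "name": "alice"}],
    "roleRef": {"kind": "Role", "name": "pod-reader"},
}]

def _matches(allowed, value):
    return "*" in allowed or value in allowed

def authorize(user, verb, group, resource, namespace):
    """RBAC is additive and deny-by-default: allow only if some bound rule matches."""
    for b in BINDINGS:
        if b["metadata"]["namespace"] != namespace:
            continue
        if not any(s["kind"] == "User" and s["name"] == user for s in b["subjects"]):
            continue
        for role in ROLES:
            meta = role["metadata"]
            if meta["name"] != b["roleRef"]["name"] or meta["namespace"] != namespace:
                continue
            for r in role["rules"]:
                if (_matches(r["apiGroups"], group) and _matches(r["resources"], resource)
                        and _matches(r["verbs"], verb)):
                    return True
    return False

def handle_list_pods(token, namespace):
    """GET /api/v1/namespaces/<ns>/pods: authenticate, authorize, then read storage."""
    user = TOKENS.get(token)
    if user is None:
        return 401, None            # authentication failed
    if not authorize(user, "list", "", "pods", namespace):
        return 403, None            # authenticated but not permitted
    return 200, ETCD.get((namespace, "pods"), [])
```

The storage read happens only after both checks pass, so a Role scoped to one namespace never exposes data from another.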