CLI Access
Use CLI Access when you want to work with a managed cluster through kubectl, Helm,
or automation instead of the console.
Each cluster exposes two kubeconfig options from the cluster’s CLI Access dialog:
- OIDC kubeconfig for engineers working interactively
- Token kubeconfig for automation, CI, and scripts
OIDC kubeconfig
Section titled “OIDC kubeconfig”This is the recommended option for humans.
Use it when you want:
- interactive
kubectlaccess - browser-based sign-in through SSO
- short-lived credentials instead of stored long-lived tokens
What to expect
Section titled “What to expect”- Requires
kubelogininstalled locally - Opens your browser for sign-in when needed
- Uses an 8-hour access token
Quick start
Section titled “Quick start”- Install
kubelogin. - Open your cluster in the console.
- Open
CLI Access. - Download the OIDC kubeconfig.
- Run:
kubectl --kubeconfig ./<cluster>-oidc.kubeconfig get nsThis is the best default for day-to-day engineering work.
Token kubeconfig
Section titled “Token kubeconfig”This is the recommended option for non-interactive systems.
Use it when you want:
- CI/CD access
- scripts and scheduled jobs
- environments where browser sign-in is not practical
What to expect
Section titled “What to expect”- No browser interaction
- Expiry is chosen when you generate the kubeconfig
- Supported lifetimes go up to 365 days
Available durations:
- 8 hours
- 24 hours
- 7 days
- 30 days
- 90 days
- 365 days
Quick start
Section titled “Quick start”- Open
CLI Accessfor the cluster in the console. - Download a token kubeconfig and choose the shortest useful expiry.
- Run:
kubectl --kubeconfig ./<cluster>-token.kubeconfig get pods -AWhich one should you use?
Section titled “Which one should you use?”| Use case | Recommended option |
|---|---|
| Local development and troubleshooting | OIDC kubeconfig |
Regular kubectl and Helm use by engineers | OIDC kubeconfig |
| CI pipelines and GitHub Actions | Token kubeconfig |
| Scheduled jobs and service automation | Token kubeconfig |
If a person is using the cluster directly, choose OIDC. If a system is using the cluster, choose a token.
Security guidance
Section titled “Security guidance”- Prefer the shortest practical token lifetime for automation.
- Rotate long-lived automation kubeconfigs regularly.
- Store kubeconfigs in a secret manager, not in source control.
- Treat downloaded kubeconfigs like credentials, because they are.