CLI Access
You can access clusters from CLI using one of two kubeconfig options from the cluster’s CLI Access dialog in the console.
Option 1: OIDC kubeconfig (recommended for humans)
Section titled “Option 1: OIDC kubeconfig (recommended for humans)”- Best for interactive
kubectluse. - Requires
kubelogininstalled locally. - OIDC session currently lasts 24 hours.
Quick steps
Section titled “Quick steps”- Install
kubelogin. - Download the OIDC kubeconfig from the console.
- Run:
kubectl --kubeconfig ./<cluster>-oidc.kubeconfig get nsOption 2: Token kubeconfig (recommended for automation)
Section titled “Option 2: Token kubeconfig (recommended for automation)”- Best for CI jobs, scripts, and non-interactive tasks.
- You can choose token expiry at generation time.
- Supported expiry options go up to 365 days.
Available durations:
- 8 hours
- 24 hours
- 7 days
- 30 days
- 90 days
- 365 days
Quick steps
Section titled “Quick steps”- Download a token kubeconfig from the console and choose expiry.
- Use it in automation:
kubectl --kubeconfig ./<cluster>-token.kubeconfig get pods -AWhich one should I use?
Section titled “Which one should I use?”- Use OIDC kubeconfig for engineers working from terminal.
- Use token kubeconfig for automation where browser sign-in is not possible.
Security guidance
Section titled “Security guidance”- Prefer shortest practical token lifetime for automation.
- Rotate long-lived tokens regularly.
- Store kubeconfigs in secret managers, not source control.