Cluster Access
Connect kubectl, Helm, and other Kubernetes tools to a Kupe cluster.
Every cluster offers two kubeconfig flavours, downloadable from the cluster’s Cluster Access dialog in the console. Pick the one that matches who’s using it.
For humans — OIDC kubeconfig
Section titled “For humans — OIDC kubeconfig”The recommended option for engineers working interactively.
Sign in with the same SSO credentials you use for the console. The kubeconfig holds
no long-lived secrets — it triggers a browser sign-in when you first run kubectl,
and the resulting access token is valid for 8 hours before another sign-in is
needed.
Setup
-
Install
kubelogin— it’s the small helper that brokers the browser sign-in forkubectl. -
In the console, open your cluster → Cluster Access → Download OIDC kubeconfig.
-
Use it:
Terminal window kubectl --kubeconfig ./<cluster>-oidc.kubeconfig get ns
The first command opens your browser; subsequent commands reuse the cached token until it expires.
For automation — token kubeconfig
Section titled “For automation — token kubeconfig”The right option for CI pipelines, GitHub Actions, scheduled jobs, and anything that can’t open a browser.
The token is embedded in the kubeconfig and you choose the lifetime when you generate it. Available lifetimes: 8 hours, 24 hours, 7 days, 30 days, 90 days, 365 days. Shorter is safer.
Setup
-
In the console, open your cluster → Cluster Access → Download token kubeconfig, picking the shortest lifetime that fits your workflow.
-
Use it:
Terminal window kubectl --kubeconfig ./<cluster>-token.kubeconfig get pods -A
No additional tooling required — kubectl consumes the embedded token directly.
Which one?
Section titled “Which one?”| Who’s using it | Recommended |
|---|---|
| You, at your laptop | OIDC kubeconfig |
| A teammate, also at a laptop | OIDC kubeconfig |
| GitHub Actions / CI | Token kubeconfig |
| Cron job, daemon, K8s job | Token kubeconfig |
Person → OIDC. Machine → token.
Keeping it safe
Section titled “Keeping it safe”- A kubeconfig is a credential. Treat it like a password.
- Don’t commit kubeconfigs to git. Use a secret manager for CI.
- Pick the shortest token lifetime that gets the job done; rotate the long ones.
- If a kubeconfig leaks, revoke the corresponding API key (for token kubeconfigs) or sign the user out (for OIDC kubeconfigs) from the console.
Related
Section titled “Related”- Overview
- Core Concepts
- Kupe CLI — the
kupebinary for managing clusters via the Kupe API (separate fromkubectl)