Skip to content

Cluster Access

Connect kubectl, Helm, and other Kubernetes tools to a Kupe cluster.

Every cluster offers two kubeconfig flavours, downloadable from the cluster’s Cluster Access dialog in the console. Pick the one that matches who’s using it.

The recommended option for engineers working interactively.

Sign in with the same SSO credentials you use for the console. The kubeconfig holds no long-lived secrets — it triggers a browser sign-in when you first run kubectl, and the resulting access token is valid for 8 hours before another sign-in is needed.

Setup

  1. Install kubelogin — it’s the small helper that brokers the browser sign-in for kubectl.

  2. In the console, open your cluster → Cluster AccessDownload OIDC kubeconfig.

  3. Use it:

    Terminal window
    kubectl --kubeconfig ./<cluster>-oidc.kubeconfig get ns

The first command opens your browser; subsequent commands reuse the cached token until it expires.

The right option for CI pipelines, GitHub Actions, scheduled jobs, and anything that can’t open a browser.

The token is embedded in the kubeconfig and you choose the lifetime when you generate it. Available lifetimes: 8 hours, 24 hours, 7 days, 30 days, 90 days, 365 days. Shorter is safer.

Setup

  1. In the console, open your cluster → Cluster AccessDownload token kubeconfig, picking the shortest lifetime that fits your workflow.

  2. Use it:

    Terminal window
    kubectl --kubeconfig ./<cluster>-token.kubeconfig get pods -A

No additional tooling required — kubectl consumes the embedded token directly.

Who’s using itRecommended
You, at your laptopOIDC kubeconfig
A teammate, also at a laptopOIDC kubeconfig
GitHub Actions / CIToken kubeconfig
Cron job, daemon, K8s jobToken kubeconfig

Person → OIDC. Machine → token.

  • A kubeconfig is a credential. Treat it like a password.
  • Don’t commit kubeconfigs to git. Use a secret manager for CI.
  • Pick the shortest token lifetime that gets the job done; rotate the long ones.
  • If a kubeconfig leaks, revoke the corresponding API key (for token kubeconfigs) or sign the user out (for OIDC kubeconfigs) from the console.