Use cases

Request common Kubernetes access patterns with P0

Invoking the Slack request modal

For any Kubernetes access request use case on this page you can invoke the Slack request modal with these steps:

  1. Open the P0 Slack request modal by typing /p0 request k8s in any Slack channel. Also see Creating a request.

  2. Select "Kubernetes resource" as "Access type"

  3. Select a "Cluster"

1. Admin access to all Kubernetes resources

Using the Slack request modal

  1. Do not change "Resource" - by default your access will apply to all resources of the selected role below.

  2. Type "admin" in the "Role" box and select "admin"

  3. Enter the reason for your access request

  4. Click "Request"

Using the Slack slash command

Alternatively, you can specify the entire request in a single Slack slash command.

```
/p0 request k8s resource --cluster {cluster ID} --role "ClusterRole / {role}" --reason {reason}
```

A concrete example:

```
/p0 request k8s resource --cluster EKS-demo-cluster --role "ClusterRole / admin" --reason "Check cluster health"
```

2. Port-forwarding to a pod

Port-forwarding with `kubectl port-forward` is a common operation that requires elevated access. Instead of requesting the general "edit" or "admin" role, you can use P0's curated role, "port-forward", which contains the following rules:

```
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/portforward"]
  verbs: ["get", "create"]
```

Using the Slack request modal

  1. Enter a search term for your pod in the "Resource" field, or simply type "pod" to see all pods

  2. Enter a search term for "port-forward" in the "Role" box and select "CuratedRole / port-forward"

  3. Enter the reason for your access request

  4. Click "Request"

Using the Slack slash command

Alternatively, you can specify the entire request in a single Slack slash command.

```
/p0 request k8s resource --cluster {cluster ID} --locator {locator} --role "CuratedRole / {role}" --reason {reason}
```

A concrete example that allows port-forwarding to one nginx pod in the default namespace:

```
/p0 request k8s resource --cluster EKS-demo-cluster --locator "Pod / default / nginx-deployment-cbdccf466-k9f89" --role "CuratedRole / port-forward" --reason "Debug API"
```

3. Shell access to a pod

Shell access to a running container with `kubectl exec` is an operation that requires elevated access. Instead of requesting the general "edit" or "admin" role, you can use P0's curated role, "exec", which contains the following rules:

```
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
```
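
As an added example (not P0's or Kubernetes' own code), the following Python evaluates the two curated rule sets shown above with a simplified RBAC matcher, to confirm what each role does and does not grant. The function names and the list of audited requests are assumptions made for illustration; namespace and per-pod locator scoping are not modeled.

```python
# Added example: simplified Kubernetes RBAC rule matching.
# The two rule sets are copied from the curated roles on this page.
PORT_FORWARD = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/portforward"], "verbs": ["get", "create"]},
]
EXEC = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]

def _matches(allowed, value):
    # "*" in a rule field matches any value.
    return "*" in allowed or value in allowed

def _resource_matches(allowed, resource):
    # Exact match ("pods/exec"), full wildcard ("*"), or "*/<subresource>".
    if _matches(allowed, resource):
        return True
    if "/" in resource:
        return "*/" + resource.split("/", 1)[1] in allowed
    return False

def allows(rules, verb, resource, api_group=""):
    """Return True if any rule grants `verb` on `resource` in `api_group`."""
    return any(
        _matches(rule["apiGroups"], api_group)
        and _matches(rule["verbs"], verb)
        and _resource_matches(rule["resources"], resource)
        for rule in rules
    )

# Constructed list of requests to audit against each role (hypothetical).
CHECKS = [
    ("get", "pods"), ("create", "pods/portforward"), ("create", "pods/exec"),
    ("get", "pods/log"), ("delete", "pods"), ("get", "secrets"),
]

def audit(rules):
    """Map each audited request to whether the rule set permits it."""
    return {f"{verb} {res}": allows(rules, verb, res) for verb, res in CHECKS}

if __name__ == "__main__":
    for name, rules in (("port-forward", PORT_FORWARD), ("exec", EXEC)):
        print(name)
        for request, ok in audit(rules).items():
            print(f"  {'allow' if ok else 'deny ':5}  {request}")
```

Each role grants its own subresource and read access to pods, and nothing else in the audited list: no deleting pods, no reading secrets or logs, and no crossing from port-forward to exec or back.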

Using the Slack request modal

  1. Enter a search term for your pod in the "Resource" field, or simply type "pod" to see all pods

  2. Enter a search term for "exec" in the "Role" box and select "CuratedRole / exec"

  3. Enter the reason for your access request

  4. Click "Request"

Using the Slack slash command

Alternatively, you can specify the entire request in a single Slack slash command.

```
/p0 request k8s resource --cluster {cluster ID} --locator {locator} --role "CuratedRole / {role}" --reason {reason}
```

A concrete example that allows shell access with `kubectl exec` to one nginx pod in the default namespace:

```
/p0 request k8s resource --cluster EKS-demo-cluster --locator "Pod / default / nginx-deployment-cbdccf466-k9f89" --role "CuratedRole / exec" --reason "Debug environment variables"
```
