P0 App Documentation

Advanced Requests

How to request common Kubernetes access patterns with P0


Last updated 3 months ago

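This topic describes how to perform advanced Kubernetes cluster access requests using P0’s Slack bot. It contains the following sections:

  • Prerequisites

  • Request Admin Access to all Kubernetes Resources

  • Request Elevated Access for Port-Forwarding to a pod

  • Request Elevated Access for a Shell to a Running Container

Each section shows how to make a request using both the request modal and direct Slack commands.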

Prerequisites

Before continuing, ensure you’re familiar with basic Kubernetes access requests. See Requesting Access for more information.

Request Admin Access to all Kubernetes Resources

The steps below show how to request admin access to all Kubernetes resources:

Use the Request Modal

  1. Send /p0 request as a Slack message in any direct message (DM) or Slack channel.

  2. Configure the request modal fields and click Request:

    • Resource: Select Kubernetes

    • Access type: Select Kubernetes resource

    • Cluster: Select your Kubernetes cluster name

    • Resource: Leave as the default (All Kinds / All namespaces / All resources)

    • Role: Enter admin to display available roles and select ClusterRole / admin from the dropdown

    • Reason: Enter the reason for your access request

  3. Wait for the approver to approve your request.

Use the Command

Alternatively, specify the entire request via a command with the following arguments:

```
/p0 request k8s resource --cluster {cluster ID} --role "ClusterRole / {role}" --reason {reason}
```

For example:

```
/p0 request k8s resource --cluster EKS-demo-cluster --role "ClusterRole / admin" --reason "Check cluster health"
```

Request Elevated Access for Port-Forwarding to a pod

Port-forwarding with kubectl port-forward is a common operation that requires elevated access. Instead of requesting a general edit or admin role, you can use P0's curated port-forward role, which contains the following rules:

```
# Read-only access to pods
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
# Open a port-forward session to a pod
- apiGroups: [""]
  resources: ["pods/portforward"]
  verbs: ["get", "create"]
```

Use the Request Modal

  1. Send /p0 request as a Slack message in any DM or Slack channel.

  2. Configure the request modal fields and click Request:

    • Resource: Select Kubernetes

    • Access Type: Select Kubernetes resource

    • Cluster: Select your Kubernetes cluster name

    • Resource: Enter pod to display the available pod resources, and select the pod you want to port forward from the dropdown

    • Role: Enter port and select CuratedRole / port-forward from the dropdown

    • Reason: Enter the reason for your access request

  3. Wait for the approver to approve your request.

Use the Command

Alternatively, specify the entire request via a command with the following arguments:

```
/p0 request k8s resource --cluster {cluster ID} --locator {locator} --role "CuratedRole / {role}" --reason {reason}
```

The following example allows port-forwarding to one nginx pod in the default namespace:

```
/p0 request k8s resource --cluster EKS-demo-cluster --locator "Pod / default / nginx-deployment-cbdccf466-k9f89" --role "CuratedRole / port-forward" --reason "Debug API"
```

Request Elevated Access for a Shell to a Running Container

Shell access to a running container with kubectl exec is an operation that requires elevated access. Instead of requesting a general edit or admin role, you can use P0's curated exec role, which contains the following rules:

```
# Read-only access to pods
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
# Start an exec session in a pod's container
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
```

Use the Request Modal

  1. Send /p0 request as a Slack message in any DM or Slack channel.

  2. Configure the request modal fields and click Request:

    • Resource: Select Kubernetes

    • Access Type: Select Kubernetes resource

    • Cluster: Select your Kubernetes cluster name

    • Resource: Enter pod to display the available pod resources, and select the pod you want to access from the dropdown

    • Role: Enter exe and select CuratedRole / exec from the dropdown

    • Reason: Enter the reason for your access request

  3. Wait for the approver to approve your request.

Use the Command

Alternatively, specify the entire request via a command with the following arguments:

```
/p0 request k8s resource --cluster {cluster ID} --locator {locator} --role "CuratedRole / {role}" --reason {reason}
```

The following example requests elevated access for one nginx pod in the default namespace:

```
/p0 request k8s resource --cluster EKS-demo-cluster --locator "Pod / default / nginx-deployment-cbdccf466-k9f89" --role "CuratedRole / exec" --reason "Debug environment variables"
```
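To see what the curated port-forward and exec rules on this page do and do not permit, the following added example (not P0's code) evaluates them offline with Kubernetes RBAC rule-matching semantics against a few constructed requests. `BROAD_RULES` is a constructed wildcard grant used only for contrast, not the contents of any real ClusterRole, and the check covers rule matching only, not namespace or pod-name scoping.

```python
"""Offline check of what the curated rules on this page allow (added example)."""

# Rules copied from the curated role listings on this page.
PORT_FORWARD_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/portforward"], "verbs": ["get", "create"]},
]
EXEC_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]
# Constructed wildcard grant for contrast; an assumption, not a real ClusterRole.
BROAD_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

def rule_allows(rule, verb, group, resource, subresource=""):
    """Apply RBAC matching: verb, API group, then resource[/subresource]."""
    if "*" not in rule["verbs"] and verb not in rule["verbs"]:
        return False
    if "*" not in rule["apiGroups"] and group not in rule["apiGroups"]:
        return False
    full = f"{resource}/{subresource}" if subresource else resource
    for entry in rule["resources"]:
        # A bare "pods" entry does NOT cover "pods/exec"; subresources must
        # be listed explicitly (or matched by "*" / "*/<subresource>").
        if entry in ("*", full) or (subresource and entry == f"*/{subresource}"):
            return True
    return False

def allowed(rules, verb, resource, subresource="", group=""):
    return any(rule_allows(r, verb, group, resource, subresource) for r in rules)

# Constructed requests a debugging session might issue.
CHECKS = [("get", "pods", ""), ("create", "pods", "portforward"),
          ("create", "pods", "exec"), ("delete", "pods", ""),
          ("get", "secrets", "")]

def matrix(rules):
    """Map (verb, resource) to the allow/deny decision for each check."""
    return {(v, f"{r}/{s}" if s else r): allowed(rules, v, r, s)
            for v, r, s in CHECKS}

if __name__ == "__main__":
    for name, rules in [("port-forward", PORT_FORWARD_RULES),
                        ("exec", EXEC_RULES), ("wildcard", BROAD_RULES)]:
        print(name)
        for (verb, res), ok in matrix(rules).items():
            print(f"  {verb:7} {res:18} {'allow' if ok else 'deny'}")
```

On a live cluster, `kubectl auth can-i` answers the same questions for the identity that was actually granted the role.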
