Advanced Requests
How to request common Kubernetes access patterns with P0
This topic describes how to perform advanced Kubernetes cluster access requests using P0’s Slack bot. It contains the following sections:
Prerequisites
Before continuing, ensure you’re familiar with basic Kubernetes access requests. See Requesting Access for more information.
Request Admin Access to all Kubernetes Resources
The steps below show how to request admin access to all Kubernetes resources:
Use the Request Modal
Send `/p0 request` as a Slack message in any direct message (DM) or Slack channel.
Configure the request modal fields and click Request:
Resource: Select Kubernetes
Access type: Select Kubernetes resource
Cluster: Select your Kubernetes cluster name
Resource: Leave as the default (All Kinds / All namespaces / All resources)
Role: Enter `admin` to display available roles and select ClusterRole / admin from the dropdown
Reason: Enter the reason for your access request
Wait for the approver to approve your request.
Use the Command
Alternatively, specify the entire request via a command with the following arguments:
/p0 request k8s resource --cluster {cluster ID} --role "ClusterRole / {role}" --reason {reason}
For example:
/p0 request k8s resource --cluster EKS-demo-cluster --role "ClusterRole / admin" --reason "Check cluster health"
Request Elevated Access for Port-Forwarding to a pod
Port-forwarding with `kubectl port-forward` is a common operation that requires elevated access. Instead of requesting a general `edit` or `admin` role, you can use P0's curated `port-forward` role, which contains the following rules:
```
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/portforward"]
  verbs: ["get", "create"]
```
Use the Request Modal
Send `/p0 request` as a Slack message in any DM or Slack channel.
Configure the request modal fields and click Request:
Resource: Select Kubernetes
Access Type: Select Kubernetes resource
Cluster: Select your Kubernetes cluster name
Resource: Enter pod to display the available pod resources, and select the pod you want to port forward from the dropdown
Role: Enter port and select CuratedRole / port-forward from the dropdown
Reason: Enter the reason for your access request
Wait for the approver to approve your request.
Use the Command
Alternatively, specify the entire request via a command with the following arguments:
/p0 request k8s resource --cluster {cluster ID} --locator {locator} --role "CuratedRole / {role}" --reason {reason}
The following example allows port-forwarding to one nginx pod in the default namespace:
/p0 request k8s resource --cluster EKS-demo-cluster --locator "Pod / default / nginx-deployment-cbdccf466-k9f89" --role "CuratedRole / port-forward" --reason "Debug API"
Request Elevated Access for a Shell to a Running Container
Shell access to a running container with `kubectl exec` is an operation that requires elevated access. Instead of requesting a general `edit` or `admin` role, you can use P0's curated `exec` role, which contains the following rules:
```
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
```
Use the Request Modal
Send `/p0 request` as a Slack message in any DM or Slack channel.
Configure the request modal fields and click Request:
Resource: Select Kubernetes
Access Type: Select Kubernetes resource
Cluster: Select your Kubernetes cluster name
Resource: Enter `pod` to display the available pod resources, and select the pod you want to access from the dropdown
Role: Enter exe and select CuratedRole / exec from the dropdown
Reason: Enter the reason for your access request
Wait for the approver to approve your request.
Use the Command
Alternatively, specify the entire request via a command with the following arguments:
/p0 request k8s resource --cluster {cluster ID} --locator {locator} --role "CuratedRole / {role}" --reason {reason}
The following example requests elevated access for one nginx pod in the `default` namespace:
/p0 request k8s resource --cluster EKS-demo-cluster --locator "Pod / default / nginx-deployment-cbdccf466-k9f89" --role "CuratedRole / exec" --reason "Debug environment variables"
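To see what the curated `port-forward` and `exec` rule sets shown above leave out compared with a broad `edit` or `admin` grant, the following added example (not P0's or Kubernetes' own code) evaluates them with a simplified RBAC rule matcher. The matcher ignores `resourceNames` and non-resource URLs, and the `CHECKS` list is a constructed set of probe operations.

```python
# Added example: a simplified Kubernetes RBAC rule matcher (not P0's code).
# Rules are transcribed from the two curated roles shown on this page.
PORT_FORWARD = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/portforward"], "verbs": ["get", "create"]},
]
EXEC = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]


def _matches(allowed, value):
    """True if value is listed or the list carries the '*' wildcard."""
    return "*" in allowed or value in allowed


def allows(rules, verb, resource, api_group=""):
    """Return True if any rule grants verb on resource (e.g. 'pods/exec')."""
    for rule in rules:
        if not _matches(rule["apiGroups"], api_group):
            continue
        if not _matches(rule["verbs"], verb):
            continue
        res = rule["resources"]
        # RBAC also accepts '*/<subresource>' to match a subresource of any resource.
        sub = "*/" + resource.split("/", 1)[1] if "/" in resource else None
        if _matches(res, resource) or (sub and sub in res):
            return True
    return False


def denied(rules, checks):
    """Return the (verb, resource) pairs from checks that the role does not grant."""
    return [c for c in checks if not allows(rules, *c)]


# Constructed probe operations; a grant on 'pods' does not cover its subresources.
CHECKS = [
    ("get", "pods"), ("create", "pods/portforward"), ("create", "pods/exec"),
    ("delete", "pods"), ("get", "secrets"), ("get", "pods/log"),
]

if __name__ == "__main__":
    for name, rules in (("port-forward", PORT_FORWARD), ("exec", EXEC)):
        print(name, "denies:", denied(rules, CHECKS))
```

Neither curated role grants the other's subresource, pod deletion, Secret reads or pod logs, which is the reason to prefer them over a general role for a single debugging task.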