SSH Filtering

SSH request routing allows you to control access to SSH resources based on provider, destination, group, region, parent resource, and sudo privileges. You can also configure break glass access, which grants unrestricted SSH access to all resources for emergency scenarios.

SSH access types

The SSH integration supports four access types. Each access type represents a different scope of resources you can grant access to:

Outside of session, the other access types control access to collections of instances, which may include one or more nodes at a time.

You can scope a routing rule to a specific access type using the accessType field:

resource:
  type: integration
  service: ssh
  accessType: session

If you omit accessType or set it to any, the rule applies to all SSH access types.

Available filters

SSH routing rules support six filter types:

Filter rule structure

Each filter has three properties:

• effect — How the filter is applied:

  • keep — Retain resources that match the pattern

  • remove — Retain resources that do not match the pattern

  • removeAll — Disable this filter type entirely

• key — The property to match against

• pattern — A regex pattern to match (uses the JavaScript regex dialect)

Sudo filter

The sudo filter uses a boolean format rather than a regex pattern:

Filter examples

Restrict SSH access to a specific cloud provider

Allow SSH requests only for AWS-managed instances:

Restrict SSH access to a specific group

Allow SSH access only to instances in the "web-servers" group:

Restrict SSH access by AWS account

Allow SSH access only to instances in a specific AWS account:

Deny sudo access

Deny all SSH requests that include sudo privileges:

Restrict SSH to a specific region

Allow SSH access only to instances in us-east-1:

Break glass access

Break glass provides emergency SSH access to all resources covered by your routing rules. It's designed for incident response — when there is an outage and an engineer needs broad access to production systems to troubleshoot. Instead of requesting access to each instance individually and waiting for approval, they can use break glass access.

How break glass works

1. A user requests SSH break glass access (access type all) via the CLI: p0 request ssh all

2. P0 identifies all routing rules where the user is a matching requester and the rule has a breakGlassApprover configured

3. P0 creates a separate request for each matching routing rule. If you are a requester in five different routing rules, P0 creates five requests, and each must be individually approved.

4. Each request is routed to the break glass approver(s) configured on that rule

5. Once a break glass request for a routing rule is approved, individual session requests to instances covered by that rule are auto-approved — you still make the individual session requests, but they no longer require manual approval

6. If no routing rules with breakGlassApprover match the user, the request is rejected with: "No routing rule allows break-glass access"

Configuring break glass

Break glass requires two types of routing rules working together:

1. A regular rule with a standard approver — this handles day-to-day access to individual instances

2. A break glass rule with a breakGlassApprover — this handles the emergency all access request

Both rules must exist. The regular rule defines which resources are accessible and who approves normal requests. The break glass rule defines who can approve the emergency override.

Example: complete break glass configuration

In this example:

• Rule 1 grants engineers access to specific instances matching customer-node*, approved by engineering managers

• Rule 2 grants engineers break glass access to all SSH resources, approved by the NOC team (staffed 24/7)

• When an engineer runs p0 request ssh all, P0 creates a break glass request routed to the NOC team

• Once the NOC team approves, the engineer can request individual sessions (for example, customer-node-1) and those requests are auto-approved

Break glass with PagerDuty escalation

You can combine break glass with PagerDuty escalation for incident-driven emergency access:

In this example:

• Any user can request break glass SSH access

• The request requires a reason

• PagerDuty routes the request through the configured escalation policy

• Only the on-call responder from the configured PagerDuty service can approve

Multiple routing rules and break glass

When you are a requestor in multiple routing rules, a break glass request creates a separate request for each matching rule. Each request:

• Routes the request to the break glass approver configured on that specific rule

• Must be individually approved

• Grants auto-approval for instances covered by that rule only

This means you can have different break glass approvers for different sets of resources. For example, the NOC team approves break glass for production systems, while the SRE team approves break glass for staging systems.

Separating break glass from regular approvals

P0 routes requests to the correct approvers based on whether breakGlassApprover is set:

• Regular SSH requests (session, group, parent) are routed to approvers on rules without breakGlassApprover

• Break glass SSH requests (all) are routed to approvers on rules with breakGlassApprover: true

This separation ensures that break glass approvals require explicit authorization from designated approvers, while regular access follows the standard approval flow.

Supported approval types for break glass

The breakGlassApprover option is available on the following approval types: