# p0 kubeconfig

### **Overview** <a href="#overview" id="overview"></a>

Request just-in-time access to an AWS EKS cluster and automatically configure your local kubectl context.

### **Basic Usage** <a href="#basic-usage" id="basic-usage"></a>

```plaintext
p0 kubeconfig \
  --cluster   <CLUSTER_ID> \
  --role      <ROLE_KIND>/<ROLE_NAME> \  
  [--duration "<DURATION>"] \
  [--resource <Kind> / <Namespace> / <Name>] \
  [--reason   "<REASON>"]
```

***

### **Prerequisites** <a href="#prerequisites" id="prerequisites"></a>

* **Logged-in user**
* **k8s cluster deployed in GCP or AWS**
* **k8s provider configured in integrations**

### **Options & Flags** <a href="#options-and-flags" id="options-and-flags"></a>

| **Flag**               | **Required?** | **Description**                                                                  |
| ---------------------- | ------------- | -------------------------------------------------------------------------------- |
| --cluster \<string>    | Yes           | The cluster ID as registered in P0 (not the ARN).                                |
| --role \<string>       | Yes           | The Kubernetes RBAC role to request. Must be one of:                             |
|                        |               | • ClusterRole/\<roleName>                                                        |
|                        |               | • CuratedRole/\<roleName>                                                        |
|                        |               | • Role/\<namespace>/\<roleName>                                                  |
| --resource \<string>   | No            | Scope access to a specific resource or type. Must use **spaces** around slashes: |
|                        |               | • \<Kind> / \<Namespace> / \<Name>                                               |
|                        |               | • \<Kind> / \<Name>                                                              |
| --reason "\<string>"   | No            | A free-form explanation for audit purposes (e.g. "Debugging DNS issues").        |
| --duration "\<string>" | No            | How long you need access. Supported formats:                                     |
|                        |               | • 10 minutes                                                                     |
|                        |               | • 2 hours                                                                        |
|                        |               | • 5 days                                                                         |
|                        |               | • 1 week                                                                         |
| --help                 | No            | Show built-in help text for p0 kubeconfig.                                       |

***

### **Examples** <a href="#examples" id="examples"></a>

**1. Cluster-wide admin for 2 hours**

```plaintext
$ p0 kubeconfig \
    --cluster my-cluster \
    --role ClusterRole/cluster-admin \
    --duration "2 hours"
```

**Sample output:**

```plaintext
Fetching cluster integration…
Requesting access ClusterRole/cluster-admin on cluster my-cluster…
Waiting for AWS resources to be provisioned and updating kubeconfig for EKS…
Added new context arn:aws:eks:us-west-2:123456789012:cluster/my-cluster to ~/.kube/config
Switched to context arn:aws:eks:us-west-2:123456789012:cluster/my-cluster
Access granted and kubectl configured successfully. Re-run this command to refresh access if credentials expire.
```

***

**2. Read pods in the staging namespace**

```plaintext
$ p0 kubeconfig \
    --cluster staging-cluster \
    --role Role/staging/developer \
    --resource Pod / staging / *
```

**Sample output:**

```plaintext
Fetching cluster integration…
Requesting access Role/staging/developer on namespace staging (Pods)…
Waiting for AWS resources to be provisioned and updating kubeconfig for EKS…
Added new context arn:aws:eks:us-east-1:987654321098:cluster/staging-cluster to ~/.kube/config
Switched to context arn:aws:eks:us-east-1:987654321098:cluster/staging-cluster
Access granted and kubectl configured successfully.
```

***

**3. Scoped view of a specific Deployment with reason**

```plaintext
$ p0 kubeconfig \
    --cluster production \
    --role CuratedRole/view-deployments \
    --resource Deployment / prod / frontend-api \
    --reason "Verify rollout status"
```

**Sample output:**

```plaintext
Fetching cluster integration…
Requesting access CuratedRole/view-deployments on Deployment/frontend-api in prod…
Waiting for AWS resources to be provisioned and updating kubeconfig for EKS…
Added new context arn:aws:eks:us-west-2:123456789012:cluster/production to ~/.kube/config
Switched to context arn:aws:eks:us-west-2:123456789012:cluster/production
Access granted and kubectl configured successfully.
```

***

### **Refreshing Access** <a href="#refreshing-access" id="refreshing-access"></a>

When credentials expire, simply re-run the same command (all flags are remembered):

```plaintext
p0 kubeconfig --cluster my-cluster --role ClusterRole/cluster-admin
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-kubeconfig.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.