
Break Glass

What Will You Do

In this part of the self-paced exercise, you will learn to enable kubectl access temporarily for a cluster to implement a break glass process.

Step 1: Disabling Kubectl Access

The default for many organizations would be to disable kubectl access. To do this:

  • Navigate to the Clusters page, click on the gear icon and select Kubectl Settings

Cluster setting

  • Disable both Kubectl CLI Access (Terminal) and Browser Kubectl Access

KubeCTL settings disable

  • Any kubectl access attempt is now prevented

Step 2: Enabling Kubectl Access Temporarily

There may be a requirement to enable kubectl access for a user temporarily (for instance, to debug an issue). To enable browser-based access, follow the instructions outlined below:

  • Navigate to the specific cluster where the issue is being seen. Click on the gear icon and select Kubectl Settings
  • Enable Browser Kubectl Access and click Save

KubeCTL settings enable

  • The Namespace Admin previously configured in Part 1 of the exercise can now initiate a kubectl session from within the browser and run commands or inspect logs as required

Namespace Admin

  • Once the root cause determination exercise is complete, kubectl access can be disabled again, either for the cluster or org-wide as required
  • The JIT (just-in-time) service account created for the Namespace Admin is automatically removed from the target cluster once the configured lifetime expires
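
To confirm that the automatic removal described in the last step actually happened, the following added example (not part of the original exercise or the platform's own tooling) compares two service account snapshots and reports accounts that appeared after the break glass window opened and have outlived the configured lifetime. It assumes both snapshots are saved output of `kubectl get serviceaccounts -A -o json` obtained through a separate administrative path; because the page does not say how JIT accounts are named, it diffs against a baseline instead of matching names, and the namespace, account names and timestamps below are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

def _accounts(sa_json):
    """Map (namespace, name) -> creation time from `kubectl get serviceaccounts -A -o json`."""
    out = {}
    for item in json.loads(sa_json)["items"]:
        meta = item["metadata"]
        created = datetime.strptime(meta["creationTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
        out[(meta["namespace"], meta["name"])] = created.replace(tzinfo=timezone.utc)
    return out

def audit_jit_cleanup(baseline_json, current_json, lifetime, now):
    """Classify accounts that appeared after the baseline snapshot.

    Returns (active, overdue): accounts still inside the lifetime, and
    accounts that outlived it and should already have been removed.
    """
    baseline = _accounts(baseline_json)
    active, overdue = [], []
    for key, created in sorted(_accounts(current_json).items()):
        if baseline.get(key) == created:
            continue  # existed before break glass and was not recreated
        (overdue if now - created > lifetime else active).append(key)
    return active, overdue

# Constructed sample data: one pre-existing account, two created during break glass.
def _sa(ns, name, ts):
    return {"metadata": {"namespace": ns, "name": name, "creationTimestamp": ts}}

BASELINE = json.dumps({"items": [_sa("team-a", "default", "2024-01-10T08:00:00Z")]})
CURRENT = json.dumps({"items": [
    _sa("team-a", "default", "2024-01-10T08:00:00Z"),
    _sa("team-a", "jit-example-old", "2024-03-01T09:00:00Z"),
    _sa("team-a", "jit-example-new", "2024-03-01T13:30:00Z"),
]})

if __name__ == "__main__":
    now = datetime(2024, 3, 1, 14, 0, tzinfo=timezone.utc)
    # Assumed configured lifetime of 2 hours for this illustration.
    active, overdue = audit_jit_cleanup(BASELINE, CURRENT, timedelta(hours=2), now)
    print("within lifetime:", active)
    print("overdue for removal:", overdue)
```

An account reported as overdue means the lifetime has passed but the account is still present on the cluster, which warrants manual review before closing out the break glass event.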