# Kubernetes Provider
The Kubernetes provider grants temporary elevated access by creating a ClusterRoleBinding or RoleBinding with a TTL annotation. The jitsudo expiry sweeper deletes bindings when they expire.
## How It Works

1. jitsudod creates a `ClusterRoleBinding` (cluster-wide) or `RoleBinding` (namespaced) binding the requester's user identity to the requested ClusterRole.
2. The binding is named `jitsudo-<requestID>` and labelled with `jitsudo.dev/managed: "true"`.
3. An annotation `jitsudo.dev/expires-at` records the expiry time.
4. On revocation or expiry, jitsudod deletes the binding.
5. The `IsActive` check queries whether the binding still exists in the cluster, which catches out-of-band `kubectl delete` operations.
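The following Go program is an added illustration of the binding-construction step, not jitsudo's own code. It assembles the binding metadata described above (the `jitsudo-<requestID>` name, the managed label, the RFC3339 `expires-at` annotation) and applies the scope rules from this page's Configuration section: `*` is cluster-wide, an empty scope falls back to `default_namespace`, and an empty `default_namespace` makes the request cluster-wide too. It also enforces `max_duration`, treating zero as "no cap". The `Binding` struct, the function names and the sample request ID and user are assumptions made for the example; a real implementation would build `rbac/v1` objects with client-go.

```go
package main

import (
	"fmt"
	"time"
)

// Label key and annotation key named on this page.
const (
	managedLabel      = "jitsudo.dev/managed"
	expiresAnnotation = "jitsudo.dev/expires-at"
)

// Binding is a minimal stand-in for the rbac.authorization.k8s.io/v1 object
// jitsudod creates; it is not a client-go type (assumption for this example).
type Binding struct {
	Kind        string // "ClusterRoleBinding" or "RoleBinding"
	Name        string
	Namespace   string // empty for a ClusterRoleBinding
	Labels      map[string]string
	Annotations map[string]string
	User        string // subject: the requester's Kubernetes username
	ClusterRole string // roleRef: the ClusterRole being granted
}

// resolveScope applies the documented scope rules: "*" is cluster-wide, an
// empty scope falls back to default_namespace, and if that is empty as well
// the request is cluster-wide.
func resolveScope(scope, defaultNamespace string) (namespace string, clusterWide bool) {
	switch scope {
	case "*":
		return "", true
	case "":
		if defaultNamespace == "" {
			return "", true
		}
		return defaultNamespace, false
	default:
		return scope, false
	}
}

// CheckDuration enforces max_duration; a zero limit means "no cap", which is
// the documented default.
func CheckDuration(requested, limit time.Duration) error {
	if requested <= 0 {
		return fmt.Errorf("duration must be positive, got %s", requested)
	}
	if limit > 0 && requested > limit {
		return fmt.Errorf("requested %s exceeds max_duration %s", requested, limit)
	}
	return nil
}

// BuildBinding assembles the binding for one approved request: the
// jitsudo-<requestID> name, the managed label and the RFC3339 expiry annotation.
func BuildBinding(requestID, user, role, scope, defaultNamespace string, now time.Time, ttl time.Duration) Binding {
	ns, clusterWide := resolveScope(scope, defaultNamespace)
	b := Binding{
		Kind:        "RoleBinding",
		Name:        "jitsudo-" + requestID,
		Namespace:   ns,
		Labels:      map[string]string{managedLabel: "true"},
		Annotations: map[string]string{expiresAnnotation: now.Add(ttl).UTC().Format(time.RFC3339)},
		User:        user,
		ClusterRole: role,
	}
	if clusterWide {
		b.Kind = "ClusterRoleBinding"
	}
	return b
}

func main() {
	// Constructed sample request; the request ID and user are made up.
	now := time.Date(2025, 1, 2, 3, 4, 5, 0, time.UTC)
	if err := CheckDuration(30*time.Minute, time.Hour); err != nil {
		fmt.Println("rejected:", err)
		return
	}
	b := BuildBinding("01J8KZEXAMPLE", "alice@example.com", "edit", "production", "default", now, 30*time.Minute)
	fmt.Printf("%s %s ns=%q user=%s role=%s expires=%s\n",
		b.Kind, b.Name, b.Namespace, b.User, b.ClusterRole, b.Annotations[expiresAnnotation])
}
```

The expiry is written in UTC so the sweeper's `time.Parse` comparison does not depend on the daemon's local timezone; the `User` field must be the exact username the API server authenticates the requester as, otherwise the binding is valid but grants nothing.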
## Prerequisites

### jitsudod RBAC Permissions

The jitsudo ServiceAccount needs permission to manage RBAC bindings. The Helm chart creates this automatically when the Kubernetes provider is enabled:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: jitsudo-rbac-manager
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterrolebindings", "rolebindings"]
    verbs: ["create", "get", "delete", "list"]
```

For non-Helm deployments, apply this manually and create a ClusterRoleBinding for the jitsudo ServiceAccount.

Note that the API server's RBAC escalation prevention only lets a principal create a binding to a role whose permissions it already holds itself, or on which it has the `bind` verb. With the rule above on its own, jitsudod can bind roles no broader than its own, so a request for `cluster-admin` would be refused at binding creation. Grant `bind` on exactly the ClusterRoles jitsudo is allowed to hand out (use `resourceNames` to keep that an allowlist) rather than making the ServiceAccount `cluster-admin` itself.
### Target ClusterRoles

Users request access to existing ClusterRoles. Make sure the roles you want jitsudo to grant exist in your cluster. Common built-in roles:

| ClusterRole | Access level |
|---|---|
| `view` | Read-only (no Secrets) |
| `edit` | Read/write, including reading Secrets (no RBAC) |
| `admin` | Full namespace admin |
| `cluster-admin` | Full cluster admin |

You can also create custom ClusterRoles for more granular access; a role scoped to the few verbs an on-call engineer actually needs is a better default grant than `edit`, which can read every Secret in the namespace.
## Configuration

```yaml
providers:
  kubernetes:
    # Path to kubeconfig file.
    # Leave empty to use in-cluster service account credentials (recommended).
    kubeconfig: ""

    # Default namespace for namespaced RoleBindings when ResourceScope is empty.
    # If also empty, a ClusterRoleBinding is created instead.
    default_namespace: "default"

    # Maximum elevation window
    max_duration: "1h"

    # Label key applied to all jitsudo-managed bindings.
    # The expiry sweeper uses this label for cleanup queries.
    managed_label: "jitsudo.dev/managed"
```

### Configuration Fields

| Field | Required | Default | Description |
|---|---|---|---|
| `kubeconfig` | No | `""` (in-cluster) | Path to kubeconfig file |
| `default_namespace` | No | `""` | Default namespace for RoleBindings |
| `max_duration` | No | no cap | Maximum elevation window |
| `managed_label` | No | `jitsudo.dev/managed` | Label applied to all managed bindings |
## Request Examples

```bash
# Cluster-wide admin (ClusterRoleBinding)
jitsudo request \
  --provider kubernetes \
  --role cluster-admin \
  --scope "*" \
  --duration 15m \
  --reason "Debug kube-system CrashLoopBackOff"

# Namespaced edit access (RoleBinding)
jitsudo request \
  --provider kubernetes \
  --role edit \
  --scope production \
  --duration 30m \
  --reason "Scale deployment for traffic spike"

# Read-only access to a namespace
jitsudo request \
  --provider kubernetes \
  --role view \
  --scope staging \
  --duration 1h \
  --reason "Audit staging environment for compliance review"
```

- `--scope`: Kubernetes namespace name, or `*` for cluster-wide. An empty string is also cluster-wide unless `default_namespace` is set, in which case the RoleBinding is created in that namespace.
- `--role`: Name of an existing ClusterRole (e.g. `cluster-admin`, `edit`, `view`).
## Injected Credentials

```
JITSUDO_K8S_ROLE=cluster-admin
JITSUDO_K8S_NAMESPACE=production
```

The user's own Kubernetes identity (as configured in their kubeconfig) is used for the actual API calls; the binding grants the role to that existing identity rather than minting a new credential. This means the binding's subject must match the username the API server authenticates the requester as (including any OIDC username prefix the cluster applies). If it does not, the binding is created successfully but grants nothing the user can exercise.

```bash
jitsudo exec req_01J8KZ... -- kubectl get pods -n production

jitsudo shell req_01J8KZ...
$ kubectl delete pod crashed-pod-abc123 -n production
$ exit
```

## Expiry Enforcement
The binding's annotation `jitsudo.dev/expires-at` (RFC3339) is set at creation time. The jitsudo expiry sweeper periodically:

1. Lists all bindings with label `jitsudo.dev/managed=true`.
2. Checks `jitsudo.dev/expires-at` against the current time.
3. Calls `Revoke` on any expired binding.

Because the sweep is periodic, a binding can outlive its `expires-at` by up to one sweep interval; the annotation records intent, and the deletion is the enforcement.

If a binding is deleted out-of-band (e.g. by a cluster admin with `kubectl delete`), the `IsActive` check detects this and marks the request as expired.
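The following Go program is an added illustration of one sweeper pass and the `IsActive` check, not jitsudo's own code. It filters a listed set of bindings to those carrying the managed label, parses the RFC3339 expiry annotation, and returns the names to revoke; it also shows how the out-of-band deletion check reduces to "does the binding still exist". The `BindingMeta` type, the function names and the sample bindings are constructed for the example. One policy choice is mine rather than the page's: a managed binding whose annotation is missing or unparsable is treated as expired (fail closed), since a binding with no enforceable TTL should not survive a sweep.

```go
package main

import (
	"fmt"
	"time"
)

// Label key and annotation key named on this page.
const (
	managedLabel      = "jitsudo.dev/managed"
	expiresAnnotation = "jitsudo.dev/expires-at"
)

// BindingMeta holds the metadata the sweeper needs from each listed binding
// (a stand-in for the ObjectMeta of a ClusterRoleBinding or RoleBinding;
// assumption for this example, not a client-go type).
type BindingMeta struct {
	Name        string
	Namespace   string // "" for a ClusterRoleBinding
	Labels      map[string]string
	Annotations map[string]string
}

// Expired decides whether one managed binding is past its TTL at now.
// Assumed policy: a missing or unparsable expires-at counts as expired.
func Expired(b BindingMeta, now time.Time) (expired bool, reason string) {
	raw, ok := b.Annotations[expiresAnnotation]
	if !ok {
		return true, "missing " + expiresAnnotation
	}
	exp, err := time.Parse(time.RFC3339, raw)
	if err != nil {
		return true, "unparsable " + expiresAnnotation + ": " + err.Error()
	}
	if now.Before(exp) {
		return false, "active until " + exp.UTC().Format(time.RFC3339)
	}
	return true, "expired at " + exp.UTC().Format(time.RFC3339)
}

// Sweep mirrors one sweeper pass: keep only bindings carrying
// jitsudo.dev/managed=true (the label selector the real list call would use)
// and return the names that should go to Revoke.
func Sweep(bindings []BindingMeta, now time.Time) []string {
	var toRevoke []string
	for _, b := range bindings {
		if b.Labels[managedLabel] != "true" {
			continue // not ours; never touch bindings jitsudo did not create
		}
		if exp, _ := Expired(b, now); exp {
			toRevoke = append(toRevoke, b.Name)
		}
	}
	return toRevoke
}

// IsActive is the out-of-band deletion check: a request is active only while
// its binding still exists. live is the set of binding names from a fresh list.
func IsActive(requestID string, live map[string]bool) bool {
	return live["jitsudo-"+requestID]
}

func main() {
	managed := map[string]string{managedLabel: "true"}
	now := time.Date(2025, 1, 2, 4, 0, 0, 0, time.UTC)
	// Constructed sample of what a list call might return.
	bindings := []BindingMeta{
		{Name: "jitsudo-req1", Namespace: "production", Labels: managed,
			Annotations: map[string]string{expiresAnnotation: "2025-01-02T05:00:00Z"}},
		{Name: "jitsudo-req2", Labels: managed,
			Annotations: map[string]string{expiresAnnotation: "2025-01-02T03:00:00Z"}},
		{Name: "jitsudo-req3", Namespace: "staging", Labels: managed,
			Annotations: map[string]string{expiresAnnotation: "never"}},
		{Name: "cluster-admin", Labels: map[string]string{}, Annotations: map[string]string{}},
	}
	for _, b := range bindings {
		if b.Labels[managedLabel] == "true" {
			exp, why := Expired(b, now)
			fmt.Printf("%-14s expired=%-5v %s\n", b.Name, exp, why)
		}
	}
	fmt.Println("revoke:", Sweep(bindings, now))
	live := map[string]bool{"jitsudo-req1": true}
	fmt.Println("req2 active after out-of-band delete?", IsActive("req2", live))
}
```

The label filter is the safety boundary here: whatever the expiry logic decides, a binding without `jitsudo.dev/managed=true` is never a candidate for deletion, so a bug in the annotation handling cannot take out the cluster's own bindings. The comparison uses `now.Before(exp)`, so a binding is treated as expired at exactly its `expires-at` instant, not one tick later.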
## External kubeconfig (Multi-Cluster)

To manage a remote cluster from jitsudod:

```yaml
providers:
  kubernetes:
    kubeconfig: "/etc/jitsudo/kubeconfig-prod.yaml"
```

Mount the kubeconfig as a Kubernetes Secret:

```yaml
volumes:
  - name: kubeconfig
    secret:
      secretName: jitsudo-kubeconfig-prod
volumeMounts:
  - name: kubeconfig
    mountPath: /etc/jitsudo/kubeconfig-prod.yaml
    subPath: kubeconfig
```

The identity in that kubeconfig needs the same binding-management permissions on the remote cluster that the in-cluster ServiceAccount has locally (the `jitsudo-rbac-manager` rules plus `bind` on the roles jitsudo may grant). It is a credential that can mint elevated bindings on production, so treat the Secret accordingly: restrict who can read it, prefer a short-lived or rotated credential over a static token, and audit its use on the remote cluster.