Skip to content

Access your cluster

paasbox gives you full cluster-admin on your cluster — a real kubeconfig, not a locked-down console. The credential is deliberately short-lived: you fetch a fresh one whenever you need it, from the console or the API, and it expires on its own.

Every kubeconfig paasbox issues is:

  • Cluster-admin, scoped to one cluster. It authenticates against your cluster’s API server only — never the platform.
  • Short-lived. You choose a validity of up to 8 hours (default 1 hour). After that, requests fail with an authentication error and you simply issue a new one.
  • Never stored. paasbox mints the credential on request and hands it to you; there is no copy on our side to leak.
  • Audited. Every issuance is recorded as an event on the cluster — who requested it, when, and for how long.

Why short-lived? A certificate credential can’t be un-issued before it expires. Keeping the lifetime to hours means a leaked laptop, a pasted-in-chat kubeconfig, or a forgotten CI artifact ages out on its own — and offboarding a team member is done in the portal, not by rotating your cluster.

In console.paasbox.com, open your cluster and choose Download kubeconfig. Point kubectl at the file and check the connection:

Terminal window
export KUBECONFIG=~/Downloads/paasbox-kubeconfig.yaml
kubectl get nodes

For scripts and CI, request one with a team API key (Authorization: Token pbx_live_…):

Terminal window
curl -s -X POST \
-H "Authorization: Token $PAASBOX_API_KEY" \
-H "Content-Type: application/json" \
-d '{"ttlSeconds": 3600}' \
https://console.paasbox.com/api/v1/teams/<team>/clusters/<cluster>/kubeconfig/ \
| jq -r .kubeconfig > kubeconfig.yaml
export KUBECONFIG=$PWD/kubeconfig.yaml
kubectl get nodes

The response also carries expiresAt, so automation can renew ahead of time. See the API reference for the full contract.

In CI, fetch per run. Issue a kubeconfig at the start of the job with a TTL that covers the job, and never store one as a long-lived secret or artifact — the API key is the durable secret; kubeconfigs are disposable.

Expired credentials fail with an Unauthorized error from the API server. Nothing is wrong with your cluster — issue a fresh kubeconfig and continue.

Anyone on your team with access to the cluster in the portal can issue a kubeconfig, and every issuance is audited. To remove someone’s cluster access, remove them from the team (or their API key) — their existing credential ages out within hours.

If your team lives in an identity provider (Entra ID, Okta, Keycloak, Google, …), you can go one step further and log in to the cluster with your own IdP — named users, group-based RBAC, and instant offboarding. See Bring your own identity provider.

  • No platform access. The credential reaches your cluster’s API server and nothing else — not the paasbox control infrastructure, not other clusters.
  • No platform observability endpoints. paasbox monitors your control plane as part of operating it; dashboards for your workloads are yours to run in-cluster (Prometheus, Grafana, VictoriaMetrics, …) — you have the admin access to install whatever you like. See What you bring & what we run.