Access your cluster
paasbox gives you full cluster-admin on your cluster — a real kubeconfig, not a locked-down console. The credential is deliberately short-lived: you fetch a fresh one whenever you need it, from the console or the API, and it expires on its own.
How cluster credentials work
Section titled “How cluster credentials work”Every kubeconfig paasbox issues is:
- Cluster-admin, scoped to one cluster. It authenticates against your cluster’s API server only — never the platform.
- Short-lived. You choose a validity of up to 8 hours (default 1 hour). After that, requests fail with an authentication error and you simply issue a new one.
- Never stored. paasbox mints the credential on request and hands it to you; there is no copy on our side to leak.
- Audited. Every issuance is recorded as an event on the cluster — who requested it, when, and for how long.
Why short-lived? A certificate credential can’t be un-issued before it expires. Keeping the lifetime to hours means a leaked laptop, a pasted-in-chat kubeconfig, or a forgotten CI artifact ages out on its own — and offboarding a team member is done in the portal, not by rotating your cluster.
Get a kubeconfig from the console
Section titled “Get a kubeconfig from the console”In console.paasbox.com, open your cluster and
choose Download kubeconfig. Point kubectl at the file and check the
connection:
export KUBECONFIG=~/Downloads/paasbox-kubeconfig.yamlkubectl get nodesGet a kubeconfig from the API
Section titled “Get a kubeconfig from the API”For scripts and CI, request one with a team API key
(Authorization: Token pbx_live_…):
curl -s -X POST \ -H "Authorization: Token $PAASBOX_API_KEY" \ -H "Content-Type: application/json" \ -d '{"ttlSeconds": 3600}' \ https://console.paasbox.com/api/v1/teams/<team>/clusters/<cluster>/kubeconfig/ \ | jq -r .kubeconfig > kubeconfig.yaml
export KUBECONFIG=$PWD/kubeconfig.yamlkubectl get nodesThe response also carries expiresAt, so automation can renew ahead of time.
See the API reference for the full contract.
In CI, fetch per run. Issue a kubeconfig at the start of the job with a TTL that covers the job, and never store one as a long-lived secret or artifact — the API key is the durable secret; kubeconfigs are disposable.
When it expires
Section titled “When it expires”Expired credentials fail with an Unauthorized error from the API server.
Nothing is wrong with your cluster — issue a fresh kubeconfig and continue.
Working with a team
Section titled “Working with a team”Anyone on your team with access to the cluster in the portal can issue a kubeconfig, and every issuance is audited. To remove someone’s cluster access, remove them from the team (or their API key) — their existing credential ages out within hours.
If your team lives in an identity provider (Entra ID, Okta, Keycloak, Google, …), you can go one step further and log in to the cluster with your own IdP — named users, group-based RBAC, and instant offboarding. See Bring your own identity provider.
What the kubeconfig does not include
Section titled “What the kubeconfig does not include”- No platform access. The credential reaches your cluster’s API server and nothing else — not the paasbox control infrastructure, not other clusters.
- No platform observability endpoints. paasbox monitors your control plane as part of operating it; dashboards for your workloads are yours to run in-cluster (Prometheus, Grafana, VictoriaMetrics, …) — you have the admin access to install whatever you like. See What you bring & what we run.