Kubernetes kubeconfig & Context Access Hygiene Prompt
Tame multi-cluster kubeconfig sprawl — short-lived OIDC/exec credentials, per-cluster contexts, prod guardrails, and team-safe distribution so nobody runs the wrong command against prod.
- Target user: Platform engineers managing engineer access across many clusters
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a Kubernetes platform engineer who manages how dozens of engineers authenticate to many clusters. You have eliminated long-lived tokens and the "oops, that was prod" class of incidents through disciplined kubeconfig and context design.

I will provide:
- How engineers authenticate today (static tokens, certs, cloud IAM, OIDC/SSO)
- Number of clusters and environments, and the cloud(s)/distros involved
- Current pain (token sprawl, no prod guardrail, shared admin creds, context confusion)

Your job:
1. **Kill long-lived creds** — move to short-lived credentials via the kubeconfig `exec` plugin (cloud auth like `aws eks get-token` / `gke-gcloud-auth-plugin`, or generic OIDC via `kubelogin`/`kubectl oidc-login`). Show the `users[].user.exec` stanza and how token TTL maps to your SSO session.
2. **Context naming + structure** — a consistent `cluster/namespace/user` naming scheme, one merged kubeconfig vs split files via `KUBECONFIG` path, and tooling (`kubectx`/`kubens`) so the current context is never ambiguous.
3. **Prod guardrails** — make destructive actions against prod deliberate: a distinct context color/prompt (`kube-ps1`, starship), a confirmation wrapper (`kubectl-prod` alias that prompts), and read-only-by-default contexts that require an explicit elevation step.
4. **RBAC binding** — map SSO groups to ClusterRoles/Roles so the kubeconfig identity carries least privilege; verify with `kubectl auth can-i --list`. No personal cluster-admin kubeconfigs.
5. **Distribution** — how engineers get a kubeconfig with zero secrets in it (exec-only), versioned in a repo or generated by a CLI, and how offboarding instantly revokes access (SSO group removal, not file deletion).
6. **Break-glass** — a documented, audited admin path for emergencies that's separate from daily-driver access and logged.
7. **Audit** — confirm every action is attributable to a human identity in the audit log (no shared service-account tokens for humans).
Output: a reference kubeconfig (exec-based, secret-free), the context naming + shell-prompt setup, the prod-confirmation wrapper, the SSO-group→RBAC mapping, and the break-glass + offboarding runbooks. Bias toward: short-lived exec credentials, prod actions that must be deliberate, identity attributable in audit logs.
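The exec-based kubeconfig from step 1, the secret-free distribution check from step 5 and a `kubectl-prod`-style confirmation wrapper from step 3, as an added shell example that is not part of the original prompt page. It assumes the `cluster/namespace/user` naming scheme from step 2 with prod clusters named `prod-*`, uses the kubelogin plugin (`kubectl oidc-login get-token`) for the exec stanza, and reaches the kubectl binary through a `KUBECTL` variable so the wrapper can be exercised against a stub; hostnames, CA paths and the OIDC issuer are placeholders.

```bash
#!/bin/sh
# Added example, not code from the original page: a secret-free exec-based kubeconfig,
# a lint that rejects static credentials, and a prod-confirmation wrapper. Assumptions:
# contexts are named <cluster>/<namespace>/<user>, prod clusters are named prod-*, and
# the kubectl binary is reached via $KUBECTL (default: kubectl). Hosts, CA paths and
# the OIDC issuer are placeholders.

# Reference kubeconfig. The only credential material is the exec stanza, which runs
# the kubelogin plugin (`kubectl oidc-login`) to mint a short-lived ID token from the
# SSO session; no token or key is stored, so the file is safe to commit and share.
write_reference_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
current-context: dev-eu1/default/alice
clusters:
- name: dev-eu1
  cluster:
    server: https://dev-eu1.example.internal:6443
    certificate-authority: /etc/kube/ca/dev-eu1.crt
- name: prod-eu1
  cluster:
    server: https://prod-eu1.example.internal:6443
    certificate-authority: /etc/kube/ca/prod-eu1.crt
users:
- name: alice@sso
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      command: kubectl
      args: ["oidc-login", "get-token", "--oidc-issuer-url=https://sso.example.com", "--oidc-client-id=kubernetes"]
      interactiveMode: IfAvailable
contexts:
- name: dev-eu1/default/alice
  context: {cluster: dev-eu1, namespace: default, user: alice@sso}
- name: prod-eu1/default/alice
  context: {cluster: prod-eu1, namespace: default, user: alice@sso}
EOF
}

# Distribution lint: exit 0 only when no static credential (token, password, inline
# key or cert data) appears anywhere in the file.
kubeconfig_is_secret_free() {
  ! grep -Eq '^[[:space:]]*(token|password|client-key|client-key-data|client-certificate-data):' "$1"
}

# The cluster segment (before the first "/") decides prod-ness, so naming = guardrail.
is_prod_context() { case "${1%%/*}" in prod-*) return 0 ;; *) return 1 ;; esac; }

# Verbs that change cluster state; read-only verbs never prompt.
is_mutating_verb() {
  case "$1" in
    apply|create|delete|patch|replace|edit|scale|rollout|drain|cordon|uncordon|taint|label|annotate|exec) return 0 ;;
    *) return 1 ;;
  esac
}

# Wrapper: a mutating verb against a prod context must be confirmed by retyping the
# context name (KUBE_PROD_CONFIRM=yes skips the prompt for CI). Returns 2 when the
# confirmation fails, otherwise kubectl's own exit status. Pass other flag values as
# --flag=value so that the first bare word is reliably the verb.
kubectl_guarded() {
  kubectl_bin="${KUBECTL:-kubectl}"
  ctx="$("$kubectl_bin" config current-context 2>/dev/null)" || ctx=""
  verb=""; prev=""
  for a in "$@"; do
    if [ "$prev" = "--context" ]; then ctx="$a"; else
      case "$a" in
        --context=*) ctx="${a#--context=}" ;;
        -*) ;;
        *) [ -n "$verb" ] || verb="$a" ;;
      esac
    fi
    prev="$a"
  done
  if is_prod_context "$ctx" && is_mutating_verb "$verb" && [ "${KUBE_PROD_CONFIRM:-}" != "yes" ]; then
    printf 'Context %s is PRODUCTION. Retype the context name to continue: ' "$ctx" >&2
    read -r answer || answer=""
    if [ "$answer" != "$ctx" ]; then echo "aborted: confirmation did not match" >&2; return 2; fi
  fi
  "$kubectl_bin" "$@"
}

# Stand-alone demo: write the reference file, lint it, and classify each context.
demo() {
  tmp="$(mktemp)"; write_reference_kubeconfig "$tmp"
  kubeconfig_is_secret_free "$tmp" && echo "lint ok: no static credentials"
  for c in dev-eu1/default/alice prod-eu1/default/alice; do
    if is_prod_context "$c"; then echo "$c: prod, mutating verbs prompt"; else echo "$c: non-prod"; fi
  done
  rm -f "$tmp"
}
demo
```

To use it day to day, source the file and `alias kubectl=kubectl_guarded`; run `kubeconfig_is_secret_free` in CI for the repo that distributes the kubeconfig so a token pasted in by hand is rejected before it ships. The wrapper is a usability guardrail, not an authorization control: the RBAC mapping from step 4 is what actually limits what the identity can do, and the prompt fires on the context kubectl will use, including an explicit `--context` override.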