Kubernetes JIT · powered by Cloudanix Agentic JIT

Prod cluster access. Without standing kubeconfigs, without shared cluster-admin, without mystery kubectl, in your own terminal.

Your engineers need to kubectl against prod. Today that means kubeconfigs on 40 laptops, a shared cluster-admin binding, and audit logs that all read kubernetes-admin. Kubernetes JIT replaces all of it: request in one click, approve in Slack, run cdx k8s connect, and work in kubectl, k9s or Lens — with every API call stamped to a real human.

✓ EKS · AKS · GKE · OpenShift · Rancher · self-managed
✓ Works with kubectl, k9s, Lens, Headlamp, Helm, JetBrains
✓ Public, semi-private & fully-private control planes
Request cluster access · Production
  Cluster: eks-prod-ap-south-1
  Role: view | edit | admin | cluster-admin
  Namespace: payments
  Duration: 30 min | 1 hr | 2 hr
  Reason: INC-7741 · crashloop
~/ — cdx k8s connect — 120×28
$ cdx k8s connect -i 4a2c91f8 -o af10a481 -w 14414595
CDX CLI Version: 0.2.15
Authentication verified
Approval found · valid for 30 min
Outbound tunnel to your VPC opened
Short-lived kubeconfig minted to localhost
Connected to eks-prod-ap-south-1 · role: edit · ns: payments
→ kubectl ready · stamped to sujay@cloudanix.com
kubectl · eks-prod-ap-south-1 · ns/payments
$ kubectl get pods -n payments
NAME                       READY  STATUS              AGE
payments-7d6c9-abc1        0/1    CrashLoopBackOff    8m
payments-7d6c9-def2        1/1    Running             2h
✓ session active · 24:18 left · audit → s3://your-bucket/jit-k8s/
signed as sujay@cloudanix.com, not kubernetes-admin
The problem

Every team that runs prod Kubernetes owns four compromises.

You can have a tight RBAC story, or you can have engineers who can fix a crashlooping pod on a Sunday — pick one. That's the deal most platform teams have made, and it stopped working the day the second cluster came online.

📜

Standing kubeconfigs

~/.kube/config on 40 laptops, each with the cluster cert and a long-lived token. Rotation breaks every dev's machine, so you don't. One stolen laptop is one kubectl delete ns away from a Sunday.

👑

Shared cluster-admin

Granting the right namespaced Role takes ten minutes of thinking. Granting cluster-admin takes one. So everyone has god-mode, “temporarily,” forever. A wrong-tab kubectl against prod is now a real outage path.

👻

K8s audit logs that audit nothing

The namespace got nuked at 3am by user kubernetes-admin. Which human was that? The K8s audit log says the shared cluster role. CloudTrail says STS assumed the same role. Your forensic story ends at the binding.
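To make that forensic dead end concrete, here is an added example (not Cloudanix code) that runs over a few constructed Kubernetes audit-log events. It pulls out the write verbs, tries to resolve each one to a human, and reports the ones it cannot. The only identity signal it uses beyond the username is user.extra.sessionName, which aws-iam-authenticator populates on EKS from the STS session name; the principal names, account ID, timestamps and object names are constructed for the example.

```python
"""Find write operations in a Kubernetes audit log that cannot be tied to a human.

Added example; not Cloudanix code. The events below are constructed to mirror the
page's "namespace nuked at 3am by kubernetes-admin" story.
"""
import json
from typing import Iterable, List, Optional

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Principals that several humans share; a hit on one of these needs a second identity signal.
SHARED_PRINCIPALS = {"kubernetes-admin"}

# Constructed sample audit lines (audit.k8s.io/v1 shape, trimmed to the fields used here).
SAMPLE_AUDIT_LINES = [
    # The 3am namespace delete: shared principal, no session name. Logged twice, as the API server does.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "RequestReceived",
                "verb": "delete", "requestReceivedTimestamp": "2025-01-12T03:02:11Z",
                "user": {"username": "kubernetes-admin", "groups": ["system:masters", "system:authenticated"]},
                "objectRef": {"resource": "namespaces", "name": "payments"}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "verb": "delete", "requestReceivedTimestamp": "2025-01-12T03:02:11Z",
                "user": {"username": "kubernetes-admin", "groups": ["system:masters", "system:authenticated"]},
                "objectRef": {"resource": "namespaces", "name": "payments"},
                "responseStatus": {"code": 200}}),
    # Same shared principal, but the STS session was named after the human who assumed the role.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "verb": "patch", "requestReceivedTimestamp": "2025-01-12T09:15:40Z",
                "user": {"username": "kubernetes-admin", "groups": ["system:masters", "system:authenticated"],
                         "extra": {"arn": ["arn:aws:sts::111122223333:assumed-role/eks-admin/priya@cloudanix.com"],
                                   "sessionName": ["priya@cloudanix.com"]}},
                "objectRef": {"resource": "daemonsets", "namespace": "kube-system", "name": "csi-driver"},
                "responseStatus": {"code": 200}}),
    # A read by the same principal; reads are out of scope for this check.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "verb": "list", "requestReceivedTimestamp": "2025-01-12T09:16:02Z",
                "user": {"username": "kubernetes-admin", "groups": ["system:masters", "system:authenticated"]},
                "objectRef": {"resource": "pods", "namespace": "payments"},
                "responseStatus": {"code": 200}}),
]


def human_behind(event: dict) -> Optional[str]:
    """Return the human identity an audit event can be attributed to, or None.

    On EKS, aws-iam-authenticator copies the STS session name into user.extra.sessionName,
    so a broker that names the session after the requester leaves a per-human trail even
    when everyone assumes the same IAM role. Without that, a shared principal is a dead end.
    """
    user = event.get("user", {})
    username = user.get("username", "")
    session = (user.get("extra", {}).get("sessionName") or [None])[0]
    if session and "@" in session:
        return session
    if username in SHARED_PRINCIPALS or "system:masters" in user.get("groups", []):
        return None
    return username or None  # e.g. an OIDC-issued username is already a human identity


def classify_writes(lines: Iterable[str]) -> List[dict]:
    """Every write verb at stage ResponseComplete, with the human it resolves to (or None)."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Each request is logged at RequestReceived and ResponseComplete; count it once.
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in WRITE_VERBS:
            continue
        ref = ev.get("objectRef", {})
        target = f"{ref.get('resource', '?')}/{ref.get('name', '?')}"
        if ref.get("namespace"):
            target = f"ns/{ref['namespace']} {target}"
        findings.append({
            "time": ev.get("requestReceivedTimestamp"),
            "verb": ev["verb"],
            "target": target,
            "principal": ev.get("user", {}).get("username"),
            "human": human_behind(ev),
        })
    return findings


def unattributed_writes(lines: Iterable[str]) -> List[dict]:
    """The subset of writes whose actor is a shared principal with no human behind it."""
    return [f for f in classify_writes(lines) if f["human"] is None]


if __name__ == "__main__":
    for f in classify_writes(SAMPLE_AUDIT_LINES):
        who = f["human"] or f"UNATTRIBUTED (shared principal {f['principal']})"
        print(f"{f['time']}  {f['verb']:<7} {f['target']:<40} {who}")
```

Run against a real export (one JSON event per line), this is the check an auditor would apply to the page's scenario: the delete on ns/payments lands in the unattributed bucket, the patch on the CSI DaemonSet resolves to a person even though both used the same kubernetes-admin principal. Whatever mechanism stamps the identity, this is the property the audit log has to end up with.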

🛡

Private control planes vs. real life

You did the right thing and made the API server private. Now nobody can kubectl from their laptop. So you caved: VPN with cluster-admin baked in, or a bastion everyone hops through. Either way, the moat is back, and the auditor still can't tell who did what.

How it works

One request. One approval. One command. Your own kubectl.

No browser-based “K8s console.” No agent inside your cluster. No replacing the RBAC you already wrote.

  1. Ask, don't guess

     Pick a cluster, role (view / edit / admin / cluster-admin), and namespace scope. Set a duration. Drop in an incident ID. One click — no kubeconfig surgery, no waiting on platform.

  2. Approve where the team lives

     Slack or Teams. view on one namespace can auto-approve. cluster-admin on prod escalates to a human. One click, and the clock starts.

  3. Tunnel opens outbound

     For fully-private clusters, cdx k8s connect dials outbound to a proxy in your own VPC / VNet. The API server stays private. No bastion. No VPN with cluster-admin baked in. Nothing new exposed.

  4. Short-lived kubeconfig. Familiar tools.

     A temporary kubeconfig is minted to your laptop, scoped to the role and namespace you were granted. Use plain kubectl, k9s, Lens, Headlamp, Helm or your IDE's Kubernetes plugin — they all just work.

  5. Every API call, stamped to a human

     Even when the cluster sees a shared assumed role, Cloudanix tags every kubectl and every exec session with the real human. K8s audit logs become forensics-grade. Full audit + recording lands in your S3. Session expires, kubeconfig wiped, tunnel closed.
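The five steps above reduce to two decisions a broker has to make: whether a request auto-approves, escalates or is denied, and what scoped RBAC binding an approved request turns into. The following is an added example, not Cloudanix's implementation; the duration caps, the "prod" cluster-naming convention and the jit.example/* annotation keys are assumptions. It renders a namespaced RoleBinding (or a ClusterRoleBinding for cluster-wide scope) onto the built-in ClusterRoles that carry the page's four tier names.

```python
"""Decide a JIT cluster-access request and render the scoped RBAC binding it would grant.

Added example; not Cloudanix code. The approval rules mirror the page's description:
view on one namespace auto-approves, cluster-admin always escalates to a human.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# The page's four tiers; they map onto Kubernetes' built-in ClusterRoles of the same names.
ROLE_TIERS = ("view", "edit", "admin", "cluster-admin")
# Hypothetical per-tier duration ceilings in minutes; a real deployment tunes these per cluster.
MAX_MINUTES = {"view": 240, "edit": 240, "admin": 120, "cluster-admin": 60}
PROD_MARKER = "prod"  # assumption: production clusters carry "prod" in their name


@dataclass(frozen=True)
class AccessRequest:
    requester: str            # human identity the session will be stamped to
    cluster: str
    role: str
    namespace: Optional[str]  # None means cluster-wide scope
    minutes: int
    reason: str               # incident or ticket reference


def decide(req: AccessRequest) -> tuple[str, str]:
    """Return ("auto-approve" | "escalate" | "deny", explanation)."""
    if req.role not in ROLE_TIERS:
        return "deny", f"unknown role tier {req.role!r}"
    if not req.reason.strip():
        return "deny", "a reason (incident or ticket ID) is required"
    if req.minutes <= 0 or req.minutes > MAX_MINUTES[req.role]:
        return "deny", f"{req.role} sessions are capped at {MAX_MINUTES[req.role]} min"
    if req.role == "cluster-admin":
        return "escalate", "cluster-admin always needs a human approver"
    if req.namespace is None:
        return "escalate", "cluster-wide scope needs a human approver"
    if req.role == "view":
        return "auto-approve", "read-only on a single namespace"
    if PROD_MARKER in req.cluster:
        return "escalate", f"{req.role} on a production namespace needs a human approver"
    return "auto-approve", f"{req.role} on a non-production namespace"


def render_binding(req: AccessRequest, granted_at: Optional[datetime] = None) -> dict:
    """Render the RBAC binding a broker would create once a request is approved.

    Namespaced requests become a RoleBinding, cluster-wide ones a ClusterRoleBinding; both
    reference the built-in ClusterRole named after the tier. Kubernetes RBAC has no native
    expiry, so the deadline lives in an annotation and the (hypothetical) broker deletes the
    binding when it lapses.
    """
    granted_at = granted_at or datetime.now(timezone.utc)
    expires_at = granted_at + timedelta(minutes=req.minutes)
    name = f"jit-{req.role}-{req.requester.split('@')[0]}-{int(granted_at.timestamp())}"
    metadata = {
        "name": name,
        "annotations": {                       # hypothetical annotation keys
            "jit.example/requester": req.requester,
            "jit.example/reason": req.reason,
            "jit.example/expires-at": expires_at.isoformat(),
        },
    }
    if req.namespace is not None:
        kind = "RoleBinding"
        metadata["namespace"] = req.namespace
    else:
        kind = "ClusterRoleBinding"
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": kind,
        "metadata": metadata,
        # Bind the human, not a shared group, so the binding itself records who was granted access.
        "subjects": [{"kind": "User", "name": req.requester, "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "ClusterRole", "name": req.role, "apiGroup": "rbac.authorization.k8s.io"},
    }


if __name__ == "__main__":
    # The page's three scenarios, as constructed requests.
    requests = [
        AccessRequest("sujay@cloudanix.com", "eks-prod-ap-south-1", "view", "payments", 30, "INC-7741"),
        AccessRequest("priya@cloudanix.com", "eks-prod-ap-south-1", "cluster-admin", None, 60, "INC-7741"),
        AccessRequest("alex@partner-co.com", "eks-prod-ap-south-1", "edit", "vendor-app", 240, "SOW-204"),
    ]
    for r in requests:
        verdict, why = decide(r)
        print(f"{r.requester:<24} {r.role:<14} {r.namespace or '(cluster)':<12} -> {verdict}: {why}")
        if verdict == "auto-approve":
            print("   binding:", render_binding(r)["metadata"]["name"])
```

Two things the example makes visible that the prose only implies: the binding names a single human as its subject, which is what later lets the audit trail point at a person rather than at a group; and because RBAC has no clock of its own, the short-lived kubeconfig and the broker's cleanup of the binding are both needed for "expires on a clock" to hold.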

Real-world scenarios

Same JIT. Whoever needs the cluster.

SREs on-call, platform engineers, vendors deploying a Helm chart, auditors capturing RBAC evidence — one flow for everyone who touches your clusters, with the guardrails tuned per case.

scenario · INC-7741 · eks-prod · ns/payments · view
sujay (SRE): Pager fired — pods crashlooping in payments. Need to tail logs and check the deploy. Nothing more.
Sujay · kubectl → tunnel → Cloudanix JIT → scoped kubeconfig → eks-prod · payments
scope granted: role: view · ns: payments · 30m · auto-approved · INC-7741
$ kubectl get pods -n payments
NAME                  READY  STATUS              AGE
payments-7d6c9-abc1   0/1    CrashLoopBackOff    8m
$ kubectl logs -n payments payments-7d6c9-abc1 --tail=2
ERROR: connection pool exhausted
ERROR: probe failed
✓ stamped to sujay@cloudanix.com · audit → S3
⛔ Session closed · 04:12
scenario · eks-prod · platform · cluster-admin
priya (platform): CSI driver is stuck — volumes won't attach on three nodes. Need to roll the DaemonSet and cordon a node.
⚠ cluster-admin · prod · irreversible
✓ Approved by sre-lead · 12s
Priya · k9s → tunnel → Cloudanix JIT → scoped kubeconfig → eks-prod (all ns)
scope granted: cluster-admin · 60m · reason: INC-7741 · linked
$ kubectl rollout restart ds/csi-driver -n kube-system
daemonset.apps/csi-driver restarted
$ kubectl cordon node-3
node/node-3 cordoned
# volumes attaching. incident resolved.
✓ Every kubectl stamped · priya@cloudanix.com
⛔ Session closed · recording → INC-7741
scenario · vendor · helm install · ns/vendor-app
alex (vendor): Installing the observability-agent Helm chart in vendor-app. From my laptop, through the same cdx CLI your team uses. No kubeconfig on my machine.
Alex · helm → tunnel → Cloudanix JIT → scoped kubeconfig → eks-prod · vendor-app
scope granted: edit · ns: vendor-app · 4h · SOW-204 · auto-expire today
$ helm install observability-agent ./chart -n vendor-app
NAME: observability-agent
STATUS: deployed
REVISION: 1
NOTES:
  observability-agent is installed in ns/vendor-app
✓ Every API call stamped · alex@partner-co.com
⛔ Access ends 17:00 · no access tomorrow
scenario · SOC 2 audit · RBAC evidence
nadia (auditor): Need to capture ClusterRoleBindings, NetworkPolicies, and PSA labels across three prod clusters. Read-only, with a recording.
Nadia · kubectl → tunnel → Cloudanix JIT → scoped kubeconfig → prod fleet · 3 clusters
scope granted: view · all-ns · 1h · recorded · SOC2-AUD-22
$ kubectl get clusterrolebindings -o wide | wc -l
47
$ kubectl get networkpolicies -A | wc -l
112
$ kubectl get ns -L pod-security.kubernetes.io/enforce
NAME         ENFORCE
payments     restricted
billing      baseline
✓ Evidence bundle exported · signed
⛔ Session recording → s3://audit-evidence/

Works the same with EKS · AKS · GKE · OpenShift · Rancher · k3s · kOps · self-managed … any conformant Kubernetes
The model

Your engineer sees a cluster. You keep the bindings.

What the engineer sees
  • A one-click request in the Cloudanix console or Slack
  • Their normal kubectl, k9s, Lens or Helm, connected to the right cluster
  • A normal kubeconfig context, scoped to the role and namespace they were granted
  • No long-lived kubeconfig on their laptop. No bastion to SSH. Nothing to set up again tomorrow.
cdx k8s connect
What security keeps
  • The API server private, no new ingress, no VPN-with-cluster-admin
  • The RBAC you already wrote — JIT plugs into native EKS, AKS & GKE auth, no agent inside the cluster
  • A session tied to a real human, even when the assumed role is shared
  • Every kubectl, every exec, every Helm install — audit + recording in your S3 bucket
Governance & recordings stay in your cloud.
Session replay

Recordings, not just audit lines. Scrub any past session like a video.

Every JIT session — every kubectl, every helm install, every interactive exec — is captured as a replayable recording. Watch it in the Cloudanix console, download it for offline playback, or send a signed URL to your auditor.

recording · INC-7741 · eks-prod · 04:12 total
[00:14] $ kubectl get pods -n payments
[00:32]   payments-7d6c9-abc1   0/1   CrashLoopBackOff
[01:07] $ kubectl logs -n payments payments-7d6c9-abc1 --tail=3
[01:08]   ERROR: connection pool exhausted
[02:21] $ kubectl rollout restart deploy/payments -n payments
[02:24]   deployment.apps/payments restarted
[03:02] $ kubectl get pods -n payments -w
[04:11] $ exit
stamped: priya@cloudanix.com · cluster: eks-prod · role: cluster-admin · writes: 2 events
  • Watch in the console

    Every session lands as a replayable recording. Jump straight to the moment a delete ran or a Helm release was upgraded — no scrolling through thousand-line audit dumps.

  • Download for offline replay

    Pull the session bundle and play it back locally during an incident review — no console login required for the people in the war room.

  • Share with a signed URL

    Give a SOC 2 auditor timed access to one specific session. The link expires. The recording stays in your S3 bucket. Nothing copied, nothing leaked.

Client-native

Use the Kubernetes tools you already know.

Kubernetes JIT writes a normal kubeconfig context to localhost. If it speaks the Kubernetes API — kubectl, k9s, Lens, Headlamp, Helm, kustomize, or your IDE's Kubernetes plugin — it just works. No browser-based shell to learn.

kubectl
k9s
Lens · OpenLens
Headlamp
Helm
kustomize
VS Code · JetBrains plugin
Any kubeconfig-compatible client
What you get

Everything a compliant, auditable Kubernetes flow requires — none of the kubeconfig juggling your team hates.

📜

Zero standing kubeconfig

No long-lived ~/.kube/config on laptops. Minted per request, scoped, expires on a clock.

🎯

Cluster & namespace scope

Grant view / edit / admin / cluster-admin at cluster or namespace level — not god-mode every time.

🪪

Identity-stamped audit

Shared assumed roles stay shared. Every API call is still tied to a real human — the one your K8s audit log and SOC 2 evidence actually need.

Tiered approvals

Auto-approve view in one namespace. Escalate cluster-admin on prod to Slack or Teams. Tune the thresholds per cluster, per team.

🛡

Works on private clusters

Fully private EKS / AKS / GKE control planes — reached over an outbound tunnel to your own VPC / VNet. No VPN with cluster-admin baked in.

🧬

Native auth · no in-cluster agent

JIT plugs into the cluster's native auth — EKS access entries, Entra ID + Azure RBAC, GKE IAM. Nothing new to install inside the cluster.

🎥

Session recording in your S3

Every kubectl, every exec, every Helm install — replayable, with identity and timestamp. Recordings never leave your account unless you ask.

🧑‍💻

Any kubectl client, no lock-in

kubectl, k9s, Lens, Headlamp, Helm, kustomize, VS Code, JetBrains — engineers keep the tools they love.

🌐

One JIT for humans & agents

Same policy engine, same approval flow, same audit — whether the requester is a person, a CI/CD job, or an AI coding agent over MCP.

Ready to see your graph?

Connect a cloud account in under 30 minutes. See every finding rooted in identity, asset, and blast radius — with a fix path attached.
