Skip to main content

kubectl escalate

kubectl escalate [flags]

Create a time-limited privilege escalation. Your identity is resolved via the Kubernetes SelfSubjectReview API — it cannot be supplied or forged via CLI arguments.

Cluster-wide (--namespace omitted) creates a ClusterRoleBinding. Namespace-scoped (--namespace <ns>) creates a RoleBinding.

Flags

FlagRequiredDescription
--to stringClusterRole (cluster-wide) or Role (namespace-scoped) to bind
--duration durationEscalation TTL, e.g. 1h, 30m, 90m
--reason stringHuman-readable justification (stored as annotation)
-n, --namespace stringScope to a RoleBinding; omit for cluster-wide ClusterRoleBinding
--kubeconfig stringPath to kubeconfig

Examples

# Cluster-wide escalation for 1 hour
kubectl escalate \
--to cluster-admin \
--duration 1h \
--reason "Deploying CNPG update"

# Namespace-scoped escalation for 30 minutes
kubectl escalate \
--to editor \
--namespace tenant-acme \
--duration 30m \
--reason "Fixing broken deployment"

Annotations written

The plugin writes the following annotations to the created binding:

AnnotationValue
kube-escalate/managed"true" (label)
kube-escalate/expires-atRFC3339 expiry timestamp
kube-escalate/requesterUsername from SelfSubjectReview
kube-escalate/reasonValue of --reason
kube-escalate/original-groupsOIDC groups from SelfSubjectReview