feat: add token support for kubectl commands #37

Merged
EItanya merged 10 commits into main from eitanya/kubectl-token-support on Feb 17, 2026

EItanya (Contributor) commented Dec 29, 2025

Some users of the kagent tool server want to be able to use client authentication for k8s tools. In order to enable this, the k8s tools will now attempt to pass Bearer tokens from the request into the kubectl commands.

Introduces Helm values for configuring this:

# When true: pods use the default service account and no ClusterRole/ClusterRoleBinding are created.
# When false: a dedicated ServiceAccount and RBAC are created.
UseDefaultServiceAccount: false
tools:
  k8s:
    # When true: a Bearer token in the Authorization header on each request is passed to kubectl; fails if missing
    # When false: kubectl uses in-cluster ServiceAccount.
    tokenPassthrough: false

Testing

Defaults (matches current approach)

UseDefaultServiceAccount: false
tools:
  k8s:
    tokenPassthrough: false

Output:

time=2026-02-16T19:56:35.920Z level=INFO msg="executing command" trace_id=bd2fb0c590239cb8b183e60f4c0801bd span_id=7dcc9f5c919cb145 command=kubectl args="[get namespaces -o wide]"
time=2026-02-16T19:56:36.153Z level=INFO msg="command execution successful" trace_id=bd2fb0c590239cb8b183e60f4c0801bd span_id=7dcc9f5c919cb145 command=kubectl args="[get namespaces -o wide]" duration=0.233024001

Token passthrough + disable service account

UseDefaultServiceAccount: false
tools: 
  k8s:
    tokenPassthrough: false

With token:

time=2026-02-16T19:59:41.010Z level=INFO msg="executing command" trace_id=bd2fb0c590239cb8b183e60f4c0801bd span_id=ce0a811d4704fc88 command=kubectl args="[get namespaces -o wide --token <REDACTED>]"
time=2026-02-16T19:59:41.384Z level=INFO msg="command execution successful" trace_id=bd2fb0c590239cb8b183e60f4c0801bd span_id=ce0a811d4704fc88 command=kubectl args="[get namespaces -o wide --token <REDACTED>]" duration=0.374007129

Without token, the client receives:
Bearer token required when TOKEN_PASSTHROUGH is true

Signed-off-by: Eitan Yarmush <eitan.yarmush@solo.io>
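
Added example (not part of this PR or the kagent code base): the behaviour described above in Go, where the Bearer token from the request's Authorization header is appended to the kubectl arguments, the call fails when the token is missing, and the logged arguments carry `<REDACTED>` in place of the token. The function names and the rejection of a caller-supplied `--token` argument are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// ErrTokenRequired reuses the error text quoted in the PR description.
var ErrTokenRequired = errors.New("Bearer token required when TOKEN_PASSTHROUGH is true")

// bearerToken extracts the credential from an "Authorization: Bearer <token>" header.
func bearerToken(h http.Header) (string, bool) {
	scheme, tok, ok := strings.Cut(strings.TrimSpace(h.Get("Authorization")), " ")
	tok = strings.TrimSpace(tok)
	if !ok || !strings.EqualFold(scheme, "Bearer") || tok == "" || strings.ContainsAny(tok, " \t\r\n") {
		return "", false
	}
	return tok, true
}

// kubectlArgs (hypothetical helper) returns the argv to execute and a redacted
// copy that is safe to write to logs. base is never modified.
func kubectlArgs(base []string, h http.Header, passthrough bool) (args, logArgs []string, err error) {
	args = append([]string{}, base...)
	logArgs = append([]string{}, base...)
	if !passthrough {
		return args, logArgs, nil // kubectl uses the in-cluster ServiceAccount
	}
	for _, a := range base { // assumption: tool arguments may not carry their own token
		if a == "--token" || strings.HasPrefix(a, "--token=") {
			return nil, nil, errors.New("--token may not be supplied in tool arguments")
		}
	}
	tok, ok := bearerToken(h)
	if !ok {
		return nil, nil, ErrTokenRequired // fail closed, no ServiceAccount fallback
	}
	// The token ends up in the child's argv, so only logArgs should ever be logged.
	return append(args, "--token", tok), append(logArgs, "--token", "<REDACTED>"), nil
}

func main() {
	h := http.Header{}
	h.Set("Authorization", "Bearer constructed-sample-token") // constructed value
	_, logArgs, err := kubectlArgs([]string{"get", "namespaces", "-o", "wide"}, h, true)
	fmt.Println(logArgs, err)
}
```
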

dimetron (Collaborator) commented Jan 5, 2026

@EItanya I have only one concern: whether this will be consistent across all other tools.

EItanya (Contributor, Author) commented Jan 5, 2026

> @EItanya I have only one concern: whether this will be consistent across all other tools.

I think that's fair; the issue is that not all CLIs allow for passing tokens in this way.

Signed-off-by: Jeremy Alvis <jeremy.alvis@solo.io>
iplay88keys force-pushed the eitanya/kubectl-token-support branch from 6f0cb36 to fbc804d on January 28, 2026 21:02
EItanya merged commit e4347f5 into main Feb 17, 2026
5 checks passed