
Entitle + Kubernetes

Integration Highlights
On-demand rolebinding
Create RoleBinding/ClusterRoleBinding objects with a TTL for specific Roles/ClusterRoles; bindings are automatically garbage‑collected at expiry.
User-Session Attribution
Attribute kubectl activity to the requesting user and request ID for precise forensics even when access is temporary.
Namespace and Cluster Scoped Access
Constrain elevation to a namespace or to the whole cluster. Default‑deny cluster‑admin unless exceptional approvals are satisfied.
How it Works
An in‑cluster agent (or API access) applies namespace‑ or cluster‑scoped RBAC via RoleBinding/ClusterRoleBinding; the agent runs with minimal RBAC and network egress controls.
Bindings are annotated with request metadata and TTL; a controller cleans them up on expiry to prevent drift and standing privilege.
Kubectl activity during the window is attributed back to the requester, improving post‑incident forensics and access reviews
Want to see Entitle + Kubernetes live?

