Some environments and workflows require programmatic or terminal-only access to Kubernetes clusters without relying on browser-based authentication. This is particularly important for CI/CD pipelines, remote systems without a graphical interface, or users working over SSH.
By default, our platform uses OIDC-based authentication, which prompts a login flow through your local browser. While this approach is secure and user-friendly for interactive sessions, it isn't always suitable for automated or headless environments.
We provide headless access via a Kubernetes Service Account token. This approach bypasses the OIDC browser flow and enables direct access through a generated kubeconfig file.
The service account we expose is the same one used by GitOps tools that need to make changes to the Management Cluster. By reusing this account, you gain authenticated, stable, and non-interactive access without managing user credentials.
You can generate a kubeconfig from this account with the following command:
This will create a syself-headless-kubeconfig.yaml file you can use with tools like kubectl, helm, or in CI/CD pipelines:
This is a persistent token. Unlike OIDC flows that expire and require reauthentication, a service account token does not expire unless manually revoked.
Treat the token like a password. Anyone with access to this kubeconfig has the same permissions as the service account. Store it securely and avoid committing it to version control.
Prefer OIDC for human users. This headless access method is best suited for automation. For human users, browser-based login remains the safest and most auditable path.
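One way to check a generated kubeconfig before handing it to a pipeline, as an added example that is not part of the platform's tooling: it flags file permissions wider than owner-only and embedded tokens whose JWT payload has no exp claim, which is the persistent kind described above. The regex-based token lookup and the sample kubeconfig builder are assumptions constructed for illustration.

```python
import base64, json, os, re, stat, sys

# Matches "token: <value>" lines in a YAML kubeconfig
# (assumption: the token is stored inline, not via an exec plugin or tokenFile).
TOKEN_RE = re.compile(r"^\s*token:\s*[\"']?([A-Za-z0-9_.=-]+)[\"']?\s*$", re.M)

def jwt_claims(token):
    """Decode the JWT payload without verifying the signature; None if not a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def audit_kubeconfig(path):
    """Return a list of findings for one kubeconfig file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} lets group/others read the token; use 0600")
    with open(path, encoding="utf-8") as fh:
        tokens = TOKEN_RE.findall(fh.read())
    for token in tokens:
        claims = jwt_claims(token)
        if claims is None:
            findings.append("opaque bearer token embedded; lifetime unknown")
        elif "exp" not in claims:
            findings.append("token has no exp claim: valid until manually revoked")
    return findings

def constructed_kubeconfig(claims):
    """Sample kubeconfig around a fake, unsigned JWT (constructed test data)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    token = ".".join([enc({"alg": "RS256"}), enc(claims), "c2lnbmF0dXJl"])
    return f"apiVersion: v1\nkind: Config\nusers:\n- name: headless\n  user:\n    token: {token}\n"

if __name__ == "__main__":
    # Usage: python audit.py path/to/kubeconfig.yaml ; exits non-zero on findings.
    results = audit_kubeconfig(sys.argv[1])
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```

Run as a CI step, the non-zero exit code stops the job when the kubeconfig is world-readable or carries a non-expiring token that was not expected there.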