
# Kubernetes

> Manage Kubernetes resources through kubectl commands or native API access. This integration supports both CLI-based workflows and direct interaction with the Kubernetes API for full cluster control.

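export const ConnectionTemplate = ({config}) => {
  /*
   * Renders the shared connection quickstart layout: a "Before you start"
   * section, an optional "Requirements" section, the feature support table,
   * and an optional "Configuration" table built from
   * config.resourceConfiguration.credentials.
   *
   * config: object whose top-level keys override the defaults below.
   */
  const defaultConfig = {
    name: "Connection",
    description: "Connection description",
    coverImage: "",
    features: {
      tlsTerminationProxy: {
        native: false,
        oneOff: false
      },
      audit: {
        native: false,
        oneOff: false
      },
      dataMaskingGoogleDLP: {
        native: false,
        oneOff: false
      },
      dataMaskingMSPresidio: {
        native: false,
        oneOff: false
      },
      guardrails: {
        native: false,
        oneOff: false
      },
      credentialsOffload: {
        native: false,
        oneOff: false
      },
      interactiveAccess: {
        native: false,
        oneOff: false
      }
    }
  };
  // Shallow merge: a `features` object supplied in config replaces the default
  // one as a whole. Features missing from it still render as unsupported,
  // because every lookup below uses optional chaining and renderIcon treats
  // undefined as "not enabled".
  const finalConfig = Object.assign({}, defaultConfig, config);
  // Check mark for a truthy flag, x mark otherwise. `Icon` is not defined in
  // this block (presumably a component provided by the docs framework).
  const renderIcon = enabled => {
    return enabled ? <Icon icon="check" /> : <Icon icon="xmark" />;
  };
  return <div>
      <h2>Before you start</h2>
      <p>To get the most out of this guide, you will need to:</p>
      <ul>
        <li>Either <a href="https://use.hoop.dev">create an account in our managed instance</a> or <a href="/getting-started/installation/overview">deploy your own hoop.dev instance</a></li>
        <li>You must be your account administrator to perform the following commands</li>
      </ul>

      {finalConfig.requirements && <>
          <h2>Requirements</h2>
          <p>{finalConfig.requirements.description}</p>
          {finalConfig.requirements.items && <ul>
            {finalConfig.requirements.items.map((item, index) => <li key={index}>{item}</li>)}
          </ul>}
        </>}

      <h2>Features</h2>
      <p>The table below outlines the features available for this type of connection.</p>

      <ul>
        <li><strong>Native</strong> - Accessible via a native connection using hoop as proxy protocol to the resource.</li>
        <li><strong>One Off</strong> - This term refers to accessing the resource from Hoop Web Console.</li>
      </ul>

      <table>
        <thead>
          <tr>
            <th>Feature</th>
            <th>Native</th>
            <th>One Off</th>
            <th>Description</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td>TLS Termination Proxy</td>
            <td>{renderIcon(finalConfig.features?.tlsTerminationProxy?.native)}</td>
            <td>{renderIcon(finalConfig.features?.tlsTerminationProxy?.oneOff)}</td>
            <td>The local proxy terminates the connection with TLS, enabling the connection with the remote server to be TLS encrypted.</td>
          </tr>
          <tr>
            <td>Audit</td>
            <td>{renderIcon(finalConfig.features?.audit?.native)}</td>
            <td>{renderIcon(finalConfig.features?.audit?.oneOff)}</td>
            <td>The gateway stores and audits the queries being issued by the client.</td>
          </tr>
          <tr>
            <td>Data Masking (Google DLP)</td>
            <td>{renderIcon(finalConfig.features?.dataMaskingGoogleDLP?.native)}</td>
            <td>{renderIcon(finalConfig.features?.dataMaskingGoogleDLP?.oneOff)}</td>
            <td>A policy can be enabled to mask sensitive fields dynamically when performing queries in the database.</td>
          </tr>
          <tr>
            <td>Data Masking (MS Presidio)</td>
            <td>{renderIcon(finalConfig.features?.dataMaskingMSPresidio?.native)}</td>
            <td>{renderIcon(finalConfig.features?.dataMaskingMSPresidio?.oneOff)}</td>
            <td>A policy can be enabled to mask sensitive fields dynamically when performing queries in the database.</td>
          </tr>
          <tr>
            <td>Guardrails</td>
            <td>{renderIcon(finalConfig.features?.guardrails?.native)}</td>
            <td>{renderIcon(finalConfig.features?.guardrails?.oneOff)}</td>
            <td>An intelligent layer of protection with smart access controls and monitoring mechanisms.</td>
          </tr>
          <tr>
            <td>Credentials Offload</td>
            <td>{renderIcon(finalConfig.features?.credentialsOffload?.native)}</td>
            <td>{renderIcon(finalConfig.features?.credentialsOffload?.oneOff)}</td>
            <td>The user authenticates via SSO instead of using database credentials.</td>
          </tr>
          <tr>
            <td>Interactive Access</td>
            <td>{renderIcon(finalConfig.features?.interactiveAccess?.native)}</td>
            <td>{renderIcon(finalConfig.features?.interactiveAccess?.oneOff)}</td>
            <td>Interactive access is available when using an IDE or connecting via a terminal to perform analysis exploration.</td>
          </tr>
        </tbody>
      </table>

      {finalConfig.resourceConfiguration?.credentials && <>
      <h2>Configuration</h2>
      <table>
        <thead>
          <tr>
            <th>Name</th>
            <th>Type</th>
            <th>Required</th>
            <th>Description</th>
          </tr>
        </thead>
        <tbody>
          {Object.entries(finalConfig.resourceConfiguration.credentials).map(([key, credential]) => {
            // Plain-string entries and entries flagged `hidden` get no row.
            if (typeof credential === 'string' || credential.hidden) return null;
            return <tr key={key}>
                <td>{credential.name}</td>
                <td>{credential.type}</td>
                <td>{credential.required ? 'yes' : 'no'}</td>
                <td>
                  {credential.description?.split(/(\[[^\]]+\]\([^)]+\))/).map((part, index) => {
                    // The capture group in split() keeps each markdown-style
                    // [text](url) token as its own array element, so it can be
                    // turned into an anchor while the rest stays plain text.
                    const linkMatch = part.match(/\[([^\]]+)\]\(([^)]+)\)/);
                    if (linkMatch) {
                      // rel="noopener noreferrer" keeps the opened tab from
                      // reaching back through window.opener.
                      // NOTE(review): the URL is used as href verbatim, with no
                      // scheme check, so descriptions must come from trusted
                      // content; restrict to http(s) if that ever changes.
                      return <a key={index} href={linkMatch[2]} target="_blank" rel="noopener noreferrer">{linkMatch[1]}</a>;
                    }
                    return part;
                  })}
                </td>
              </tr>;
          }).filter(Boolean)}
        </tbody>
      </table>
      </>}
    </div>;
};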

<ConnectionTemplate
  config={{
"id": "kubernetes-token",
"name": "Kubernetes",
"description": "Manage Kubernetes resources through kubectl commands or native API access. This integration supports both CLI-based workflows and direct interaction with the Kubernetes API for full cluster control.",
"category": "cloud-services",
"icon-name": "kubernetes",
"tags": [
"containers",
"cli"
],
"overview": {
"description": "Manage Kubernetes resources through kubectl commands or native API access. This integration supports both CLI-based workflows and direct interaction with the Kubernetes API for full cluster control."
},
"setupGuide": {
"accessMethods": {
  "webapp": true,
  "cli": true,
  "runbooks": true
}
},
"resourceConfiguration": {
"credentials": [
  {
    "type": "env-var",
    "required": false,
    "name": "KUBERNETES_CLUSTER_URL",
    "description": "The Kubernetes API Server URL. Defaults to the in-cluster value\nhttps://kubernetes.default.svc.cluster.local",
    "placeholder": "https://kubernetes.default.svc.cluster.local"
  },
  {
    "type": "env-var",
    "required": false,
    "name": "KUBERNETES_INSECURE_SKIP_VERIFY",
    "description": "Controls whether a client verifies the server's certificate chain and host name. If set to true, the client accepts any certificate presented by the server and any host name in that certificate, which leaves the connection open to machine-in-the-middle interception, so enable it only for testing. Defaults to false if no value is provided.",
    "placeholder": "true"
  },
  {
    "type": "env-var",
    "required": false,
    "name": "KUBERNETES_BEARER_TOKEN",
    "description": "The bearer token to authenticate with Kubernetes. By default, the token is read from the service account when running inside the Kubernetes cluster.",
    "placeholder": "Bearer <k8s-bearer-token>"
  }
],
"type": "custom",
"subtype": "kubernetes",
"command": [
  "bash"
]
},
"features": {
"tlsTerminationProxy": {
  "native": true,
  "oneOff": true
},
"audit": {
  "native": true,
  "oneOff": true
},
"dataMaskingGoogleDLP": {
  "native": false,
  "oneOff": false
},
"dataMaskingMSPresidio": {
  "native": true,
  "oneOff": true
},
"guardrails": {
  "native": true,
  "oneOff": true
},
"credentialsOffload": {
  "native": true,
  "oneOff": true
},
"interactiveAccess": {
  "native": true,
  "oneOff": true
}
},
"documentationConfig": {
"path": "quickstart/cloud-services/kubernetes/kubernetes"
}
}}
/>

## Service Account Setup

1. Create a service account

```sh theme={null}
kubectl create serviceaccount mysa -n hoopdev
```

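2. Create a new token. Tokens issued by `kubectl create token` are time-bound; pass `--duration` to request a specific lifetime, and handle the printed value as a secret.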

```sh theme={null}
kubectl create token mysa -n hoopdev
```

3. Assign RBAC permissions

```sh theme={null}
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mysa-role
  namespace: hoopdev
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mysa-binding
  namespace: hoopdev
subjects:
  - kind: ServiceAccount
    name: mysa
    namespace: hoopdev
roleRef:
  kind: Role
  name: mysa-role
  apiGroup: rbac.authorization.k8s.io
EOF
```

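The Hoop resource can now perform the following actions, limited to the `hoopdev` namespace because the permissions are granted through a namespaced Role: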

* List Pods
* Get Pods
* Watch Pods
