This guide explains how to access a Kubernetes cluster through Hoop using a Kubernetes Service Account token, with full SSO enforcement, Just-In-Time access, and complete auditability.
You can use this method with the Kubernetes API or with kubectl.

1. Create a Service Account

kubectl create serviceaccount my-sa -n my-namespace

2. Generate a Service Account Token

Create a Kubernetes Secret that holds the token:

apiVersion: v1
kind: Secret
metadata:
  name: my-sa-token
  namespace: my-namespace
  annotations:
    kubernetes.io/service-account.name: my-sa
type: kubernetes.io/service-account-token

Apply the Secret:

kubectl apply -f sa-token.yaml

Extract the token:

kubectl -n my-namespace get secret my-sa-token \
  -o jsonpath='{.data.token}' | base64 -d

You will use this token inside the Hoop HTTP connection.

3. Assign RBAC Permissions

The following example grants read-only access to pods:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: my-sa-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-sa-binding
  namespace: my-namespace
subjects:
  - kind: ServiceAccount
    name: my-sa
    namespace: my-namespace
roleRef:
  kind: Role
  name: my-sa-role
  apiGroup: rbac.authorization.k8s.io

Apply the RBAC rules:

kubectl apply -f rbac.yaml

4. Configure the Hoop HTTP Connection

In Hoop, create an HTTP connection pointing to your Kubernetes API server.

Example connection configuration:

• URL:https://<your-kubernetes-api-endpoint>
  
• Allow insecure SSL:
  ✔ Enable if your cluster uses self-signed certificates.
• Header injection:Authorization: Bearer <SERVICE_ACCOUNT_TOKEN>
  

Hoop will automatically inject this header into every request, ensuring consistent Kubernetes authentication.

5. Start a Hoop Session (Local Proxy)

hoop connect <connection-name>

This creates a local proxy endpoint, for example:

http://127.0.0.1:8081

All authenticated Kubernetes traffic will flow through this local port.

6. Configure kubectl to Use Hoop

Create or update your kubeconfig:

apiVersion: v1
clusters:
- cluster:
    server: http://127.0.0.1:8081
    insecure-skip-tls-verify: true
  name: hoop-k8s

contexts:
- name: hoop-context
  context:
    cluster: hoop-k8s

current-context: hoop-context

No user or token is needed in the kubeconfig — Hoop handles authentication via the injected header.

7. Use kubectl Normally

kubectl get pods
kubectl get namespaces
kubectl describe pod <name>

Everything runs through Hoop with SSO-protected, audited access.

8. Call the Kubernetes API Through Hoop

Example:

curl http://127.0.0.1:8081/api

List pods:

curl http://127.0.0.1:8081/api/v1/namespaces/my-namespace/pods

Hoop injects the Service Account token on your behalf.

Why Use Hoop for Kubernetes Access?

✔ SSO-Protected Access

All users authenticate through your identity provider (Okta, Google Workspace, Azure AD, etc.).
They never see the Kubernetes token.

✔ Just-In-Time Access Control

Sessions can require approval.
The Service Account token is only usable inside Hoop — never directly from user machines.

✔ Zero Credential Exposure

Developers use kubectl normally.
Hoop manages authentication securely behind the scenes.

✔ Full Audit Trail

Every request is logged with user identity, request path, method, timestamp, and session metadata.

✔ Works with Any Kubernetes Distribution

EKS, GKE, AKS, OpenShift, K3s, Kind, on-prem clusters, and more.