Kubectl Query-Level Approval


Kubectl Query-Level Approval is the control layer that makes sure only the right commands run in Kubernetes. It’s not about slowing work down. It’s about knowing exactly who triggered what, when, and why. In fast-moving environments, one wrong query can delete pods, drop data, or expose secrets. Query-Level Approval adds a checkpoint before any kubectl operation reaches the API server.

With query-level rules, approval happens in real time. The system intercepts each kubectl action (get, apply, delete, exec) and checks it against a predefined policy. Those policies are more granular than role-based access control (RBAC), which works at resource and verb levels. Query-Level Approval evaluates the actual command: the namespace targeted, resource name pattern, label selectors, even query parameters. If the command doesn't match the rules, the system pauses it and waits for approval from a designated reviewer.

This control solves a critical gap. RBAC stops certain commands outright, but once a user has permissions, RBAC won't stop questionable queries. Query-Level Approval closes that gap by adding dynamic, situational checks, the kind you can update daily without touching permanent permissions.

For example:

  • Only allow kubectl delete on deployments in staging, never in production.
  • Require a second approver for commands touching stateful sets.
  • Block exec into pods with sensitive labels unless explicitly approved.
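
The three rules above, written as a first-match policy and evaluated against parsed kubectl command lines. This is an added example, not hoop.dev's code or policy format: the rule schema, the decision names, the `sensitivity=high` label, and the `pod_labels` lookup are assumptions made for illustration.

```python
import shlex
from fnmatch import fnmatch

ALIASES = {"deploy": "deployment", "deployments": "deployment", "po": "pod",
           "pods": "pod", "sts": "statefulset", "statefulsets": "statefulset"}
# Hypothetical rule format, first match wins. The "sensitivity=high" label and
# the final allow rule for other pods are assumptions made for this example.
RULES = [
    {"verb": "delete", "kind": "deployment", "ns": "staging", "decision": "allow"},
    {"verb": "delete", "kind": "deployment", "ns": "*", "decision": "deny"},
    {"verb": "*", "kind": "statefulset", "ns": "*", "decision": "second_approver"},
    {"verb": "exec", "kind": "pod", "ns": "*", "label": ("sensitivity", "high"),
     "decision": "needs_approval"},
    {"verb": "exec", "kind": "pod", "ns": "*", "decision": "allow"},
]

def parse(cmd):
    """Extract (verb, kind, name, namespace) from a kubectl command line."""
    args = shlex.split(cmd)[1:]
    # Ignore the in-container command that follows "--" in exec.
    args = args[:args.index("--")] if "--" in args else args
    ns, pos, i = "default", [], 0
    while i < len(args):
        a = args[i]
        if a in ("-n", "--namespace") and i + 1 < len(args):
            ns, i = args[i + 1], i + 1
        elif a.startswith("--namespace="):
            ns = a.split("=", 1)[1]
        elif not a.startswith("-"):
            pos.append(a)
        i += 1
    verb, rest = (pos[0], pos[1:]) if pos else ("", [])
    if rest and "/" in rest[0]:  # TYPE/NAME form, e.g. deploy/web
        kind, name = rest[0].split("/", 1)
    elif verb == "exec":  # a bare exec target is a pod name
        kind, name = "pod", (rest[0] if rest else "")
    else:
        kind, name = (rest + ["", ""])[:2]
    return verb, ALIASES.get(kind.lower(), kind.lower()), name, ns

def evaluate(cmd, pod_labels=None):
    """Decide on cmd; pod_labels is a constructed {pod name: labels} lookup."""
    verb, kind, name, ns = parse(cmd)
    labels = (pod_labels or {}).get(name)  # None = unknown, which fails closed
    for r in RULES:
        if not (fnmatch(verb, r["verb"]) and kind == r["kind"] and fnmatch(ns, r["ns"])):
            continue
        if "label" in r and labels is not None and labels.get(r["label"][0]) != r["label"][1]:
            continue
        return r["decision"]
    return "needs_approval"  # unmatched commands pause for a reviewer
```

Only the namespace flag is modelled; a command the parser cannot classify matches no rule and falls through to `needs_approval` rather than being allowed.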

The workflow stays lean. An engineer runs the command, the system flags it, and an approver confirms with a single action. Once approved, kubectl runs normally. Every decision is logged, creating an auditable trail of who approved what and when.

Implementing Kubectl Query-Level Approval reduces risk while keeping delivery speed. It embodies least privilege without constant config rewrites. When the cluster is your backbone, a small gate at the query level protects everything behind it.

See how Query-Level Approval works in practice on hoop.dev. Deploy it, connect your cluster, and watch it intercept and approve kubectl queries in minutes.
