Kubectl Query-Level Approval

Kubectl Query-Level Approval is the control layer that makes sure only the right commands run in Kubernetes. It’s not about slowing work down. It’s about knowing exactly who triggered what, when, and why. In fast-moving environments, one wrong query can delete pods, drop data, or expose secrets. Query-Level Approval adds a checkpoint before any kubectl operation reaches the API server.

With query-level rules, approval happens in real time. The system intercepts each kubectl action—get, apply, delete, exec—and checks it against a predefined policy. Those policies are more granular than role-based access control (RBAC), which works at resource and verb levels. Query-Level Approval evaluates the actual command: the namespace targeted, the resource name pattern, label selectors, even query parameters. If the command doesn’t match the rules, the system pauses it and waits for approval from a designated reviewer.

This control solves a critical gap. RBAC stops certain commands outright, but once a user holds a permission, RBAC won’t stop a questionable query that falls within it. Query-Level Approval closes that gap by adding dynamic, situational checks—the kind you can update daily without touching permanent permissions.

For example:

  • Only allow kubectl delete on deployments in staging, never in production.
  • Require a second approver for commands touching stateful sets.
  • Block exec into pods with sensitive labels unless explicitly approved.
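
The three rules above, written as a small policy evaluator. This is an added example, not hoop.dev's code or policy format: the rule schema, the `sensitivity=high` label, the final exec allow rule, and treating a missing `-n` as the `default` namespace are all assumptions made for illustration.

```python
import fnmatch
import shlex

# Hypothetical rule schema (an assumption, not hoop.dev's format). First match wins;
# verb, resource and namespace are glob patterns, "labels" must all be on the target pod.
RULES = [
    {"verb": "delete", "resource": "deployments", "namespace": "staging", "action": "allow"},
    {"verb": "delete", "resource": "deployments", "namespace": "*", "action": "deny"},
    {"verb": "*", "resource": "statefulsets", "namespace": "*", "action": "review", "approvers": 2},
    {"verb": "exec", "resource": "pods", "namespace": "*",
     "labels": {"sensitivity": "high"}, "action": "review", "approvers": 1},
    {"verb": "exec", "resource": "pods", "namespace": "*", "action": "allow"},
]
ALIASES = {"deploy": "deployments", "deployment": "deployments", "po": "pods",
           "pod": "pods", "sts": "statefulsets", "statefulset": "statefulsets"}
VALUE_FLAGS = {"-n": "namespace", "--namespace": "namespace",
               "-l": "selector", "--selector": "selector"}


def parse(command):
    """Extract verb, resource kind and namespace from a kubectl command line."""
    argv = shlex.split(command)[1:]                      # drop the leading "kubectl"
    argv = argv[:argv.index("--")] if "--" in argv else argv   # skip in-container command
    opts, positional, i = {"namespace": "default"}, [], 0     # assumed default namespace
    while i < len(argv):
        flag, eq, value = argv[i].partition("=")
        if flag in VALUE_FLAGS:
            if not eq:                                   # "-n prod": value is the next token
                i += 1
                value = argv[i] if i < len(argv) else ""
            opts[VALUE_FLAGS[flag]] = value
        elif not argv[i].startswith("-"):
            positional.append(argv[i])
        i += 1
    verb = positional[0] if positional else ""
    kind = "pods" if verb == "exec" else (positional[1] if len(positional) > 1 else "")
    kind = kind.split("/")[0].lower()                    # "deploy/web" -> "deploy"
    return {"verb": verb, "resource": ALIASES.get(kind, kind), "namespace": opts["namespace"]}


def decide(command, target_labels=None):
    """Return (action, approvers). target_labels: pod labels an interceptor would look up."""
    query, labels = parse(command), target_labels or {}
    for rule in RULES:
        if (all(fnmatch.fnmatchcase(query[k], rule[k]) for k in query)
                and all(labels.get(k) == v for k, v in rule.get("labels", {}).items())):
            return rule["action"], rule.get("approvers", 0)
    return "review", 1        # no rule matched: pause for a designated reviewer
```

Anything the parser cannot classify, such as `kubectl apply -f job.yaml`, matches no rule and falls through to review, so the evaluator fails closed.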

The workflow stays lean. An engineer runs the command, the system flags it, and an approver confirms with a single action. Once approved, kubectl runs normally. Every decision is logged, creating an auditable trail of who approved what and when.

Implementing Kubectl Query-Level Approval reduces risk while keeping delivery speed. It embodies least privilege without constant config rewrites. When the cluster is your backbone, a small gate at the query level protects everything behind it.

See how Query-Level Approval works in practice on hoop.dev. Deploy it, connect your cluster, and watch it intercept and approve kubectl queries in minutes.