# Authentication

import { Aside } from '@astrojs/starlight/components';

The `kubetail` CLI tool uses your local **kubeconfig** file to authenticate against your Kubernetes clusters. In-cluster permissions are handled by cluster RBAC.

---

## Kubeconfig

When you run a `kubetail` command that requires authentication (e.g. `kubetail serve`, `kubetail logs`), Kubetail reads your local kubeconfig file and uses the credentials defined there to connect to each cluster context. All standard kubeconfig credential types are supported:

| Credential type          | kubeconfig field(s)                                         |
|--------------------------|-------------------------------------------------------------|
| Client certificate / key | `client-certificate`, `client-key`                          |
| Bearer token             | `token`, `tokenFile`                                        |
| Exec credential plugin   | `exec` (e.g. `aws eks get-token`, `gke-gcloud-auth-plugin`) |
| OIDC / auth-provider     | `auth-provider`                                             |

Kubetail watches the kubeconfig file for changes and picks up new or updated contexts without a restart.

<Aside type="tip">
To use a different kubeconfig file you can:

* Use the `--kubeconfig` CLI flag
* Use the `general.kubeconfig` option in your local settings file
* Use the standard `KUBECONFIG` environment variable
</Aside>

---

## RBAC permissions

`kubetail` uses the permissions of the kubeconfig user. At a minimum, it needs read access to the resources it monitors:

| Resource     | API group | Verbs            |
|--------------|-----------|------------------|
| cronjobs     | batch     | get, list, watch |
| daemonsets   | apps      | get, list, watch |
| deployments  | apps      | get, list, watch |
| jobs         | batch     | get, list, watch |
| namespaces   | core      | get, list, watch |
| nodes        | core      | get, list, watch |
| pods         | core      | get, list, watch |
| pods/log     | core      | get, list, watch |
| replicasets  | apps      | get, list, watch |
| statefulsets | apps      | get, list, watch |

`kubetail` will automatically detect when a user only has access to a limited set of namespaces.
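
One way to confirm that a kubeconfig user holds the minimum permissions in the table above, using `kubectl auth can-i`. This is an added example, not part of Kubetail; the function and variable names are hypothetical, and it assumes `kubectl` is on the `PATH` and pointed at the context you want to check.

```shell
#!/bin/sh
# Added example (not Kubetail's own code): check the kubeconfig user against
# the minimum-permissions table with `kubectl auth can-i`.
# Names below (KUBETAIL_RESOURCES, check_kubetail_rbac) are hypothetical.

# Entries are resource[.apigroup][/subresource], taken from the table.
# Core-group resources (namespaces, nodes, pods) take no group suffix.
KUBETAIL_RESOURCES="cronjobs.batch daemonsets.apps deployments.apps jobs.batch
namespaces nodes pods pods/log replicasets.apps statefulsets.apps"
KUBETAIL_VERBS="get list watch"

# Usage: check_kubetail_rbac [namespace]
# With no namespace, the check is cluster-wide (--all-namespaces).
# Prints "MISSING <verb> <entry>" for each denied permission and
# returns 1 if any permission is missing, 0 otherwise.
check_kubetail_rbac() (
  ns="${1:-}"
  missing=0
  for entry in $KUBETAIL_RESOURCES; do
    for verb in $KUBETAIL_VERBS; do
      # kubectl parses "pods/log" as resource/name, so a subresource
      # has to be passed with --subresource instead.
      case "$entry" in
        */*) set -- "$verb" "${entry%%/*}" "--subresource=${entry#*/}" ;;
        *)   set -- "$verb" "$entry" ;;
      esac
      if [ -n "$ns" ]; then
        set -- "$@" --namespace "$ns"
      else
        set -- "$@" --all-namespaces
      fi
      # can-i exits non-zero when the answer is "no"
      if ! kubectl auth can-i "$@" >/dev/null; then
        echo "MISSING $verb $entry"
        missing=1
      fi
    done
  done
  exit "$missing"
)
```

Call `check_kubetail_rbac` for a cluster-wide check, or `check_kubetail_rbac my-namespace` for a user whose access is limited to specific namespaces; in the namespaced case the cluster-scoped `nodes` and `namespaces` entries are expected to be reported as missing.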