How to securely pass cluster credentials to kubectl 1.11+




Say I was a little worried about having the credentials to a production Kubernetes cluster saved in a kubeconfig file. What methods are there to allow for one to securely pass credentials one time to a kubectl command?

Although it doesn’t work from versions 1.11+, my old team would load up the kubeconfig yml on the fly using process substitution - which looked something like this:

kubectl --kubeconfig <(generate kubeconfig file with relevant secrets)

One could also use the --username and --password options that could be added to any kubectl command but they seem to have been stripped from versions 1.11+.

In all documentation the suggestion is only to use the kubectl config set commands to build up a local config file and store passwords as plain text.

So again, given that these techniques no longer seem to work with the latest version of kubectl, what are the best practices for loading secret cluster credentials to kubectl, secretly? Does the fact that we’re in this situation mean that we’re handling cluster access credentials all wrong?

Thanks in advance