kubectl mode

Kubectl mode gives each org member a kubeconfig for that org's Kubernetes namespace. It is not cluster-admin access: the credential is bound to a Role that only covers common app resources such as Deployments, Services, ConfigMaps, app Secrets, and PersistentVolumeClaims.

Capacity follows the same billing model as simple mode. Each subscribed dollarbox adds one pod, 1Gi memory, and 10Gi persistent storage to the namespace quota. Manage subscribed dollarboxes from Billing in the control panel; capacity cannot be lowered below containers that still exist, including failed containers until they are deleted. Creating workloads directly with kubectl can exhaust that quota and block later control-panel deploys until resources are deleted or capacity is increased.

Control-panel resources are labelled dollarbox.io/managed-by=control-panel and are read-only from kubectl. Services must be ClusterIP or IPv6-only LoadBalancer; NodePort, ExternalName, host-network pods, node selectors, and unapproved storage classes are rejected by Kubernetes admission policy.

Download the kubeconfig from the control panel after an org owner enables kubectl mode. If a kubeconfig is exposed, use Refresh credentials in the same tab to delete the old revocation Secret, download a replacement kubeconfig, and revoke existing kubeconfigs for that user immediately.