Kubeconfigs & Service Accounts
RunWhen uses standard kubeconfig files to connect to Kubernetes clusters for discovery. There are two main patterns, and they can be combined.
Two ways to provide cluster access
Pattern 1 — Single kubeconfig with multiple contexts
Provide one kubeconfig file that contains a context for every cluster you want RunWhen to discover. RunWhen reads all contexts and applies your discovery configuration to each one. This is the recommended approach for self-managed or mixed environments.
```yaml
cloudConfig:
  kubernetes:
    kubeconfigFile: /shared/kubeconfig  # contains contexts for every cluster
    contexts:
      prod-cluster:
        defaultNamespaceLOD: detailed
      staging-cluster:
        defaultNamespaceLOD: basic
```
Pattern 2 — Cloud provider-generated kubeconfigs
When you configure Azure, GCP, or AWS discovery, RunWhen automatically generates a kubeconfig context for each managed Kubernetes cluster it finds (AKS, GKE, EKS). These are merged at runtime into your kubeconfigFile (if provided), so you do not need to manually extract credentials for cloud-managed clusters.
This means a single workspaceInfo.yaml can cover:
- Self-managed clusters (you supply the kubeconfig context)
- Cloud-managed clusters (RunWhen generates the context from your cloud credential)
See the Kubernetes Kubeconfig Setup guide for step-by-step instructions covering both patterns, merging multiple kubeconfig files, service account creation, and RBAC configuration.
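A pre-flight check for the single-kubeconfig pattern, as an added example that is not RunWhen's own code: because every context in the file is read, it compares the kubeconfig's contexts with the names in your `contexts` map and flags clusters with TLS verification disabled. It assumes the kubeconfig has been exported as JSON with `kubectl config view -o json`; the `audit` function, the sample data and the cluster and user names are constructed for illustration.

```python
import json

def audit(kubeconfig, configured_contexts):
    """Return sorted (context, finding) pairs for a parsed kubeconfig."""
    clusters = {c["name"]: c.get("cluster") or {} for c in kubeconfig.get("clusters") or []}
    users = {u["name"] for u in kubeconfig.get("users") or []}
    findings, present = set(), set()
    for entry in kubeconfig.get("contexts") or []:
        name, ctx = entry["name"], entry.get("context") or {}
        present.add(name)
        # All contexts in the file are read, so an unlisted context is still in scope.
        if name not in configured_contexts:
            findings.add((name, "in kubeconfig but not in contexts map"))
        cluster = clusters.get(ctx.get("cluster"))
        if cluster is None or ctx.get("user") not in users:
            findings.add((name, "dangling cluster or user reference"))
        if cluster and cluster.get("insecure-skip-tls-verify"):
            findings.add((name, "TLS verification disabled"))
    # Names configured for discovery that the kubeconfig cannot satisfy.
    for name in set(configured_contexts) - present:
        findings.add((name, "in contexts map but not in kubeconfig"))
    return sorted(findings)

# Constructed sample in the shape of `kubectl config view -o json` output.
SAMPLE = json.loads("""
{
  "clusters": [
    {"name": "prod", "cluster": {"server": "https://prod.example.internal:6443"}},
    {"name": "staging", "cluster": {"server": "https://staging.example.internal:6443",
                                    "insecure-skip-tls-verify": true}},
    {"name": "lab", "cluster": {"server": "https://lab.example.internal:6443"}}
  ],
  "users": [{"name": "runwhen-viewer"}, {"name": "lab-admin"}],
  "contexts": [
    {"name": "prod-cluster", "context": {"cluster": "prod", "user": "runwhen-viewer"}},
    {"name": "staging-cluster", "context": {"cluster": "staging", "user": "runwhen-viewer"}},
    {"name": "lab-cluster", "context": {"cluster": "lab", "user": "lab-admin"}}
  ]
}
""")
# Constructed list of the keys under cloudConfig.kubernetes.contexts.
CONFIGURED = ["prod-cluster", "staging-cluster", "dr-cluster"]

if __name__ == "__main__":
    for context, finding in audit(SAMPLE, CONFIGURED):
        print(f"{context}: {finding}")
```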
Field reference
The kubernetes block in cloudConfig supports the following fields:
| Field | Description |
|---|---|
| kubeconfigFile | Path to the kubeconfig file, resolved inside the container (typically /shared/kubeconfig) |
| inClusterAuth | Boolean. Defaults to true — generates a cluster-viewer credential for the local cluster. Set to false when providing your own kubeconfig for external clusters. |
| namespaces | Explicit list of namespaces to scan. If omitted, all namespaces are scanned subject to LOD settings. |
| contexts | Map of per-context discovery configuration (see Kubernetes discovery). |
| excludeAnnotations | Resource annotations that cause a resource to be skipped during discovery. |
| excludeLabels | Resource labels that cause a resource to be skipped during discovery. |
Related
- Kubernetes Kubeconfig Setup guide — step-by-step for both patterns, merging kubeconfigs, and service account creation
- Kubernetes discovery configuration — contexts, LOD settings, and exclusion annotations
- Microsoft Azure discovery — AKS kubeconfig generation via SP or MI
- GCP discovery — GKE kubeconfig generation via service account
- AWS discovery — EKS kubeconfig generation via access key