{"id":40244444,"url":"https://github.com/telekom/k8s-breakglass","last_synced_at":"2026-02-17T12:04:33.646Z","repository":{"id":322803536,"uuid":"823568229","full_name":"telekom/k8s-breakglass","owner":"telekom","description":"Temporary privilege elevation for Kubernetes.","archived":false,"fork":false,"pushed_at":"2026-01-30T00:11:39.000Z","size":5025,"stargazers_count":17,"open_issues_count":2,"forks_count":5,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-01-30T08:57:16.132Z","etag":null,"topics":["apache-2-0-license","elevation","golang","k8s","k8s-cluster","kubernetes","privilege","privilege-escalation-system","rbac","role-based-access-control"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/telekom.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSES/Apache-2.0.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-07-03T09:24:44.000Z","updated_at":"2026-01-29T21:11:22.000Z","dependencies_parsed_at":null,"dependency_job_id":"444ea663-f32c-46d9-820b-6a34ff53de05","html_url":"https://github.com/telekom/k8s-breakglass","commit_stats":null,"previous_names":["telekom/k8s-breakglass"],"tags_count":25,"template":false,"template_full_name":null,"purl":"pkg:github/telekom/k8s-breakglass","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telekom%2Fk8s-breakglass","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telekom%2Fk8s-breakglass/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telekom%2Fk8s-breakglass/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telekom%2Fk8s-breakglass/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/telekom","download_url":"https://codeload.github.com/telekom/k8s-breakglass/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telekom%2Fk8s-breakglass/sbom","scorecard":{"id":1239516,"data":{"date":"2025-11-06T11:21:54Z","repo":{"name":"github.com/telekom/k8s-breakglass","commit":"97f39ee3a45dfe5b2d3fe40b64ca5c5a42420f03"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":6,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":8,"reason":"24 out of 29 merged PRs checked by a CI test -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":3,"reason":"Found 7/19 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":10,"reason":"project has 3 contributing companies or organizations -- score normalized to 10","details":["Info: telekom contributor org/company found, deutsche telekom ag @telekom contributor org/company found, mobica contributor org/company found, "],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENCE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENCE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/ci.yml:51"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:117: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:126: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:133: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/dependency-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/dependency-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/dependency-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ort.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ort.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ort.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/ort.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-chart.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release-chart.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-chart.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release-chart.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-chart.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release-chart.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-chart.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release-chart.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:116: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:152: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/security.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/security.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/security.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/security.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/telekom/k8s-breakglass/security.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1","Warn: containerImage not pinned by hash: Dockerfile:12","Warn: containerImage not pinned by hash: Dockerfile:37: pin your Docker image by updating gcr.io/distroless/static:nonroot to gcr.io/distroless/static:nonroot@sha256:e8a4044e0b4ae4257efa45fc026c0bc30ad320d43bd4c1a7d5271bd241e386d0","Info:   4 out of  20 GitHub-owned GitHubAction dependencies pinned","Info:   2 out of  22 third-party GitHubAction dependencies pinned","Info:   0 out of   3 containerImage dependencies pinned","Info:   1 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":7,"reason":"SAST tool is not run on all commits -- score normalized to 7","details":["Warn: 23 commits out of 29 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.0.5 not signed: https://api.github.com/repos/telekom/k8s-breakglass/releases/259875557","Warn: release artifact v0.0.4 not signed: https://api.github.com/repos/telekom/k8s-breakglass/releases/258540528","Warn: release artifact v0.0.3 not signed: https://api.github.com/repos/telekom/k8s-breakglass/releases/258515699","Warn: release artifact v0.0.5 does not have provenance: https://api.github.com/repos/telekom/k8s-breakglass/releases/259875557","Warn: release artifact v0.0.4 does not have provenance: https://api.github.com/repos/telekom/k8s-breakglass/releases/258540528","Warn: release artifact v0.0.3 does not have provenance: https://api.github.com/repos/telekom/k8s-breakglass/releases/258515699"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:56","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release-chart.yml:16","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/release-chart.yml:17","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:11","Warn: topLevel 'packages' permission set to 'write': .github/workflows/ci.yml:12","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:8","Info: topLevel permissions set to 'read-all': .github/workflows/openssf-scorecard.yml:25","Info: topLevel 'contents' permission set to 'read': .github/workflows/ort.yml:3","Warn: no topLevel permission defined: .github/workflows/release-chart.yml:1","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:10","Warn: topLevel 'packages' permission set to 'write': .github/workflows/release.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/reuse-compliance.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/security.yml:3"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-11-06T13:21:06.827Z","repository_id":322803536,"created_at":"2025-11-06T13:21:06.834Z","updated_at":"2025-11-06T13:21:06.834Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29084089,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-04T03:31:03.593Z","status":"ssl_error","status_checked_at":"2026-02-04T03:29:50.742Z","response_time":62,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apache-2-0-license","elevation","golang","k8s","k8s-cluster","kubernetes","privilege","privilege-escalation-system","rbac","role-based-access-control"],"created_at":"2026-01-20T00:06:50.866Z","updated_at":"2026-02-17T12:04:33.640Z","avatar_url":"https://github.com/telekom.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kubernetes Breakglass\n\n[![](https://img.shields.io/badge/license-Apache%20License%202.0-blue)](https://img.shields.io/badge/license-Apache%20License%202.0-blue)\n[![REUSE Compliance Check](https://github.com/telekom/k8s-breakglass/actions/workflows/reuse-compliance.yml/badge.svg)](https://github.com/telekom/k8s-breakglass/actions/workflows/reuse-compliance.yml)\n[![OpenSSF Scorecard Score](https://api.scorecard.dev/projects/github.com/telekom/k8s-breakglass/badge)](https://scorecard.dev/viewer/?uri=github.com/telekom/k8s-breakglass)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/11553/badge)](https://www.bestpractices.dev/projects/11553)\n[![codecov](https://codecov.io/github/telekom/k8s-breakglass/graph/badge.svg?token=OJLpw2PNDW)](https://codecov.io/github/telekom/k8s-breakglass)\n\n**Kubernetes Breakglass** is a secure, auditable privilege escalation system for Kubernetes clusters. It enables users to request temporary elevated access through a structured approval workflow, with real-time webhook integration for immediate Kubernetes RBAC enforcement.\n\n## 🎯 Key Features\n\n- **Request-Approval Workflow** - Users request access, approvers review and grant temporary privileges\n- **Real-time Authorization Webhook** - Integrated with Kubernetes' authorization system for immediate enforcement\n- **Time-Bounded Access** - Sessions expire automatically after configured duration\n- **Audit Trail** - Full history of requests, approvals, and access events\n- **Audit Sinks** - Kafka/webhook/log/Kubernetes audit outputs via `AuditConfig`\n- **Flexible Authorization** - Define escalations, approvers, and access restrictions using Kubernetes CRDs\n- **Multi-Cluster Support** - Centralized hub manages access across multiple spoke clusters\n- **OIDC/JWT Authentication** - Integrates with identity providers like Keycloak and Azure AD\n- **Web UI, CLI \u0026 REST API** - User-friendly web interface, `bgctl` command-line tool, and programmatic access\n- **Command-Line Interface (`bgctl`)** - Terminal-based access for automation and scripting\n- **Debug Sessions** - Time-bounded debug pods and kubectl-debug workflows\n- **Automatic Cluster Cache Invalidation** - Watches ClusterConfig and kubeconfig Secret changes to refresh connectivity instantly\n- **Rich Prometheus Signals** - API endpoints expose dedicated request/error/duration metrics for fine-grained SLOs\n\n## Architecture\n\n**Components:**\n\n- **Backend Service** - Go REST API server with Kubernetes webhook support\n- **Frontend** - TypeScript/Vue web application for request management\n- **CLI Tool (`bgctl`)** - Command-line interface for automation and terminal access\n- **Custom Resources** - Configuration and persistence via Kubernetes CRDs:\n  - `BreakglassEscalation` - Define available privilege escalations\n  - `BreakglassSession` - Track active sessions\n  - `ClusterConfig` - Configure managed clusters\n  - `DenyPolicy` - Restrict access by policy\n  - `AuditConfig` - Configure audit sinks (Kafka, webhook, log, Kubernetes)\n  - `IdentityProvider` - OIDC provider configuration and group sync\n  - `MailProvider` - Email notification configuration\n  - `DebugSession` - Debug session lifecycle\n  - `DebugSessionTemplate` - Debug session templates\n  - `DebugSessionClusterBinding` - Delegate template access to teams and clusters\n  - `DebugPodTemplate` - Debug pod templates\n\n**Design:** Hub-and-spoke topology where a central breakglass service manages temporary access for multiple Kubernetes clusters.\n\n## 📚 Documentation\n\nComplete documentation is available in the [docs/](./docs/) directory:\n\n**Getting Started:**\n\n- **[Quick Start](./docs/quickstart.md)** - Get running in 5 minutes\n- **[Installation](./docs/installation.md)** - Complete step-by-step installation guide\n- **[Building](./docs/building.md)** - Build from source and run tests\n\n**Resources \u0026 Configuration:**\n\n- **[IdentityProvider](./docs/identity-provider.md)** - **MANDATORY** - Configure OIDC authentication for users\n- **[BreakglassEscalation](./docs/breakglass-escalation.md)** - Define available privilege escalations\n- **[BreakglassSession](./docs/breakglass-session.md)** - Session lifecycle and state management\n- **[ClusterConfig](./docs/cluster-config.md)** - Configure managed clusters\n- **[DenyPolicy](./docs/deny-policy.md)** - Create access restrictions and policies\n- **[AuditConfig](./docs/audit-config.md)** - Configure audit sinks (Kafka, webhooks, logs)\n- **[MailProvider](./docs/mail-provider.md)** - Email notification configuration\n- **[Debug Session](./docs/debug-session.md)** - Debug sessions and templates\n\n**Integration \u0026 Advanced Topics:**\n\n- **[Webhook Setup](./docs/webhook-setup.md)** - Integrate with Kubernetes authorization\n- **[CLI Tool (bgctl)](./docs/cli.md)** - Command-line interface for terminal access and automation\n- **[API Reference](./docs/api-reference.md)** - REST API endpoints and examples\n- **[Metrics](./docs/metrics.md)** - Prometheus metrics, alerting, and dashboards\n- **[Advanced Features](./docs/advanced-features.md)** - Request reasons, approval reasons, self-approval prevention, domain restrictions\n- **[Troubleshooting](./docs/troubleshooting.md)** - Common issues and solutions\n\n## 🤝 Contributing\n\nPlease read [CONTRIBUTING.md](CONTRIBUTING.md) for contribution requirements, testing policy, and review expectations.\n\n## 📦 Example Assets\n\n- **[DenyPolicy examples](./config/deny-policy-examples.yaml)** - Ready-to-use templates covering exfiltration, operational safety, and compliance controls\n\n## ⚙️ Configuration\n\nThe application is configured via a `config.yaml` file. See [`config.example.yaml`](./config.example.yaml) for a complete example.\n\n**Core Configuration:**\n\n```yaml\nserver:\n  listenAddress: :8080\n  tlsCertFile: /etc/tls/cert.crt      # optional\n  tlsKeyFile: /etc/tls/key.key        # optional, for HTTPS\n\nfrontend:\n  baseURL: https://breakglass.example.com\n  brandingName: \"My Breakglass\"       # optional\n  uiFlavour: \"oss\"                    # optional: \"oss\", \"telekom\", or \"neutral\"\n\nkubernetes:\n  context: \"\"                         # kubectl config context (empty = default)\n  oidcPrefixes:                       # Prefixes to strip from OIDC groups\n    - \"keycloak:\"\n    - \"oidc:\"\n```\n\n**Notes:**\n\n- **OIDC/IDP authentication** is managed via **IdentityProvider CRDs**. See [Identity Provider documentation](docs/identity-provider.md) for details.\n- **Email notifications** are managed via **MailProvider CRDs**. See [Mail Provider documentation](docs/mail-provider.md) for details.\n- Email notifications can be disabled with `--disable-email` when MailProvider is not configured.\n\n### OIDC Group Prefix Handling\n\nWhen users authenticate via OIDC providers like Keycloak, groups often include provider-specific prefixes (e.g., `keycloak:admin`, `oidc:developers`). Kubernetes RBAC typically uses clean group names (e.g., `admin`, `developers`).\n\nThe `oidcPrefixes` configuration automatically strips these prefixes when matching user groups to escalation rules.\n\n**Example Flow:**\n\n| Step | Value |\n|------|-------|\n| 1. User's OIDC groups | `[\"keycloak:admin\", \"keycloak:developers\"]` |\n| 2. After prefix stripping | `[\"admin\", \"developers\"]` |\n| 3. Matched against escalations | Uses clean names like `admin` |\n\nThis ensures escalation policies reference clean group names, independent of the OIDC provider.\n\n## 🚀 Deployment\n\n### Quick Start\n\nGet breakglass running in 5 minutes with the dev deployment:\n\n```bash\n# Deploy to local kind cluster with Keycloak and MailHog\nmake docker-build-dev                   # build dev image\nkind create cluster                     # create local kind cluster\nkind load docker-image breakglass:dev   # load dev image into kind cluster\nmake install                            # install CRDs\nmake deploy_dev                         # deploy breakglass and dependencies\n\n# Access the application\n# Breakglass UI:  https://breakglass-dev:30081\n# Keycloak:       https://breakglass-dev:30083\n# MailHog:        http://breakglass-dev:30084\n```\n\nFor production deployment, see the [Installation Guide](./docs/installation.md).\n\n### Production Deployment\n\n```bash\n# Edit configuration\ncp config.example.yaml config/base/config.yaml\n# ... customize settings ...\n\n# Deploy CRDs, RBAC, and application\nmake deploy\n```\n\nSee [Installation Guide](./docs/installation.md) and [Deployment Targets](./docs/deployment-targets.md) for detailed setup steps.\n\n### Building from Source\n\n**OSS Flavour (Recommended):**\n\n```bash\n# Build backend and OSS UI\ndocker build -t breakglass:latest .\n\n# Or build just the backend\ngo build -o bin/breakglass ./cmd/...\n```\n\n**UI Customization:**\n\nThe frontend uses the [telekom/scale](https://github.com/telekom/scale) framework. See its [theming documentation](https://telekom.github.io/scale/?path=/docs/guidelines-customization-and-themes--page) for customization options.\n\n#### ⚠️ Telekom UI Flavour\n\nThe Telekom branded UI (`UI_FLAVOUR=telekom`) is proprietary to Deutsche Telekom and **must NOT be used outside Deutsche Telekom entities**.\n\n- Contains proprietary Deutsche Telekom branding and customizations\n- Unauthorized use violates Deutsche Telekom's intellectual property rights\n- All non-Telekom organizations must use the OSS flavour (default)\n- The OSS flavour is fully functional and appropriate for all organizations\n\n## 🔗 Webhook Integration\n\nThe authorization webhook enables real-time enforcement of breakglass sessions. When a user attempts an action on a managed cluster, the webhook is called to determine if they have an active session granting the requested access.\n\n**Setup Overview:**\n\n1. Configure the cluster's API server to use the breakglass webhook as an authorization plugin\n2. Create webhook kubeconfig pointing to the breakglass service\n3. Create `ClusterConfig` resource defining the cluster relationship\n\nSee [Webhook Setup Guide](./docs/webhook-setup.md) for complete configuration instructions.\n\n**API Server Configuration Example:**\n\n```yaml\napiVersion: apiserver.config.k8s.io/v1beta1\nkind: AuthorizationConfiguration\nauthorizers:\n  - type: Node\n    name: node\n  - type: RBAC\n    name: rbac\n  - type: Webhook\n    name: breakglass\n    webhook:\n      unauthorizedTTL: 30s\n      timeout: 3s\n      failurePolicy: Deny\n      connectionInfo:\n        type: KubeConfigFile\n        kubeConfigFile: /etc/kubernetes/breakglass-authz.kubeconfig\n```\n\n## 📖 Custom Resources\n\n### BreakglassEscalation\n\nDefines available privilege escalations for users. Specifies target groups, approvers, and constraints.\n\n- **Example:** \"Allow developers to request temporary cluster-admin access for 2 hours\"\n- **Approvers:** Can be individuals or groups\n- **Constraints:** Max duration, request reasons, self-approval policy\n\nSee [BreakglassEscalation Documentation](./docs/breakglass-escalation.md) for details.\n\n### BreakglassSession\n\nRepresents an active or historical privilege escalation request. Tracks state through the approval workflow.\n\n- **Lifecycle:** Pending → Approved/Rejected → Expired/Withdrawn\n- **Audit Trail:** Request time, approver, reason, expiration\n- **Managed by:** Breakglass API (users don't create directly)\n\nSee [BreakglassSession Documentation](./docs/breakglass-session.md) for details.\n\n### ClusterConfig\n\nConfigures a managed cluster's relationship to the breakglass hub.\n\n- **Purpose:** Define cluster identity and webhook endpoint\n- **Usage:** Connect managed clusters to the central breakglass service\n\nSee [ClusterConfig Documentation](./docs/cluster-config.md) for details.\n\n### DenyPolicy\n\nRestrict access across clusters and namespaces based on resource attributes.\n\n- **Example:** \"Deny access to secrets namespace\"\n- **Scope:** Cluster-wide or tenant-scoped\n- **Precedence:** Evaluated before escalations\n\nSee [DenyPolicy Documentation](./docs/deny-policy.md) for details.\n\n## Code of Conduct\n\nThis project has adopted the [Contributor Covenant](https://www.contributor-covenant.org/) in version 2.1 as our code of conduct. Please see the details in our [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md). All contributors must abide by the code of conduct.\n\nBy participating in this project, you agree to abide by its [Code of Conduct](./CODE_OF_CONDUCT.md) at all times.\n\n## License\n\nCopyright (c) Deutsche Telekom AG\n\nAll content in this repository is licensed under at least one of the licenses found in [./LICENSES](./LICENSES); you may not use this file, or any other file in this repository, except in compliance with the Licenses.\nYou may obtain a copy of the Licenses by reviewing the files found in the [./LICENSES](./LICENSES) folder.\n\nUnless required by applicable law or agreed to in writing, software distributed under the Licenses is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See in the [./LICENSES](./LICENSES) folder for the specific language governing permissions and limitations under the Licenses.\n\nThis project follows the [REUSE standard for software licensing](https://reuse.software/). Each file contains copyright and license information, and license texts can be found in the [./LICENSES](./LICENSES) folder. For more information, visit [https://reuse.software/](https://reuse.software/).\n\nYou can find a guide for developers at [https://telekom.github.io/reuse-template/](https://telekom.github.io/reuse-template/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftelekom%2Fk8s-breakglass","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftelekom%2Fk8s-breakglass","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftelekom%2Fk8s-breakglass/lists"}