
How-To: Enable Support Access on Your CMK Cluster (For Faster Incident Response)

Rishabh Sinha

Introduction

When Crusoe Support reaches out about an alert on your Crusoe Managed Kubernetes (CMK) cluster — for example, a 'CMK Node Not Ready' alert — our engineers cannot diagnose the cluster directly until you enable support access. Support access is disabled by default on all clusters. Enabling it ahead of time, or as soon as you're notified, significantly reduces time-to-resolution. This article covers the minimum steps to enable support access.

For role details, advanced options, and immediate revocation, see the Crusoe Cloud Docs: Support Access page.

Prerequisites

  • Crusoe CLI Installed and Authenticated
  • Helm Installed (For Existing Clusters)
  • Cluster Admin Access

Instructions

Step 1: Check Whether the Support Roles Helm Chart Is Already Installed

Run the following command against your cluster:

helm list --namespace crusoe-system

Output:

NAME                    NAMESPACE        REVISION    UPDATED                                    STATUS      CHART                         APP VERSION
crusoe-support-roles    crusoe-system    1           2026-06-03 14:40:41.25813 +0100 IST        deployed    crusoe-support-roles-0.1.1    v0.1.1
crusoe-watch-agent      crusoe-system    1           2026-04-09 01:32:47.717354775 +0000 UTC    deployed    crusoe-watch-agent-0.3.7

If you see crusoe-support-roles in the output, skip to Step 3. If the crusoe-system namespace does not exist or the chart is not listed, continue to Step 2.

ℹ️ Note: Clusters created after April 16, 2026, have this chart pre-installed; older clusters need a one-time install.

Step 2: Install the Support Roles Helm Chart

Add the Crusoe support roles repository and update:

helm repo add crusoe-support https://crusoecloud.github.io/crusoe-support-roles-helm-charts/charts
helm repo update

Step 3: Install the Chart Into the crusoe-system Namespace

helm install crusoe-support-roles crusoe-support/crusoe-support-roles --namespace crusoe-system --create-namespace

The chart provisions the cluster roles and role bindings Crusoe Support needs to operate. See the crusoe-support-roles-helm-charts repository for details.

Step 4: Enable Support Access Via the Crusoe CLI

Run the following, replacing <cluster-name> with your cluster:

crusoe kubernetes clusters support-access enable <cluster-name> --enabled-roles readonly,operator

Output:

successfully updated Kubernetes Cluster Support Access Settings
Support access is now enabled with roles: SUPPORT_ACCESS_ROLE_READONLY, SUPPORT_ACCESS_ROLE_OPERATOR.

Crusoe Support can now access your cluster with the specified roles until you disable this access.

Role options:

  • readonly — view-only access for diagnostics (default).
  • operator — adds permissions to execute diagnostic commands and assist with configuration.
  • readonly,operator — recommended for comprehensive support; operator automatically enables readonly.

Step 5: Verify Access Is Active

Confirm with:

crusoe kubernetes clusters support-access get <cluster-name>

Output:

Support Access Status: Enabled
Enabled Roles: SUPPORT_ACCESS_ROLE_READONLY, SUPPORT_ACCESS_ROLE_OPERATOR

Active Requests: 1
Request 1:
  Role: SUPPORT_ACCESS_ROLE_READONLY
  Requestor ID: 00XXXXX5d7
  Reason: Investigating on <node-name>
  Ticket: ZD####
  Requested At: 2026-06-03T13:46:29Z
  Request Expires At: 2026-06-03T17:46:29Z

The output shows Support Access Status: Enabled, the granted roles, and any active support sessions with Requestor ID, Reason, Requested At, and Request Expires At fields.

Step 6: (Only If You've Restricted Control-Plane Access) Allow Crusoe Support's VPN IP

  • By default, CMK clusters include a firewall rule (cmk-cp-api-access-cp-<abcd1234>) that allows inbound traffic to port 443 (the Kubernetes API server) on control-plane nodes from any source. If you've left this default, skip this step.
  • If you've tightened that rule to restrict source IPs (for example, to your corporate VPN range), you must also allow inbound traffic on port 443 from Crusoe Support's internal VPN exit node: 4.7.95.218.
  • Without this, enabling support access succeeds, but support engineers still cannot reach your cluster's API server, and you'll see no progress on the alert.

Step 7: When You're Done, Disable Support Access

Standard disable (prevents new sessions, allows current sessions to complete):

crusoe kubernetes clusters support-access disable <cluster-name>

Output:

successfully updated Kubernetes Cluster Support Access Settings
Support access is now disabled.

Immediate revocation (terminates all active access — use when needed urgently):

helm uninstall crusoe-support-roles --namespace crusoe-system

Example

You receive an email from Crusoe Support: We've detected a CMK Node Not Ready alert on cluster training-prod. Please enable support access so we can investigate.

You run:

helm list --namespace crusoe-system

Output shows nothing in the crusoe-system namespace, so you install the chart, then enable access:

helm install crusoe-support-roles crusoe-support/crusoe-support-roles --namespace crusoe-system --create-namespace

crusoe kubernetes clusters support-access enable training-prod --enabled-roles readonly,operator

A Crusoe support engineer's session appears under Active Requests when you run crusoe kubernetes clusters support-access get training-prod, and they begin diagnosis. After the incident resolves, you disable access:

crusoe kubernetes clusters support-access disable training-prod

Common Issues and Resolutions

Issue: Support Team Cannot Reach the Kubernetes API Server After Access Is Enabled

Verify your firewall rules allow inbound from 4.7.95.218 on port 443. See Step 6.

Issue: Active Requests Still Listed After Helm Uninstall — Is Support Still Inside?

No, support access is fully revoked. The Active Requests field lists credentials that were issued but does not reflect whether they are still usable. Once you uninstall the chart, the RBAC bindings (ClusterRoleBindings / RoleBindings) those credentials need are gone, and any access attempt will be rejected with a Forbidden error. The Crusoe API cannot inspect your cluster's internal RBAC state, so it cannot automatically clear the listing. Verify revocation with:

kubectl get clusterrolebindings -l app.kubernetes.io/instance=crusoe-support-roles

If this returns nothing, the chart is uninstalled, and no support credential has permission to act on your cluster.

Issue: Session Still Visible Under Active Requests After Running Support-Access Disable

This is expected. The CLI disable command prevents new support credentials from being issued, but credentials already issued remain valid until their Request Expires At timestamp (typically about four hours from issue).

If the chart is still installed (access NOT yet revoked), the kubectl get clusterrolebindings verification command shown above returns:

NAME                     ROLE                                 AGE
crusoe-support-operator  ClusterRole/crusoe-support-operator  5m
crusoe-support-readonly  ClusterRole/crusoe-support-readonly  5m

In this case, run helm uninstall crusoe-support-roles --namespace crusoe-system to complete the revocation, then re-run the verification command above.
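
The two issues above come down to one rule: the Active Requests listing is not authoritative, and the RBAC bindings decide whether an issued credential still works. The following script is an added example, not Crusoe tooling or code from this article; it applies that rule to captured command output. The function names and all sample values are constructed, and the input formats are assumed to match the outputs shown on this page.

```shell
#!/bin/sh
# Added example (not Crusoe tooling). Input formats follow the outputs shown
# on this page; all sample values below are constructed.

# latest_live_expiry NOW   (stdin: `support-access get` output)
# Prints the latest "Request Expires At" later than NOW, or nothing.
# Same-format UTC timestamps sort lexicographically, so awk compares strings.
latest_live_expiry() {
  awk -v now="$1" '
    /Request Expires At:/ {
      ts = $NF
      if ((ts "") > (now "") && (ts "") > (max "")) max = ts
    }
    END { if (max != "") print max }
  '
}

# support_exposure NOW GET_OUTPUT BINDINGS
# BINDINGS is the output of:
#   kubectl get clusterrolebindings \
#     -l app.kubernetes.io/instance=crusoe-support-roles -o name
support_exposure() {
  if [ -z "$3" ]; then
    echo "revoked"            # no bindings: issued credentials get Forbidden
    return
  fi
  live=$(printf '%s\n' "$2" | latest_live_expiry "$1")
  if [ -n "$live" ]; then
    echo "valid-until $live"  # disable alone leaves these usable
  else
    echo "bindings-present-no-live-session"
  fi
}

# Constructed sample modelled on the Step 5 output.
SAMPLE_GET='Active Requests: 2
Request 1:
  Role: SUPPORT_ACCESS_ROLE_READONLY
  Request Expires At: 2026-06-03T17:46:29Z
Request 2:
  Role: SUPPORT_ACCESS_ROLE_OPERATOR
  Request Expires At: 2026-06-03T14:10:00Z'
SAMPLE_BINDINGS='clusterrolebinding.rbac.authorization.k8s.io/crusoe-support-readonly
clusterrolebinding.rbac.authorization.k8s.io/crusoe-support-operator'

support_exposure "2026-06-03T15:00:00Z" "$SAMPLE_GET" "$SAMPLE_BINDINGS"
```

A "valid-until" result after running support-access disable means the helm uninstall step is still needed if access must end before that timestamp.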
