Are you opposed to allowing the user to specify kubeconfig creds? This is how credentials are distributed for every single cluster I've ever used. Most or all deployment tools output a kubeconfig, AKS/GKE both have `get-credentials` commands that output kubeconfig files, etc.

It looks like the interface might have to be extended, or another added that the kubernetes-plugin could then probe/utilize...

I think it would be a major UX win if the user could upload a kubeconfig file and be good to. Extracting the URL, CA cert, etc is just throwaway work. Maybe this is a result of how the kubernetes client works?

What I've typically seen is the usage of serviceaccounts and tokens, for security reasons you wouldn't use the full admin account in the plugin
That said I'm not opposed to add an option to use a kubeconfig, the code that checks credentials type is here
https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java#L121

The kubernetes client can read the kubeconfig from file, that's what the Config.autoConfigure() do, if kubeconfig is present in the filesystem will use it.
See the code here https://github.com/fabric8io/kubernetes-client/blob/f9b8ea2f25e95a232678ebc0ab66d0ee52490e05/kubernetes-client/src/main/java/io/fabric8/kubernetes/client/Config.java#L372

A kubeconfig file doesn't mean or imply a root account. As an example, the kubeconfig I'm pulling apart and handing the plugin currently is for a rather limited user. GKE, Tectonic both issue non-root user accounts this way as well. AKS will when it gets to RBAC.

Anyway, thank you for the pointers! I'll take a look when I get a chance.

It's not root, but it is not a limited service account specifically tailored for jenkins as defined in https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/kubernetes/service-account.yml

PR at https://github.com/jenkinsci/kubernetes-plugin/pull/294