diff --git a/claude.sh b/claude.sh
index 14ba877..c9d3ff8 100644
--- a/claude.sh
+++ b/claude.sh
@@ -7,6 +7,9 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 COMPOSE_FILE="$SCRIPT_DIR/docker-compose.yml"
 PROJECT="claude-secure"
 
+# ─── Global flags ─────────────────────────────────────────────────────────────
+ALLOW_KUBE=0  # set by --kube before the subcommand
+
 # ─── Colours ──────────────────────────────────────────────────────────────────
 RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; NC='\033[0m'
 info()  { echo -e "${GREEN}[+]${NC} $*"; }
@@ -98,6 +101,19 @@ workspace_flag() {
     echo "--volume ${cwd}:/workspace:z"
 }
 
+# ─── Optional kubeconfig mount ────────────────────────────────────────────────
+# Enabled by passing --kube before the subcommand.
+# Mounts $HOME/.kube read-only at /home/node/.kube inside the container.
+kube_flag() {
+    [[ "$ALLOW_KUBE" -eq 0 ]] && return
+    local kube_dir="$HOME/.kube"
+    if [[ ! -d "$kube_dir" ]]; then
+        error "--kube specified but $kube_dir does not exist."
+        exit 1
+    fi
+    echo "--volume ${kube_dir}:/home/node/.kube:ro,z"
+}
+
 # ─── Compose wrapper ──────────────────────────────────────────────────────────
 dc() { docker compose -f "$COMPOSE_FILE" -p "$PROJECT" "$@"; }
 
@@ -114,7 +130,7 @@ cmd_start() {
     dc up -d proxy  # no-op if already healthy; compose waits via depends_on
     info "Launching Claude Code..."
     # shellcheck disable=SC2046
-    dc run --rm --service-ports $(workspace_flag) claude "$@"
+    dc run --rm --service-ports $(workspace_flag) $(kube_flag) claude "$@"
 }
 
 cmd_stop() {
@@ -131,7 +147,7 @@ cmd_run() {
     dc up -d proxy
     info "Launching Claude Code..."
     # shellcheck disable=SC2046
-    dc run --rm --service-ports $(workspace_flag) claude "$@"
+    dc run --rm --service-ports $(workspace_flag) $(kube_flag) claude "$@"
 }
 
 cmd_update() {
@@ -157,7 +173,7 @@ cmd_shell() {
     load_env
     warn "Opening debug shell inside Claude container (non-Claude entrypoint)."
     # shellcheck disable=SC2046
-    dc run --rm --service-ports --entrypoint /bin/bash $(workspace_flag) claude
+    dc run --rm --service-ports --entrypoint /bin/bash $(workspace_flag) $(kube_flag) claude
 }
 
 cmd_web() {
@@ -206,8 +222,12 @@ Environment variables (set in .env or shell):
   WEBUI_USER          Web interface username (default: claude).
   WEBUI_PASSWORD      Required for web mode. Basic auth password.
 
+Flags (before the subcommand):
+  --kube    Mount \$HOME/.kube read-only at /home/node/.kube (kubectl access)
+
 Examples:
   cd ~/myproject && ./claude.sh start
+  cd ~/myproject && ./claude.sh --kube start
   ./claude.sh web
   ./claude.sh logs proxy
   ./claude.sh logs webui
@@ -216,6 +236,14 @@ EOF
 }
 
 # ─── Dispatch ─────────────────────────────────────────────────────────────────
+# Parse global flags before the subcommand
+while [[ "${1:-}" == --* ]]; do
+    case "$1" in
+        --kube) ALLOW_KUBE=1; shift ;;
+        *) break ;;
+    esac
+done
+
 case "${1:-help}" in
     start)    shift; cmd_start    "$@" ;;
     stop)           cmd_stop          ;;