K8s Cluster Access

You can enable secure remote access to a K8s cluster based on the dynamic secret that generates ephemeral credentials for K8s cluster. Users can then access K8s cluster from the Secure Remote Access Portal, either over the web or using K8s native CLI.

Prerequisite

Set Up Remote Access to a K8s cluster from the Akeyless CLI

Let's set up remote access to a K8s cluster using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless Console instead.

  1. Run the update-item command to define the following fields on the dynamic secret that specifies the K8s cluster details and access credentials:
akeyless update-item --name <K8s dynamic secret name> \
--secure-access-enable true \
--secure-access-bastion-issuer <Path to SSH Certificate Issuer> \
--secure-access-cluster-endpoint < K8s cluster endpoint URL> \
--secure-access-allow-port-forwading <true/false>

where:

  • secure-access-bastion-issuer: Required to enable CLI access. The path to the SSH certificate issuer that should be used for certificate authentication.
  • secure-access-cluster-endpoint: The K8s cluster endpoint URL.
  • secure-access-allow-port-forwading: Optional, allows running non-interactive kubectl commands, such as: exec / port-forward / etc. Also allows using the --watch flag (-w), for example.

For Kubernetes Generic Dynamic Secrets you can have secure remote access for your K8s dashboard URL:

  • secure-access-dashboard-url: The K8s dashboard URL available only for Generic K8s.
  • secure-access-web-browsing: Optional, secure web browsing over isolated web browser available only for clients with Web Access Bastion.

Set Up Remote Access to a K8s Cluster from the Akeyless Console

Let's set up remote access to a K8s cluster from the Akeyless Console. If you'd prefer, see how to do this from the Akeyless CLI instead.

  1. Log in to the Akeyless Console and go to Items.

  2. Select the dynamic secret that specifies the K8s cluster details and access credentials.

  3. Click on the Secure Remote Access tab, select the pencil icon and enable the Secure Remote Access, then fill in the following fields:

For GKE Dynamic Secrets or EKS Dynamic Secrets:

  • Cluster Endpoint URL: Required, your K8s cluster URL.
  • bastion-issuer: Required to enable CLI access. The path to the SSH certificate issuer that should be used for certificate authentication.
  • Allow Port Forwarding: Optional, allows running non-interactive kubectl commands, such as: exec / port-forward / etc. Also allows using the --watch flag (-w), for example.

For Kubernetes Generic Dynamic Secrets:

  • Cluster Endpoint URL: Required, your K8s cluster URL.

For Web Access:

  • Dashboard URL: Required to enable secure remote access to your K8s dashboard.

  • Secure Web Browsing: Optional, secure web browsing over isolated web browser available only for clients with Web Access Bastion.

For CLI Access:

  • bastion-issuer: Required to enable CLI access. The path to the SSH certificate issuer that should be used for certificate authentication.

  • Allow Port Forwarding: Optional, allows running non-interactive kubectl commands, such as: exec / port-forward / etc. Also allows using the --watch flag (-w), for example.

From any terminal which has Akeyless Connect configured, you can run the following command:

akeyless connect -t <namespace>@<cluster endpoint without https:// > -n <dynamic-secret-name> -v <sra-bastion-ssh-service-address:port>