Kubernetes Cluster Access

You can enable secure remote access to a Kubernetes cluster based on a dynamic secret that generates ephemeral credentials for the cluster. Users can then access the Kubernetes cluster from the Secure Remote Access Portal, either over the web or using the Kubernetes native CLI.

Prerequisite

Set Up Remote Access to a Kubernetes cluster from the Akeyless CLI

Let's set up remote access to a Kubernetes cluster using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless Console instead.

Run the following command to set these fields on the dynamic secret that specifies the Kubernetes cluster details and access credentials:

akeyless dynamic-secret update k8s \
--name <Kubernetes dynamic secret name> \
--secure-access-enable true \
--secure-access-certificate-issuer </Path/to/SSH/Cert/Issuer>  \
--secure-access-cluster-endpoint <Kubernetes cluster endpoint URL> \
--secure-access-allow-port-forwading <true/false>

where:

  • secure-access-certificate-issuer: Required to enable CLI access. The path to the SSH certificate issuer that should be used for certificate authentication.
  • secure-access-cluster-endpoint: The Kubernetes cluster endpoint URL.
  • secure-access-allow-port-forwading: Optional. Allows running non-interactive kubectl commands such as exec, port-forward, etc. Also allows using flags such as --watch (-w).

For Kubernetes Generic Dynamic Secrets, you can also enable secure remote access to your Kubernetes dashboard URL:

  • secure-access-dashboard-url: The Kubernetes dashboard URL. Available only for Generic Kubernetes.
  • secure-access-web-browsing: Optional. Secure web browsing through an isolated web browser. Available only for clients with Web Access Bastion.

Set Up Remote Access to a Kubernetes Cluster from the Akeyless Console

Let's set up remote access to a Kubernetes cluster from the Akeyless Console. If you'd prefer, see how to do this from the Akeyless CLI instead.

  1. Log in to the Akeyless Console and go to Items.

  2. Select the dynamic secret that specifies the Kubernetes cluster details and access credentials.

  3. Click on the Secure Remote Access tab, select the pencil icon and enable Secure Remote Access, then fill in the following fields:

For GKE Dynamic Secrets or EKS Dynamic Secrets:

  • Cluster Endpoint URL: Required, your Kubernetes cluster URL.
  • certificate-issuer: Required to enable CLI access. The path to the SSH certificate issuer that should be used for certificate authentication.
  • Allow Port Forwarding: Optional. Allows running non-interactive kubectl commands such as exec, port-forward, etc. Also allows using flags such as --watch (-w).

For Kubernetes Generic Dynamic Secrets:

  • Cluster Endpoint URL: Required, your Kubernetes cluster URL.

For Web Access:

  • Dashboard URL: Required to enable secure remote access to your Kubernetes dashboard.

  • Secure Web Browsing: Optional. Secure web browsing through an isolated web browser. Available only for clients with Web Access Bastion.

For CLI Access:

  • certificate-issuer: Required to enable CLI access. The path to the SSH certificate issuer that should be used for certificate authentication.

  • Allow Port Forwarding: Optional. Allows running non-interactive kubectl commands such as exec, port-forward, etc. Also allows using flags such as --watch (-w).

From any terminal which has Akeyless Connect configured, you can run the following command:

akeyless connect -t <namespace>@<cluster endpoint without https:// > -n <dynamic-secret-name> -v <sra-bastion-ssh-service-address:port>
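
The -t value above has the form <namespace>@<cluster endpoint without https://>. The shell helper below is an added example, not part of the Akeyless CLI or documentation: it builds that target from a full endpoint URL and prints the connect command for review. The function names, the refusal of non-https endpoints, and the sample hostnames are assumptions of this example.

```shell
#!/bin/sh
# Added example: helper names and sample values are hypothetical.

# Print "<namespace>@<endpoint without https://>", or fail with status 1.
sra_target() {
    ns=$1
    endpoint=$2
    # Kubernetes namespaces are DNS labels: lowercase alphanumerics and '-',
    # not starting or ending with '-', at most 63 characters.
    case $ns in
        ''|*[!a-z0-9-]*|-*|*-) echo "invalid namespace: $ns" >&2; return 1 ;;
    esac
    [ "${#ns}" -le 63 ] || { echo "namespace too long: $ns" >&2; return 1; }

    case $endpoint in
        https://*) host=${endpoint#https://} ;;   # strip the scheme
        # Assumption of this example: refuse any non-TLS scheme.
        *://*) echo "endpoint must use https: $endpoint" >&2; return 1 ;;
        *) host=$endpoint ;;                      # already scheme-less
    esac
    # Drop trailing slashes left over from a copied URL.
    while [ "${host%/}" != "$host" ]; do host=${host%/}; done
    # Only host[:port] may remain; reject paths, spaces, '@', and so on.
    case $host in
        ''|*[!A-Za-z0-9.:-]*) echo "unexpected endpoint: $endpoint" >&2; return 1 ;;
    esac
    printf '%s@%s\n' "$ns" "$host"
}

# Print the connect command (flags -t, -n, -v as shown on this page)
# so it can be reviewed before it is run.
# Arguments: namespace, endpoint URL, dynamic secret name, bastion address:port
sra_connect_cmd() {
    target=$(sra_target "$1" "$2") || return 1
    printf 'akeyless connect -t %s -n %s -v %s\n' "$target" "$3" "$4"
}

# Constructed sample values, for illustration only.
sra_connect_cmd dev https://k8s.example.com:6443/ /k8s/demo-secret bastion.example.com:22
```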
