Kubernetes Targets

You can define K8s targets to be used with dynamic secrets for the following supported K8s types:

EKS

You can define an EKS target to be used with EKS dynamic secrets.

Create an EKS Target from the CLI

To create an EKS target from the CLI, run the following command:

akeyless create-eks-target \
--name <Target name> \
--eks-cluster-name <EKS cluster name> \
--eks-cluster-endpoint <EKS cluster endpoint> \
--eks-cluster-ca-cert <EKS cluster base64-encoded certificate>

Where:

  • name: A unique name of the target. The name can include the path to the virtual folder where you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

  • eks-cluster-name: The EKS cluster name.

  • eks-cluster-endpoint: The EKS cluster endpoint.

  • eks-cluster-ca-cert: The EKS cluster base64-encoded certificate.

You can find the complete list of parameters for this command in the CLI Reference - Akeyless Targets section.

Create an EKS Target in the Akeyless Console

  1. Log in to the Akeyless Console, and go to Targets > New > Kubernetes Targets > EKS.

  2. Define a Name of the target, and specify the Location as a path to the virtual folder where you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

  3. Choose your preferred authentication mode by selecting one of the options:

    • Check the Use Credentials radio button to authenticate with the EKS admin user credentials.

    • Check the Use Gateway's Cloud Identity radio button to authenticate with the Gateway's Cloud IAM.

Note

For example, when you set up a Dynamic Secret, you must select the Target and the Gateway through which temporary users will be created on a target server.

The Use Gateway's Cloud Identity parameter of the Target instructs the Akeyless SaaS to use the IAM credentials of the selected Gateway for authentication with EKS.

  4. Define the remaining parameters as follows:
  • Access Key ID: If you selected the Use Credentials option in the previous step, specify the Access ID assigned to the admin user you created to authenticate Akeyless with the EKS cluster.

  • Secret Access Key: Specify the Access Key assigned to the admin user you created to authenticate Akeyless with the EKS cluster.

  • Region: Enter the EKS region that the temporary credentials are permitted to access.

  • EKS Cluster Name: The cluster name.

  • EKS Cluster URL Endpoint: The URL of the cluster.

  • EKS Cluster CA Certificate: A base64-encoded cluster CA certificate.

  • Protection key: To enable Zero-Knowledge, select a key with a Customer Fragment. For more information about Zero-Knowledge, see Implement Zero Knowledge.

  5. Click Save.

GKE

You can define a GKE target to be used with GKE dynamic secrets.

Create a GKE Target from the CLI

To create a GKE target from the CLI, run the following command:

akeyless create-gke-target \
--name <Target name> \
--gke-account-email <GKE service account email> \
--gke-cluster-endpoint <GKE cluster endpoint> \
--gke-cluster-ca-cert <GKE Base64-encoded cluster CA certificate> \
--gke-account-key <GKE service account key> \
--gke-cluster-name <GKE cluster name>

Where:

  • name: A unique name of the target. The name can include the path to the virtual folder where you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

  • gke-cluster-name: The name of the GKE cluster you want to connect to.

  • gke-cluster-ca-cert: Base64-encoded GKE cluster CA certificate.

  • gke-cluster-endpoint: GKE Cluster endpoint URL.

  • gke-account-email: GKE service account email.

  • gke-account-key: GKE service account key.

You can find the complete list of parameters for this command in the CLI Reference - Akeyless Targets section.

Create a GKE Target in the Akeyless Console

  1. Log in to the Akeyless Console, and go to Targets > New > Kubernetes Targets > GKE.

  2. Define a Name of the target, and specify the Location as a path to the virtual folder where you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

  3. Choose your preferred authentication mode by selecting one of the options:

    • Check the Use Credentials radio button to authenticate with the GKE admin user credentials.

    • Check the Use Gateway's Cloud Identity radio button to authenticate with the Gateway's Cloud IAM.

Note

For example, when you set up a Dynamic Secret, you must select the Target and the Gateway through which temporary users will be created on a target server.

The Use Gateway's Cloud Identity parameter of the Target instructs the Akeyless SaaS to use the IAM credentials of the selected Gateway for authentication with GKE.

  4. Define the remaining parameters as follows:
  • GKE Service Account Email: If you selected the Use Credentials option in the previous step, specify the email of the service account ([email protected]).

  • GKE Service Account Key: Provide the RSA private key generated for this service account. This must be a valid PEM-encoded PKCS1 or PKCS8 private key.

  • GKE Cluster CA Certificate: Provide a base64-encoded cluster CA certificate.

  • GKE Cluster URL Endpoint: Specify the URL of the cluster.

  • GKE Cluster Name: The GKE cluster name. If no value is configured, the default name will be used: gks-cluster-.

  • Protection key: To enable Zero-Knowledge, select a key with a Customer Fragment. For more information about Zero-Knowledge, see Implement Zero Knowledge.

  5. Click Save.

K8S Generic

You can define a generic Kubernetes target to be used with generic Kubernetes dynamic secrets.

Create a Generic Kubernetes Target from the CLI

To create a generic Kubernetes target from the CLI, run the following command:

akeyless create-k8s-target \
--name <Target name> \
--k8s-cluster-endpoint <K8S Cluster endpoint> \
--k8s-cluster-ca-cert <K8S Cluster certificate> \
--k8s-cluster-token <K8S Cluster authentication token>

Where:

  • name: A unique name of the target. The name can include the path to the virtual folder where you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

  • k8s-cluster-endpoint: The DNS or IP address of the cluster, in the https:// format.

  • k8s-cluster-ca-cert: The base64-encoded cluster CA certificate.

  • k8s-cluster-token: A JWT authentication token authorized to create service account tokens.

You can find the complete list of parameters for this command in the CLI Reference - Akeyless Targets section.
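
The script below is an added example, not part of the Akeyless documentation or CLI: it checks the three values before they are passed to akeyless create-k8s-target, catching an endpoint without https://, a CA certificate supplied as raw PEM or encoded twice, and a token that is not a decodable JWT. The function names, the sample endpoint and the akeyless/target-sa service account are constructed for illustration; the CA check applies equally to the EKS and GKE CA certificate values.

```shell
#!/bin/sh
# Added example: preflight checks for `akeyless create-k8s-target` inputs.
# Function names and sample values are constructed for illustration.

check_endpoint() {            # must use the https:// format
  case "$1" in https://?*) return 0 ;; *) return 1 ;; esac
}

check_ca_cert() {             # must be base64 of a PEM certificate
  cc_pem=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  case "$cc_pem" in
    "-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) return 0 ;;
    *) return 1 ;;            # raw PEM or double-encoded input lands here
  esac
}

jwt_payload() {               # decode segment 2; base64url drops '=' padding
  jp_seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#jp_seg} % 4 )) -ne 0 ]; do jp_seg="$jp_seg="; done
  printf '%s' "$jp_seg" | base64 -d 2>/dev/null
}

token_subject() {             # print the "sub" claim, fail if not a JWT
  case "$1" in ?*.?*.?*) ;; *) return 1 ;; esac
  ts_json=$(jwt_payload "$1") || return 1
  ts_sub=$(printf '%s' "$ts_json" |
    sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$ts_sub" ] && printf '%s\n' "$ts_sub"
}

preflight() {                 # usage: preflight <endpoint> <ca-cert> <token>
  check_endpoint "$1" || { echo "endpoint is not https://" >&2; return 1; }
  check_ca_cert "$2"  || { echo "CA cert is not base64 PEM" >&2; return 1; }
  pf_sub=$(token_subject "$3") || { echo "token is not a JWT" >&2; return 1; }
  echo "inputs look sane; token subject: $pf_sub"
}

# Constructed samples: dummy certificate body, unsigned token, no real secrets.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_ENDPOINT='https://k8s.example.internal:6443'
SAMPLE_CA=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ZHVtbXk=' \
  '-----END CERTIFICATE-----' | base64 | tr -d '\n')
SAMPLE_CLAIMS='{"sub":"system:serviceaccount:akeyless:target-sa"}'
SAMPLE_JWT="$(printf '%s' '{"alg":"RS256"}' | b64url)"
SAMPLE_JWT="$SAMPLE_JWT.$(printf '%s' "$SAMPLE_CLAIMS" | b64url).c2ln"

preflight "$SAMPLE_ENDPOINT" "$SAMPLE_CA" "$SAMPLE_JWT"
```

The checks are structural only: they do not verify the certificate chain or the token signature, and the printed subject is there so you can confirm which identity the target will act as.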

Create a Generic Kubernetes Target in the Akeyless Console

  1. Log in to the Akeyless Console, and go to Targets > New > Kubernetes Targets > Generic.

  2. Define a Name of the target, and specify the Location as a path to the virtual folder where you want to create the new target, using slash / separators. If the folder does not exist, it will be created together with the target.

  3. Define the remaining parameters as follows:

  • Bearer Token: Provide a JWT authentication token authorized to create service account tokens.

  • Cluster CA Certificate: Provide a base64-encoded cluster CA certificate.

  • Cluster Endpoint URL: Specify the URL of the cluster.

  • Protection key: To enable Zero-Knowledge, select a key with a Customer Fragment. For more information about Zero-Knowledge, see Implement Zero Knowledge.

  4. Click Save.