Remote Access on K8s

Akeyless Remote Access provides secure remote access to resources using just-in-time credentials (dynamic secrets, rotated secrets, and SSH certificates).

Remote Access is enabled through the Akeyless Gateway Helm chart deployment. Usually this is added after the Gateway is deployed, but it can be deployed as part of the Gateway deployment. This document will show how to upgrade your deployment to add Remote Access capabilities.

The Remote Access deployment spins up two pods in your cluster: ssh-sra and web-sra.

Prerequisites

  • An Akeyless Gateway

  • Helm Installed

  • K8s Cluster

  • SSH Certificate Issuer for CLI Access

  • Minimum 1 vCPU and 2 GB RAM available per resource. Resource requests and limits can be set explicitly in the chart, under sraConfig for the Web service and sshConfig for the SSH service.

  • Optional: If Horizontal Pod Autoscaler (HPA) usage is desired, you must set requests values in the resources section. For the HPA to function correctly, the Kubernetes metrics server must be installed in your cluster. You can find the metrics server setup guide here: Kubernetes metrics server.

Deploying Remote Access

The values.yaml file used to deploy the Gateway holds the Remote Access default values.

Configuration

Remote Access can only be used with the following Authentication Methods:

  • SAML

  • OIDC

  • Certificates

  • LDAP

To enable only specific users to use Remote Access, make sure to add the relevant authorizedAccessIDs in the Global section. A comma-separated list can be used for multiple IDs. While this is not mandatory, it is a good security practice to limit user access. If not configured, a Warning message will appear.

############
## Global ##
############

authorizedAccessIDs: p-

📘 Permissions

For Remote Access, these Authentication Methods only require list permissions on secrets. Upon successful authentication, the service fetches the requested secret from Akeyless and injects it directly for your users, transparently.

Remote Access uses the same Authentication as the Gateway which is found in the akeylessGatewayAuth section of the chart. To start configuring Remote Access, find the sra section and set it to enabled: true.

######################################################
## Default values for akeyless-secure-remote-access ##
######################################################
sra:
  # Enable secure-remote-access. Valid values: true/false.
  enabled: true

Web Config

This section describes the web deployment. You can add annotations and labels as well as the number of replicas for the service.

  sraConfig:
    deployment:
      annotations: {}
      labels: {}
    replicaCount: 1

Storage

NOTE: Persistence is only relevant for the SRA-Web pod.

The purpose of the PersistentVolume is to ensure that data can be shared and accessed by all pods in the cluster. When RDP is configured to save recordings locally, the PersistentVolume is used to store these recordings. The Helm chart defines a persistent storage configuration using the ReadWriteMany access mode, which enables all pods to read from, and write to, the same storage volume. This is necessary to ensure that any changes or updates made by one pod are available to all other pods, maintaining consistency across the services.

persistence:
  shareStorageVolume:
    name: share-storage
    storageClassName: "efs-sc"
    accessModes:
      - ReadWriteMany
    persistentVolumeReclaimPolicy: Retain
    annotations: {}
    mountOptions:
      - dir_mode=0650
      - file_mode=0650
    size: 2Gi

Here’s how it works:

Persistent Storage: A storage resource is allocated that can be accessed by multiple pods.

ReadWriteMany Access Mode: This allows multiple pods to both read from and write to the same storage volume at the same time, ensuring that data remains consistent across the cluster.

Environment-Specific Storage Class: The storage class, like AWS EFS (efs-sc), defines the backend storage type. You will need to choose or create a storage class suited to your cloud provider or infrastructure.

Persistent Volume Reclaim Policy: Setting this policy to Retain ensures that the data in the PersistentVolume remains intact even if the pods using it are deleted. This can be important for recovery or redeployments.

SSH Config

To provide just-in-time native CLI access for your users using SSH Certificates, set the CAPublicKey field with the matching public key of the key you used to create the SSH Certificate Issuer.

sshConfig:
    replicaCount: 1

    config:
      CAPublicKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAP.."
      # CAPublicKey: |

📘 Info

If you don't have an SSH certificate yet, please follow this guide on creating an SSH Cert issuer with Akeyless and set your CAPublicKey in the values file.

You will also need to enable Secure Remote Access on the SSH Cert Issuer either in the UI or by adding the --secure-access-enable true flag to your CLI command.
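The Global, Storage and SSH Config sections above each name a values.yaml setting that is easy to get wrong (an empty authorizedAccessIDs list, a share volume without ReadWriteMany, a truncated or non-public CAPublicKey). The following preflight check is an added example, not part of the Akeyless chart or docs; it assumes `values` is the already-parsed values.yaml (for instance from yaml.safe_load) and the sample values and Access IDs are constructed.

```python
import base64
import struct


def ssh_public_key_is_wellformed(key: str) -> bool:
    """Return True if `key` is an OpenSSH public key line whose base64 blob names the same key type.
    This rejects truncated keys (such as the placeholder on this page) and private keys pasted by mistake."""
    parts = key.split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-sha2-")):
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])          # first field of the blob is the key type string
        return blob[4:4 + n] == parts[0].encode()
    except (ValueError, struct.error):
        return False


def lint_sra_values(values: dict) -> list[str]:
    """Return a list of findings for the Remote Access settings discussed on this page (empty = OK)."""
    findings = []
    if values.get("sra", {}).get("enabled") is not True:
        findings.append("sra.enabled is not true: the ssh-sra and web-sra pods will not be deployed")
    ids = str(values.get("authorizedAccessIDs", "")).strip()
    if not ids or ids == "p-":
        findings.append("authorizedAccessIDs is empty or a placeholder: every authenticated user may use Remote Access")
    elif not all(i.strip().startswith("p-") for i in ids.split(",")):
        findings.append("authorizedAccessIDs must be a comma-separated list of Access IDs (p-...)")
    vol = values.get("persistence", {}).get("shareStorageVolume", {})
    if "ReadWriteMany" not in vol.get("accessModes", []):
        findings.append("shareStorageVolume.accessModes lacks ReadWriteMany: web-sra replicas cannot share recordings")
    ca = values.get("sshConfig", {}).get("config", {}).get("CAPublicKey", "")
    if not ssh_public_key_is_wellformed(ca):
        findings.append("sshConfig.config.CAPublicKey is missing or not a well-formed OpenSSH public key")
    return findings


def constructed_ca_public_key() -> str:
    """Constructed sample ed25519 CA public key (all-zero key material, for demonstration only)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed sample mirroring the values fragments on this page; the Access IDs are made up.
SAMPLE_VALUES = {
    "authorizedAccessIDs": "p-1234abcd,p-5678efgh",
    "sra": {"enabled": True},
    "persistence": {"shareStorageVolume": {"accessModes": ["ReadWriteMany"]}},
    "sshConfig": {"config": {"CAPublicKey": constructed_ca_public_key()}},
}
```

Run `lint_sra_values` against your parsed values before `helm install` or `helm upgrade`; any finding maps to one of the sections above.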

Install

helm install <RELEASE NAME> akeyless/akeyless-sra -f values.yaml

Verify that both the ssh-sra and web-sra pods are up and running.

Upgrade Remote Access

To upgrade Remote Access to the latest version, run the following:

helm repo update
helm upgrade <RELEASE NAME> akeyless/akeyless-sra -f values.yaml

Check that the new pods are starting.

Recommended Security Configuration Options

Allowed Redirect URL(s)

The Allowed Redirect URL(s) option ensures that only specific redirects (usually the Remote Access URLs) are accepted. This configuration allows administrators to define a list of authorized URLs that are considered valid for redirection from the Web Portal back to the Remote Access server. This enhances security by ensuring that users are only redirected to trusted URLs.

Run the following command from the Terminal:

akeyless gateway update remote-access --allowed-urls <redirect-urls>

This can also be done via the console by going to Gateways -> Your-Gateway -> Manage Gateway -> Remote Access.