Secure Remote Access Bastion
The Akeyless Secure Remote Access Bastion provides secure remote access to resources using Akeyless Just-in-Time credentials (dynamic secrets and SSH certificates).
This chart bootstraps an Akeyless Secure Remote Access Bastion deployment on a Kubernetes cluster using the Helm package manager.
Prerequisites
- Helm installed
- Kubernetes cluster installed
- SSH Certificate - required to enable CLI access.
Network
Currently, the database applications (MySQL, MongoDB, MSSQL) only work properly behind a load balancer with "sticky" sessions enabled:
- Ingress - make sure to use a sticky-session annotation, for example nginx.ingress.kubernetes.io/affinity: "cookie" with the NGINX Ingress controller.
- Cloud Provider LB - make sure the load balancer is configured for sticky sessions; for example on AWS with a classic ELB: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-sticky-sessions.html
When SSH sessions run behind a load balancer such as ELB, the load balancer's idle connection timeout can close the session, so it is advisable to raise it to a reasonably high value, or to the maximum the load balancer allows.
e.g. when running on AWS with ELB: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html?icmpid=docs_elb_console
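As an added example (not part of the chart or the Akeyless documentation), the two network settings above expressed as Kubernetes manifests: an NGINX Ingress with cookie-based affinity and raised proxy timeouts in front of the web bastion, and a LoadBalancer Service in front of the SSH bastion annotated for a long classic-ELB idle timeout. The namespace, hostname, TLS secret, service name web-sra-akeyless, selector label and port numbers are placeholders chosen for illustration, not values defined by the chart.

```yaml
# Added example: sticky sessions and long idle timeouts for the bastion.
# Namespace, host, secret, service names, labels and ports are assumptions.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: akeyless-sra-web
  namespace: akeyless
  annotations:
    # Pin each browser to one backend pod: required for the MySQL/MongoDB/MSSQL flows.
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
    nginx.ingress.kubernetes.io/session-cookie-name: "akeyless-sra-route"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "28800"
    # Long-lived sessions: stop the proxy from closing idle connections after its 60s default.
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - sra.example.com
      secretName: sra-tls
  rules:
    - host: sra.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-sra-akeyless   # assumed service name for the web bastion pods
                port:
                  number: 8888           # placeholder port
---
# Classic ELB in front of the SSH bastion. The classic ELB idle timeout defaults to 60s
# and accepts 1-4000s; 4000 is the maximum, so "unlimited" is not available here.
apiVersion: v1
kind: Service
metadata:
  name: ssh-sra-akeyless-lb
  namespace: akeyless
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"
spec:
  type: LoadBalancer
  selector:
    app: ssh-sra-akeyless              # assumed pod label
  ports:
    - name: ssh
      port: 22
      targetPort: 22
      protocol: TCP
```

Cookie affinity only helps if the same cookie reaches the same Ingress controller replica path, so keep TLS termination at the Ingress (as above) rather than at a cloud load balancer that re-encrypts to a different backend; otherwise configure stickiness at that load balancer as the page describes.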
Storage
Currently, the helm chart requires a storage class with ReadWriteMany access modes.
Since a storage class is environment specific, you will need to provide one before proceeding. In addition, provide 2 PersistentVolumes with persistentVolumeReclaimPolicy: Retain and reference those PVs in the values.yaml file.
e.g when running on AWS with EKS: https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html
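As an added example (not the chart's own manifests), a static EFS-backed setup on EKS that satisfies the three requirements above: a storage class backed by the EFS CSI driver, and two PersistentVolumes with ReadWriteMany access and a Retain reclaim policy. The file system and access point IDs are placeholders you must replace with your own; the PV names and capacity are assumptions, not values the chart dictates.

```yaml
# Added example: static EFS storage for the bastion (aws-efs-csi-driver must be installed).
# fs-/fsap- IDs are placeholders; PV names and capacity are assumptions.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: efs-sc
provisioner: efs.csi.aws.com
reclaimPolicy: Retain
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: akeyless-sra-pv-1
spec:
  capacity:
    storage: 5Gi                  # EFS is elastic; this only has to satisfy the PVC request
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany               # shared by all ssh/web replicas, including HPA scale-outs
  persistentVolumeReclaimPolicy: Retain   # data survives deletion of the PVC or release
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    # <file-system-id>::<access-point-id>; one access point per PV gives each volume
    # its own root directory and enforced POSIX identity on the shared file system.
    volumeHandle: fs-0123456789abcdef0::fsap-0123456789abcdef0
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: akeyless-sra-pv-2
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: fs-0123456789abcdef0::fsap-0fedcba9876543210   # second access point, same file system
```

After applying, kubectl get pv should list both volumes as Available; they move to Bound once the chart's PersistentVolumeClaims reference them by the names you put in values.yaml (the exact keys are shown by helm show values akeyless/akeyless-sra). Keeping the reclaim policy at Retain means a failed or deleted release does not wipe the bastion's state, but it also means you must delete the EFS data yourself when decommissioning.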
Horizontal Auto-Scaling
Horizontal auto-scaling is based on the HorizontalPodAutoscaler object.
For it to work properly, the Kubernetes metrics server must be installed in the cluster - https://github.com/kubernetes-sigs/metrics-server
Note:
To enable Secure Remote Access features you will have to get an access-key to Akeyless private repository. Please contact your Account Manager for more details.
Installing the Chart
Add Akeyless helm charts repository to your Helm repository list:
helm repo add akeyless https://akeylesslabs.github.io/helm-charts
helm repo update
The values.yaml file holds the default values; copy it from:
https://github.com/akeylesslabs/helm-charts/tree/main/charts/akeyless-secure-remote-access
Or run the following helm command to generate the values file:
helm show values akeyless/akeyless-sra > values.yaml
Then replace the defaults with the values for your environment where needed.
Info
If you don't have an SSH certificate ready, please follow this guide on how to create an SSH Cert Issuer with Akeyless Vault, and set your CA public key in the values.yaml file.
The following parameters are mandatory:
Parameter | Default Value | Info
---|---|---
dockerRepositoryCreds | N/A | Required. Credentials to access the Akeyless internal image repository.
apiGatewayURL | N/A | Required. The full URL of your Akeyless Gateway.
privilegedAccess | N/A | Required. Credentials for zero-trust access: when provided, end users need only "list" permission on the Akeyless items they use.
allowedAccessIDs | [ ] | Limits access to privileged items to the listed end-user Access IDs only.
CAPublicKey | N/A | Required. The CA public key of the SSH Cert Issuer.
Install the chart:
helm install <RELEASE NAME> akeyless/akeyless-sra -f values.yaml
Verify that both ssh-sra-akeyless and web-sra-akeyless pods are up and running.
Tip
Akeyless supports session termination, which can be configured as part of this chart deployment.
To enable session termination, set your Okta or Keycloak apiURL and apiToken under the sessionTermination section.