Web Access on K8s
Akeyless Web Access Bastion provides Secure Remote Access to any web application with session recording, including proxy service acting as an entry point to your internal web applications, where only after successful authentication users will get access, either via an isolated remote browser or directly to your target server based on your secret configuration.
Working with isolated browsers provides a complete zero-knowledge where users do not have any knowledge about the access credentials.
This chart bootstraps the Akeyless-Web-Access-Bastion deployment on a Kubernetes cluster using the Helm package manager.
Prerequisites
-
Helm Installed
-
K8s Installed
-
Minimum 1 vCPU available with 2GB RAM for the
WebWorker
and 1 vCPU available with 1GB RAM for theWebDispatcher
This can be explicitly specified inside the chart for thewebWorker
and for thedispatcher
services.
**Network**
When using an Embedded browser session behind a load balancer such as ELB, the session can be closed due to an idle connection timeout, it's advised to increase it to a reasonably high value or even unlimited.
e.g, when running on AWS with ELB: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html?icmpid=docs_elb_console
**Storage**
To be able to download files to your local machine, the chart requires a storage class with ReadWriteMany
access mode.
Since a storage class is more environment specific, you will need to provide one before proceeding. In addition, please provide a PersistentVolumes
with reference under the persistence
section in the values.yaml
file.
persistence:
shareStorageVolume:
name: share-storage
storageClassName: "efs-sc"
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
annotations: {}
mountOptions:
- dir_mode=0650
- file_mode=0650
size: 2Gi
e.g, when running on AWS with EKS: https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html
For security reasons, please limit the PersistentVolumesmount permissions to
0650`.
**Horizontal Auto-Scaling**
Horizontal auto-scaling is based on the HorizontalPodAutoscaler object.
For it to work correctly, the Kubernetes metrics server must be installed in the cluster - https://github.com/kubernetes-sigs/metrics-server.
Warning
To enable Secure Remote Access features you will have to get an access-key to Akeyless private repository. Please contact your Account Manager for more details.
Installing the Chart
Add Akeyless helm charts repository to your Helm repository list:
helm repo add akeyless https://akeylesslabs.github.io/helm-charts
helm repo update
The values.yaml file holds default values. Copy the file from:
https://github.com/akeylesslabs/helm-charts/tree/main/charts/akeyless-zero-trust-web-access
Or run the following helm command to generate the values file locally:
helm show values akeyless/akeyless-zero-trust-web-access > values.yaml
Configuration
To connect to Akeyless private repository, set the dockerRepositoryCreds
field to access the Akeyless internal image and the relevant apiGatewayURL
to point your Gateway REST API port 8080
dockerRepositoryCreds:
apiGatewayURL: https://rest.akeyless.io
# Optional, to Work with a specifc enviorement set the relevant URL.
env:
- name: AKEYLESS_URL
value: "https://vault.akeyless.io"
To enable HTTP Proxy mode for remote access, add the following environment variable to the env
section under the dispatcher configuration:
env:
- name: WEB_PROXY_TYPE
value: http
Warning
The HTTP-type proxy will only work with Chrome browsers currently. For Firefox, you can skip this environment variable configuration so the default
socks-proxy
protocol will be used.
The Web Access Bastion should be set with a privileged AccessID
with Read and list permissions. To fetch the relevant secret on behalf of your users, set the privilegedAccess
field with the relevant AccessID
as described in the Authentication section of this page.
Users then can have only list
permissions on their secrets. Upon successful authentication against your IDP, the bastion will fetch the requested secret from Akeyless and will inject them directly for your users transparently.
To control who will be the relevant users that will be allowed to request access from the Akeyless Bastion, set the allowedAccessIDs
field with a list of AccessIDs
that will be authorized to request access.
privilegedAccess:
accessID: ""
allowedAccessIDs: []
Authentication
The following Authentication Methods are supported:
API Key Authentication
To set your Bastion default authentication based on API Key, set the accessID
and the matching accessKey
with a list of allowedAccessIDs
that will be authorized to request access:
privilegedAccess:
accessID: "<API Key Access ID>"
accessKey: "<Access Key>"
allowedAccessIDs:
- p-xxxxxxx
CSP IAM Authentication
While running your K8s cluster inside your cloud environment, you can use AWS IAM, or Azure Active Directory, using machine-to-machine authentication between Akeyless and your Cloud Service Provider with a list of allowed AccessIDs
that will be authorized to request access.
AWS IAM
AWS IAM can be used in the following approach:
- Instance IAM Role
While working with an IAM Role associated with the instance himself, you can simply provide your AWS IAM Access ID
as your accessID
, with a list of allowedAccessIDs
that will be authorized to request access:
privilegedAccess:
accessID: "<AWS IAM Access ID>"
allowedAccessIDs:
- p-xxxxxxx
Azure Active Directory
Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. Akeyless treats Azure as a trusted third party and verifies entities based on a JWT signed by the Azure Active Directory for the configured tenant.
Set your Azure Active Directory Access ID
as your accessID
with a list of allowedAccessIDs
that will be authorized to request access:
privilegedAccess:
accessID: "Azure AD Access ID"
allowedAccessIDs:
- p-xxxxxxx
Install
helm install <RELEASE NAME> akeyless/akeyless-zero-trust-web-access -f values.yaml
Verify that both pods are up and running:
web-worker-deployment
web-dispatcher-deployment
Updated 13 days ago