Skip to main content

Kubernetes Access

Background

Kubernetes supports a variety of ways to perform authentication against the API Server. While there is tremendous flexibility in the core product, operators can encounter various practical challenges:

  • Cloud providers typically support only their native IAM implementation, which may not integrate with your IdP
  • OIDC providers may not provide group claims, requiring manual mappings to RBAC roles
  • Your IdP may not be reachable by the kubernetes control plane
  • Access is managed per cluster without central control
  • Dynamic privilege escalation during incidents are slow or cumbersome RBAC changes
  • VPN based protection may not be possible or desirable

Similarly, Kubernetes supports native audit logging capabilities, but can also run into practical challenges:

  • Cloud provider deployments may be ecosystem locked with limited tooling, if any
  • Cross-cluster and cross-service audit trails must be stitched together by the operator

Solution

Pomerium can be leveraged as a proxy for user requests to the API Server.

  • Any supported IdP can be supported for authentication, in any environment
  • Group membership is supported consistently
  • Centralized, dynamic, course grained access policy
  • Global, cross resource access and audit trail
  • API server protection without the operational challenges of VPN
  • Can be hosted inside your kubernetes cluster!

How it works

Kubernetes Integration

Building on top of a standard Kubernetes and Pomerium deployment:

  1. Pomerium is given access to a Kubernetes service account with impersonation permissions
  2. A policy route is created for the API server and configured to use the service account token
  3. Kubernetes RoleBindings operate against IdP Users and Group subjects
  4. Users access the protected cluster through their standard tools, using pomerium-cli as an auth provider in ~/.kube/config
  5. Pomerium authorizes requests and passes the user identity to the API server for fine grained RBAC

Kubeconfig Setup

After installing the pomerium-cli, you must configure your kubeconfig for authentication.

Substitute mycluster.pomerium.io with your own API Server's from in Pomerium's policy:

# Add Cluster
kubectl config set-cluster via-pomerium --server=https://mycluster.pomerium.io
# Add Context
kubectl config set-context via-pomerium --user=via-pomerium --cluster=via-pomerium
# Add credentials command
kubectl config set-credentials via-pomerium --exec-command=pomerium-cli \
--exec-arg=k8s,exec-credential,https://mycluster.pomerium.io

More info

See the complete walk-through for a working end-to-end example.