Kubernetes Access
Background
Kubernetes supports a variety of ways to perform authentication against the API Server. While there is tremendous flexibility in the core product, operators can encounter various practical challenges:
- Cloud providers typically support only their native IAM implementation, which may not integrate with your IdP
- OIDC providers may not provide group claims, requiring manual mappings to RBAC roles
- Your IdP may not be reachable by the kubernetes control plane
- Access is managed per cluster without central control
- Dynamic privilege escalation during incidents are slow or cumbersome RBAC changes
- VPN based protection may not be possible or desirable
Similarly, Kubernetes supports native audit logging capabilities, but can also run into practical challenges:
- Cloud provider deployments may be ecosystem locked with limited tooling, if any
- Cross-cluster and cross-service audit trails must be stitched together by the operator
Solution
Pomerium can be leveraged as a proxy for user requests to the API Server.
- Any supported IdP can be supported for authentication, in any environment
- Group membership is supported consistently
- Centralized, dynamic, course grained access policy
- Global, cross resource access and audit trail
- API server protection without the operational challenges of VPN
- Can be hosted inside your kubernetes cluster!
How it works
Building on top of a standard Kubernetes and Pomerium deployment:
- Pomerium is given access to a Kubernetes service account with impersonation permissions
- A policy route is created for the API server and configured to use the service account token
- Kubernetes RoleBindings operate against IdP Users and Group subjects
- Users access the protected cluster through their standard tools, using pomerium-cli as an auth provider in
~/.kube/config
- Pomerium authorizes requests and passes the user identity to the API server for fine grained RBAC
Kubeconfig Setup
After installing the pomerium-cli, you must configure your kubeconfig
for authentication.
Substitute mycluster.pomerium.io
with your own API Server's from
in Pomerium's policy:
# Add Cluster
kubectl config set-cluster via-pomerium --server=https://mycluster.pomerium.io
# Add Context
kubectl config set-context via-pomerium --user=via-pomerium --cluster=via-pomerium
# Add credentials command
kubectl config set-credentials via-pomerium --exec-command=pomerium-cli \
--exec-arg=k8s,exec-credential,https://mycluster.pomerium.io
More info
See the complete walkthrough for a working end-to-end example.