Kubernetes Zero-Trust Access

Secure and Govern Access to your K8s Infrastructure

Rafay’s Zero-Trust Access Service enables controlled, audited access for developers, SREs and automation systems to your Kubernetes infrastructure, with just-in-time service account creation and user-level credentials management integrated with your enterprise’s RBAC/SSO solution.

Secure Kubectl Access & Authentication to Remote Clusters from Anywhere

By default, kubectl doesn’t provide Role Based Access Control (RBAC), and executed commands are not logged by user account. Further, kubectl can be cumbersome to use from outside firewalls, and managing more than a handful of clusters becomes complex and error-prone. Rafay's Zero-Trust Access Service solves these issues by centralizing and securing access to kubectl from anywhere and governing the use of kubectl by user account. With this Service, you can:

Centralize kubectl access to your entire fleet with automated RBAC

Stop rogue Kubernetes admins with user-level audit logs

Comply with internal security policies & industry regulations

Make your Security and DevSecOps teams happy

Configure & Consolidate Kubectl Access to Remote Clusters

Eliminate the burden of having to configure and manage Kubernetes Role Based Access Control cluster by cluster. Streamline and consolidate access control for your fleet of clusters spanning different operating environments, different clouds (EKS, AKS, etc.), and on-premises data centers operating behind firewalls. A single login gives authorized users (e.g., developers, operations, contractors, etc.) seamless and secure access to all clusters with a native and familiar kubectl experience. Comply with security policies with completely private datapaths. Reduce complexity and eliminate the risk of security breaches and loss in productivity.


Identity-driven Secure Access to Kubectl

The Service enables seamless access to kubectl via single sign-on (SSO) and role-based access control (RBAC), providing a high level of security. Avoid the operational and user productivity issues with SSH, Bastion, VPNs, or namespace access control. Instantly revoke user access to the fleet of clusters. Automatically implement and enforce read-only access for non-privileged users, i.e., access limited to kubectl commands such as “get,” “describe,” “logs.” Provide contractors temporary access, for example, with access terminating automatically after a specified time window. Harden user access by requiring strong authentication via MFA (TOTP, U2F, etc.) for kubectl access to pods.


Audit Log of All Kubectl Actions

The Zero-Trust Access Service records all kubectl commands by users so your company can provide true cluster and application safety. Easily search audit logs by cluster, namespace, user, and method. Prove Kubernetes compliance with internal policies, industry regulations, and audit processes.


Flexible Kubectl Access Configurations

The Zero-Trust Access Service provides the convenience of multi-cluster access and authentication externally via an integrated, browser-based virtual terminal within Rafay’s Web Console. Users can also download a consolidated kubeconfig file for use with the kubectl CLI running on laptops.

Leverage Kubectl Autocomplete

Manage applications and clusters faster with autocompletion of kubectl commands.


Eliminate Dangling Service Accounts with Just-In-Time Accounts

Old and unused service accounts (SAs) can leave clusters vulnerable over time. With the Zero-Trust Access Service, service accounts for authorized users are created just in time on remote clusters when accessed. SAs are automatically flushed from clusters after the user logs out, ensuring no dangling credentials on remote clusters.

Enable a Break Glass Process for Kubernetes Clusters

In the case of an emergency for mission-critical environments, easily implement a centralized and audited “break glass” process where all kubectl access to clusters can be disabled until a privileged administrator reapproves access.