Secure Kubectl Access to Remote Clusters from Anywhere
Kubectl is an incredibly powerful tool to manage clusters. By default, kubectl doesn’t provide role-based access control (RBAC), and executed commands are not logged by user account. Further, kubectl can be cumbersome to access outside firewalls, and managing more than a handful of clusters becomes complex and error-prone. Zero-Trust Kubectl Access (ZTKA) solves these issues by centralizing and securing access to kubectl from anywhere and governing the use of kubectl by user account. With ZTKA, you can:
Centralize kubectl access to your entire fleet with automated RBAC
Stop rogue Kubernetes admins with user-level audit logs
Comply with internal policies & industry regulations
Make your CSO and DevSecOps teams happy
Consolidate Kubectl Access to Remote Clusters
Eliminate the burden of having to configure and manage RBAC cluster by cluster. Streamline and consolidate access control for kubectl access to your fleet of clusters spanning different operating environments, different clouds, and on-premises data centers operating behind firewalls. A single login gives authorized users (e.g., developers, operations, contractors, etc.) seamless and secure access to all clusters with a native and familiar kubectl experience. Comply with security policies with completely private datapaths. Reduce complexity and eliminate the risk of security breaches and loss in productivity.
Identity-driven Secure Access to Kubectl
Enables seamless access via single sign-on (SSO) and role-based access control (RBAC) to kubectl, providing a high level of security. Avoid the operational and user productivity issues with SSH, Bastion, or VPNs. Instantly revoke user access to the fleet of clusters. Automatically implement and enforce read-only access for non-privileged users, i.e., access limited to kubectl commands such as “get,” “describe,” “logs.” Provide temporary access to contractors, for example, with access terminating automatically after a specified time window. Harden user access by requiring strong authentication via MFA (TOTP, U2F, etc.) for kubectl access to clusters.
Audit Log of All Kubectl Actions
ZTKA records all kubectl commands by users so your company can view, search and trace a centralized audit log across all users and clusters. Easily search logs by cluster, namespace, and method. Prove compliance with internal policies, industry regulations, and audit processes.
Flexible Kubectl Access
ZTKA provides the convenience of multi-cluster access via an integrated, browser-based virtual terminal within the Rafay Managed Kubernetes Platform’s Console. Users can also download a consolidated kubeconfig file for use with kubectl CLI running on laptops.
Manage applications and clusters faster with autocompletion of kubectl commands.
Eliminate Dangling Service Accounts with Just-In-Time Accounts
Old and unused service accounts (SAs) can leave clusters vulnerable over time. WIth ZTKA, service accounts for authorized users are created just in time on remote clusters when accessed. SAs are automatically flushed from clusters after the user logs out, ensuring no dangling credentials on remote clusters.
Enable a Break Glass Process for Kubernetes Clusters
In the case of an emergency for mission-critical environments, easily implement a centralized and audited “break glass” process where all kubectl access to clusters can be disabled until a privileged administrator reapproves access.
Download the White Paper
Sample K8s Management POC Test Plan
Customize this POC plan for your K8s POC