FeaturesMain SiteSign In / Try Now
Search…
Home
What Is BastionZero?
Server Access
Database Access
Kubernetes Access
Webserver Access
Product Security
Architecture
Taxonomy
Deployment
Getting Started
Installing the ZLI
Installing the Agent
Automation & Integrations
Third-Party Clients
Admin Guide
Authentication
Authorization
Auditing
Target and Connection Management
User Guide
Installing the ZLI
ZLI Cheat Sheet
Connecting To Your Targets
Troubleshooting Guide
ZLI Reference Manual
API Specification
Getting Help
Product Changes
Service Status
Github
Powered By GitBook
Kubernetes Access
Kubernetes support brings MrZAP technology, policy-based access control, and user visibility for Kubernetes directly into the BastionZero SaaS
BastionZero provides zero-trust remote access to your Kubernetes clusters without creating a single point of compromise. With BastionZero, you can also:
  • Put access to your Kubernetes APIs behind SSO and MFA.
  • Close all ports to your Kubernetes control plane and access your cluster without VPNs or bastion hosts.
  • Utilize our multi-root zero-trust security model to protect your infrastructure even if your SSO provider is compromised.
  • Use fine-grained access controls to map from SSO users and groups to Kubernetes users and groups, without requiring any IAM roles.
  • Take advantage of audit logging to capture kubectl commands, API calls, and any other action your engineers take using kubectl exec.
The BastionZero agent can be quickly and easily deployed to your Kubernetes cluster. It is designed to minimize the impact to your established workflows and is fully compatible with use with third party tools such as lens and k9s.
See the Kubernetes Deployment guide for instructions on securing your cluster with BastionZero.
After requesting a bzero.yaml file with all the Kubernetes objects needed, a short-lived activation token is also injected into the controller. This token can then be used by the agent to phone home back to BastionZero, eliminating the need to set up any complex DNS.
When connecting to our agent, we utilize a local daemon running on the clients machine (started by our command line interface zli) which will perform our MrZAP handshake and forward along traffic to our agent:
The traffic is then remotely executed on the agent via Kubernetes Impersonate API.
To secure a database or webserver through your cluster, see the deployment instructions for databases here and webservers here.
Previous
Database Access
Next
Webserver Access
Last modified 29d ago
Copy link