# Kubernetes Access

{% hint style="danger" %}

### <mark style="color:red;">**The BastionZero product is maintained for existing BastionZero customers only.**</mark>&#x20;

Moving forward, we are natively rebuilding BastionZero’s technology as Cloudflare’s [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/applications/non-http/infrastructure-apps/) service.
{% endhint %}

BastionZero provides zero trust remote access to your Kubernetes clusters without creating a single point of compromise. With BastionZero, you can also:

* Put access to your Kubernetes APIs behind SSO and MFA.
* Close all ports to your Kubernetes control plane and access your cluster without VPNs or bastion hosts.
* Utilize our multi-root zero trust security model to protect your infrastructure even if your SSO provider is compromised.
* Use fine-grained access controls to map from SSO users and groups to Kubernetes users and groups, without requiring any IAM roles.
* Take advantage of audit logging to capture kubectl commands, API calls, and any other action your engineers take using kubectl exec.

The BastionZero agent can be quickly and easily deployed to your Kubernetes cluster. It is designed to minimize the impact to your established workflows and is fully compatible with use with third party tools such as lens and k9s.

{% hint style="info" %}
See the [Kubernetes Deployment](/docs/deployment/installing-the-agent.md#kubernetes) guide for instructions on securing your cluster with BastionZero.
{% endhint %}

After requesting a `bzero.yaml` file with all the Kubernetes objects needed, a short-lived activation token is also injected into the controller. This token can then be used by the agent to phone home back to BastionZero, eliminating the need to set up any complex DNS.

When connecting to our agent, we utilize a local daemon running on the clients machine (started by our command line interface `zli`) which will perform our MrZAP handshake and forward along traffic to our agent:

The traffic is then remotely executed on the agent via Kubernetes Impersonate API.

{% hint style="info" %}
To secure a database or webserver through your cluster, see the deployment instructions for databases [here](/docs/deployment/installing-the-agent.md#accessing-databases-through-a-kubernetes-cluster) and webservers [here](/docs/deployment/installing-the-agent.md#accessing-webservers-through-a-kubernetes-cluster).
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.bastionzero.com/docs/home/readme/kubernetes-access.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.