Copyright © 2024

Kubernetes Access

Kubernetes support brings MrZAP technology, policy-based access control, and user visibility for Kubernetes directly into the BastionZero SaaS.

Last updated 6 months ago

The BastionZero product is maintained for existing BastionZero customers only.

Moving forward, we are natively rebuilding BastionZero’s technology as Cloudflare’s Access for Infrastructure service.

BastionZero provides zero trust remote access to your Kubernetes clusters without creating a single point of compromise. With BastionZero, you can also:

  • Put access to your Kubernetes APIs behind SSO and MFA.

  • Close all ports to your Kubernetes control plane and access your cluster without VPNs or bastion hosts.

  • Utilize our multi-root zero trust security model to protect your infrastructure even if your SSO provider is compromised.

  • Use fine-grained access controls to map from SSO users and groups to Kubernetes users and groups, without requiring any IAM roles.

  • Take advantage of audit logging to capture kubectl commands, API calls, and any other action your engineers take using kubectl exec.

The BastionZero agent can be quickly and easily deployed to your Kubernetes cluster. It is designed to minimize the impact on your established workflows and is fully compatible with third-party tools such as Lens and k9s.

See the Kubernetes Deployment guide for instructions on securing your cluster with BastionZero.

When you request a bzero.yaml file containing all the Kubernetes objects needed, a short-lived activation token is also injected into the controller. The agent uses this token to phone home to BastionZero, eliminating the need to set up any complex DNS.

When you connect to our agent, a local daemon running on the client's machine (started by our command line interface, zli) performs our MrZAP handshake and forwards traffic to our agent.

The traffic is then remotely executed on the agent via the Kubernetes Impersonate API.
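
The impersonation step and the SSO-to-Kubernetes identity mapping described above, as an added Python example (not BastionZero's code): a policy check decides which Kubernetes user and groups an SSO subject may act as, and the upstream request is built with the standard Kubernetes `Impersonate-User` and `Impersonate-Group` headers while discarding any identity headers the client supplied. The `Policy` shape, function names, token placeholder and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """Hypothetical policy: SSO subjects -> Kubernetes identities they may act as."""
    sso_users: frozenset
    sso_groups: frozenset
    k8s_users: frozenset
    k8s_groups: frozenset

class AccessDenied(Exception):
    pass

def authorize(policies, sso_user, sso_groups, want_user, want_groups):
    """True only if a single policy covers the subject and every requested identity."""
    for p in policies:
        subject_ok = sso_user in p.sso_users or bool(p.sso_groups & set(sso_groups))
        if subject_ok and want_user in p.k8s_users and set(want_groups) <= p.k8s_groups:
            return True
    return False

def build_upstream_headers(client_headers, agent_token, policies,
                           sso_user, sso_groups, want_user, want_groups):
    """Return the header list sent to the Kubernetes API server, or raise AccessDenied."""
    if not authorize(policies, sso_user, sso_groups, want_user, want_groups):
        raise AccessDenied(f"{sso_user} may not act as {want_user}/{sorted(want_groups)}")
    # Drop anything from the client that could select an identity or a credential:
    # Impersonate-User, Impersonate-Group, Impersonate-Uid, Impersonate-Extra-*, Authorization.
    kept = [(k, v) for k, v in client_headers
            if not k.lower().startswith("impersonate-") and k.lower() != "authorization"]
    # The request authenticates as the in-cluster agent, which needs RBAC permission
    # for the "impersonate" verb; the API server then authorizes the impersonated identity.
    kept.append(("Authorization", f"Bearer {agent_token}"))
    kept.append(("Impersonate-User", want_user))
    # Impersonate-Group is repeated once per group, so headers are a list, not a dict.
    kept.extend(("Impersonate-Group", g) for g in sorted(want_groups))
    return kept

# Constructed sample data (not from the page).
SAMPLE_POLICIES = [Policy(frozenset(), frozenset({"sre"}),
                          frozenset({"ops-user"}), frozenset({"developers", "viewers"}))]
SAMPLE_CLIENT_HEADERS = [("Accept", "application/json"),
                         ("Impersonate-User", "someone-else"),
                         ("authorization", "Bearer client-supplied")]

if __name__ == "__main__":
    for header in build_upstream_headers(SAMPLE_CLIENT_HEADERS, "AGENT_TOKEN_PLACEHOLDER",
                                         SAMPLE_POLICIES, "alice@example.com", ["sre"],
                                         "ops-user", ["viewers", "developers"]):
        print(header)
```

Because the client's own `Impersonate-*` and `Authorization` headers never reach the API server, the Kubernetes identity is always the one the policy granted, and the cluster audit log records both the agent's service account and the impersonated user.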

To secure a database or webserver through your cluster, see the deployment instructions for databases and webservers.
