Kubernetes Access

Kubernetes support brings MrZAP technology, policy-based access control, and user visibility for Kubernetes directly into the BastionZero SaaS

BastionZero provides zero trust remote access to your Kubernetes clusters without creating a single point of compromise. With BastionZero, you can also:

  • Put access to your Kubernetes APIs behind SSO and MFA.

  • Close all ports to your Kubernetes control plane and access your cluster without VPNs or bastion hosts.

  • Utilize our multi-root zero trust security model to protect your infrastructure even if your SSO provider is compromised.

  • Use fine-grained access controls to map from SSO users and groups to Kubernetes users and groups, without requiring any IAM roles.

  • Take advantage of audit logging to capture kubectl commands, API calls, and any other action your engineers take using kubectl exec.

The BastionZero agent can be deployed to your Kubernetes cluster quickly and easily. It is designed to minimize the impact on your established workflows and is fully compatible with third-party tools such as Lens and k9s.

See the Kubernetes Deployment guide for instructions on securing your cluster with BastionZero.

After you request a bzero.yaml file containing all the Kubernetes objects needed, a short-lived activation token is also injected into the controller. The agent uses this token to phone home to BastionZero, eliminating the need to set up any complex DNS.

When connecting to our agent, we utilize a local daemon running on the client's machine (started by our command line interface, zli) which performs the MrZAP handshake and forwards traffic to our agent.

The traffic is then executed remotely on the agent via the Kubernetes user impersonation API.
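The mapping from SSO identities to Kubernetes users and groups, and the impersonation step that carries it out, can be modelled in a few lines. The example below is an added illustration and is not BastionZero's code: the policy format, the function names and the sample identities are constructed assumptions. What is not assumed is the Kubernetes side: the API server honours `Impersonate-User`, `Impersonate-Group` and `Impersonate-Extra-*` request headers only when the calling identity holds the `impersonate` verb on the `users`, `groups` and `userextras/<key>` resources, and `resourceNames` in that RBAC rule limits which identities may be assumed.

```python
"""Model of SSO-to-Kubernetes identity mapping through the impersonation API.

Added example, not BastionZero code. POLICY, the function names and the
sample SSO identities are constructed for illustration.
"""
from typing import Optional

# Constructed policy: SSO group -> Kubernetes identity the request is made as.
POLICY = {
    "sso:platform-admins": {"user": "cluster-admin", "groups": ["system:masters"]},
    "sso:developers": {"user": "developer", "groups": ["dev-readers"]},
}

# Extra attribute carried on the impersonated identity so audit logs can be
# tied back to the SSO subject (hypothetical key name).
EXTRA_KEY = "sso-subject"


def impersonation_headers(sso_user: str, sso_groups: list[str]) -> Optional[dict]:
    """Return the Impersonate-* headers for an SSO identity, or None when the
    identity matches no policy entry (the request must then be refused, never
    forwarded with the agent's own credentials).

    The first SSO group that has a policy entry wins; a production policy
    engine would define an explicit precedence rather than rely on the order
    the SSO provider lists groups in.
    """
    for group in sso_groups:
        entry = POLICY.get(group)
        if entry is None:
            continue
        return {
            "Impersonate-User": entry["user"],
            # Kubernetes accepts Impersonate-Group repeated once per group;
            # a list is the usual client-side representation of that.
            "Impersonate-Group": list(entry["groups"]),
            f"Impersonate-Extra-{EXTRA_KEY}": sso_user,
        }
    return None


def kubectl_equivalent(headers: dict) -> list[str]:
    """The kubectl flags that produce the same impersonated request, useful
    when reproducing a logged action by hand."""
    args = [f"--as={headers['Impersonate-User']}"]
    args += [f"--as-group={g}" for g in headers["Impersonate-Group"]]
    return args


def impersonation_clusterrole(name: str = "impersonator") -> dict:
    """Least-privilege ClusterRole for the identity that performs the
    impersonation: it may only assume the users and groups the policy names,
    so a compromised agent credential cannot escalate to an arbitrary user."""
    users = sorted({e["user"] for e in POLICY.values()})
    groups = sorted({g for e in POLICY.values() for g in e["groups"]})
    rule = lambda resources, names: {  # noqa: E731 - small builder
        "apiGroups": [""],
        "resources": resources,
        "verbs": ["impersonate"],
        "resourceNames": names,
    }
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": [
            rule(["users"], users),
            rule(["groups"], groups),
            # Needed because the request sets an Impersonate-Extra-* header.
            {"apiGroups": [""], "resources": [f"userextras/{EXTRA_KEY}"],
             "verbs": ["impersonate"]},
        ],
    }


if __name__ == "__main__":
    hdrs = impersonation_headers("alice@example.com", ["sso:developers"])
    print(hdrs)
    print("kubectl", *kubectl_equivalent(hdrs))
    print(impersonation_headers("mallory@example.com", ["sso:guests"]))
    print(impersonation_clusterrole())
```

Because the API server records both the calling identity and the impersonated identity (the `impersonatedUser` field in audit events), the audit trail shows which agent credential acted and which SSO-derived user it acted as; the `resourceNames` restriction above is what keeps that mapping from being widened by anyone holding the agent's credential.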

To secure a database or webserver through your cluster, see the deployment instructions for databases here and webservers here.


Copyright © 2024