Introduction to Kubernetes Access
Connecting your cluster to BastionZero is simple: install the BastionZero agent on your cluster and set up your local client. With BastionZero you can:
  • Use Single-Sign-On (SSO) via your identity provider (IdP) to connect to and authenticate with multiple clusters at the same time.
  • Always capture the API endpoints that are being hit, with the option to also capture the plain-English kubectl commands directly (if using our zli wrapper).
  • Use MrZAP technology to get zero-trust remote access without creating a single point of compromise.

Installing Our Agent Is Quick and Simple

For step-by-step instructions on securing your cluster with BastionZero, see the Kubernetes Quick Start Guide.
Diagram of the flow between BastionZero's agent, the provisioner, and the Kubernetes clusters
When you request a bzero.yaml file containing all the Kubernetes objects that are needed, a short-lived activation token is also injected into the controller. The agent can then use this token to phone home to BastionZero, eliminating the need to set up any complex DNS.
When you connect to our agent, a local daemon running on the client's machine (started by our command line interface, zli) performs our MrZAP handshake and forwards traffic to our agent:
A diagram of what happens when a user executes a kubectl command
The traffic is then remotely executed on the agent via the Kubernetes Impersonate API.
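Kubernetes impersonation works through the Impersonate-User and Impersonate-Group request headers, so a forwarding agent must discard any identity headers the client sent before setting its own. The Go code below is an added example, not BastionZero's agent code; the function name impersonatedHeaders, the token placeholder and the sample identities are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// impersonatedHeaders (hypothetical helper) builds the headers an agent sends
// to the API server on behalf of a user it has already authenticated.
func impersonatedHeaders(in http.Header, user string, groups []string, agentToken string) (http.Header, error) {
	// Without Impersonate-User the API server evaluates the request as the
	// agent's own service account, so an empty identity must fail closed.
	if strings.TrimSpace(user) == "" {
		return nil, errors.New("refusing to forward a request without a verified user")
	}
	out := http.Header{}
	for name, values := range in {
		lower := strings.ToLower(name)
		// Drop every header a client could use to choose its own identity:
		// its credentials and Impersonate-User/-Group/-Uid/-Extra-*.
		if lower == "authorization" || strings.HasPrefix(lower, "impersonate-") {
			continue
		}
		out[http.CanonicalHeaderKey(name)] = append([]string(nil), values...)
	}
	out.Set("Authorization", "Bearer "+agentToken) // agent's service account token
	out.Set("Impersonate-User", user)
	for _, g := range groups {
		out.Add("Impersonate-Group", g)
	}
	return out, nil
}

func main() {
	// Constructed sample: a client request that tries to smuggle an identity.
	in := http.Header{}
	in.Set("Accept", "application/json")
	in.Set("Authorization", "Bearer client-supplied")
	in.Set("Impersonate-User", "system:admin")
	in.Add("Impersonate-Group", "system:masters")

	out, err := impersonatedHeaders(in, "alice@example.com", []string{"dev-team"}, "AGENT_SA_TOKEN_PLACEHOLDER")
	if err != nil {
		panic(err)
	}
	fmt.Println(out.Get("Impersonate-User"), out.Values("Impersonate-Group"))
}
```

The service account behind the agent's token needs the RBAC impersonate verb, and the impersonated user and groups appear alongside the real caller in the API server audit log.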