Skip to content

Turbo-charging kubectl: How Rafay’s Zero-Trust Access + Regional Proxies Deliver Lightning-Fast CLI Performance

When developers are halfway around the world from their clusters, every kubectl get pods can feel like it’s moving through molasses. Rafay’s Zero-Trust Kubectl (ZTKA) service fixes the security risks and the lag by adding a network of regional proxies between the user and the cluster.

Zero-Trust Kubectl in a Nutshell

Rafay ZTKA routes all CLI and web-terminal traffic through its Kube API Access Proxy. The key design goals are:

  1. Friction-free for users (“vanilla kubectl”),
  2. Zero infrastructure to manage for platform teams,
  3. Centralized RBAC + audit, and “great performance” even for clusters behind firewalls. 

Under the hood, users authenticate to Rafay; Rafay spins up just-in-time service accounts inside the target cluster and tears them down after idle timeouts, eliminating credential sprawl.

The Latency Problem

kubectl is a chatty protocol; even a simple command triggers dozens of round-trips to the Kubernetes API server. Consider a scenario where the Kubernetes cluster is deployed in a datacenter in Singapore. With ~250 ms RTT between Singapore and the Rafay SaaS controller (deployed in US-West), this can spell double-digit-second waits and a painful developer experience. 

Centralized Proxy

Enter Regional Proxies

Rafay operates regional proxy POPs worldwide. End user traffic is directed and terminated at the nearest POP, then forwarded to the target cluster. This helps slash the critical path latency seen by kubectl.

Regional Proxy

Let's evaluate with a real-world workflow:

  1. Developer in Singapore downloads a short-lived kubeconfig from Rafay.
  2. KubeCTL CLI opens a TLS session to the Singapore regional proxy (≈ 20 ms RTT).
  3. Once the JIT service account is created on the target cluster in Singapore, the Regioanal Proxy forwards traffic directly to the target cluster.
  4. Responses stream back to the user at interactive speeds; subsequent commands reuse the existing SA and are even faster.

Summary

Rafay’s Zero-Trust Kubectl already removed the VPN/bastion tax from Kubernetes administration. By front-loading the service with smart regional proxies, it also removes the latency tax—so your developers stay productive, wherever they (or their clusters) happen to be.

Important

This feature only applies to Customer Orgs on Rafay's SaaS platform. SaaS customers should contact their designated Rafay Customer Success contact to have this enabled.