
Kubernetes Access

Zero Trust Kubectl

It is recommended that end users of the Kubernetes cluster (for example, developers) use the secure Zero Trust Kubectl service. Users can either use the "web based shell" or "download the kubeconfig" to access the cluster using the Kubectl CLI from their laptops.


Direct Kubectl Access

Organizations may be required to give "privileged administrators" direct Kubectl access to the cluster, "bypassing" the zero trust kubectl channel. The instructions below describe how this works and how to set it up.

sequenceDiagram
    participant admin as Administrator 
    box Upstream Kubernetes Cluster
    participant master as k8s Master Node
    participant api as k8s API Server
    end

    admin->>master: SSH to Master Node
    note right of master: Local Kubectl CLI and kubeconfig file
    master->>api: Kubectl Commands 
    api->>master: Responses
    master->>admin: End SSH Session

Step 1: SSH to Master Node

  • Identify the name or IP address of the Kubernetes master node
  • SSH to the node using the ssh command. For example, for a node named demo-node and the SSH username ubuntu, run the command below
ssh ubuntu@demo-node

For users with key pair based authentication, specify the private key file using the -i option, as shown in the example below

ssh -i <privatekey_filename> ubuntu@demo-node

Step 2: Execute Kubectl Commands

Now the user is logged in and can run the kubectl commands.

  • Before running the kubectl commands, set the KUBECONFIG environment variable to point to the cluster's kubeconfig file.
export KUBECONFIG=/root/.kube/config
  • Now run the kubectl commands on this node. For example, to get the list of pods, use the command below
kubectl get pods -A

Note

Ensure you have the required permissions to execute the commands. Users can use sudo to run these commands as "root".
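
Because the kubeconfig on the master node grants direct access to the API server, it is worth checking the file before using it in Step 2. The following is an added example, not part of the original instructions: the function names are hypothetical, and the default path /root/.kube/config is an assumption based on Step 2.

```shell
# Added example: pre-flight checks before using an admin kubeconfig directly.
# Function names are hypothetical; the default path is assumed from Step 2.

# Return 0 if the kubeconfig is a readable regular file with no group/other
# permission bits, 1 if it is missing or unreadable, 2 if it is too permissive.
check_kubeconfig_perms() {
    cfg=$1
    if [ ! -f "$cfg" ] || [ ! -r "$cfg" ]; then
        echo "kubeconfig not found or not readable: $cfg" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    go_bits=$(ls -ldL -- "$cfg" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "kubeconfig is accessible to group/other ($go_bits): $cfg" >&2
        return 2
    fi
    return 0
}

# Check the file, then show which context and permissions the session has.
# Returns the check's status on failure, or 3 if no context can be read.
direct_kubectl_preflight() {
    cfg=${1:-/root/.kube/config}
    check_kubeconfig_perms "$cfg" || return $?
    export KUBECONFIG="$cfg"
    kubectl config current-context || return 3
    # Lists the actions the kubeconfig's identity is allowed to perform.
    kubectl auth can-i --list
}
```
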