
Part 2: Zero Trust Kubectl

What Will You Do

In this section you will

  • Remotely access this cluster using the integrated browser based Zero Trust Kubectl
  • View Kubectl audit logs

Step 1: Access Org

  • Log into the Org with your Org Admin credentials
  • In your project, navigate to Infrastructure -> Clusters

Step 2: Zero Trust Kubectl

  • Click on the Kubectl link on the OpenShift cluster

This will provide you with a web based, zero trust kubectl shell.

  • Type the following command
kubectl get ns

(Figure: web based Zero Trust Kubectl shell)

The controller injects a "Just In Time" (JIT) service account (sa) into the target cluster when the user opens the shell. The service account is automatically bound to permissions matching the user's role in the Org, so the shell can do no more than that role allows. You can view the JIT service account with the command below. In the example, the service account for the user "tim-64rafay-46co" was created just "5 seconds" earlier, when the user opened the web based kubectl console. The service account is automatically removed from the target cluster once its configured lifetime expires, so no long-lived credential is left behind on the cluster.

kubectl get sa -n rafay-system

NAME                      SECRETS   AGE
builder                   1         47m
default                   1         47m
deployer                  1         47m
ingress-controller-v1     1         41m
rs-45admin-64rafay-46co   1         46m
system-sa                 1         47m
tim-64rafay-46co          1         5s
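The listing above only shows that the JIT service account exists and how old it is. A practitioner will also want to confirm what the account can actually do, i.e. which (Cluster)RoleBindings reference it, because that is where the "user's role in the Org" materializes on the cluster. The script below is an added example, not part of the Rafay documentation or product: it reads the JSON that `kubectl get sa -n rafay-system -o json` and `kubectl get clusterrolebindings,rolebindings -A -o json` produce, reports every service account younger than a threshold (the JIT candidates), and lists the roles bound to each. The embedded SAMPLE_* data is constructed for offline use, and the binding name `rafay-jit-tim-admin` and the `cluster-admin` role it grants are assumptions, not what the controller necessarily creates.

```python
"""Inspect the just-in-time (JIT) service account that Zero Trust Kubectl
creates in the rafay-system namespace: report its age and the RBAC roles
bound to it.

Added example; not Rafay's code. The SAMPLE_* JSON below is constructed
to look like trimmed kubectl output, and the binding/role names in it are
assumptions for illustration.
"""
import json
import subprocess
from datetime import datetime, timezone

NAMESPACE = "rafay-system"

# Constructed sample of `kubectl get sa -n rafay-system -o json` (trimmed).
SAMPLE_SA_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "default", "namespace": NAMESPACE,
                      "creationTimestamp": "2024-01-01T10:00:00Z"}},
        {"metadata": {"name": "tim-64rafay-46co", "namespace": NAMESPACE,
                      "creationTimestamp": "2024-01-01T10:46:55Z"}},
    ]
})

# Constructed sample of `kubectl get clusterrolebindings,rolebindings -A -o json`
# (trimmed). The JIT binding name and its role are assumed, not observed.
SAMPLE_BINDINGS_JSON = json.dumps({
    "items": [
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "rafay-jit-tim-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "tim-64rafay-46co",
                       "namespace": NAMESPACE}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "system:basic-user"},
         "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    ]
})


def parse_ts(ts):
    """Parse a Kubernetes creationTimestamp (RFC 3339, always UTC 'Z')."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sa_ages(sa_json, now):
    """Return {service account name: age in seconds} for a `kubectl get sa -o json` listing."""
    ages = {}
    for item in json.loads(sa_json).get("items", []):
        meta = item["metadata"]
        ages[meta["name"]] = int((now - parse_ts(meta["creationTimestamp"])).total_seconds())
    return ages


def bindings_for(sa_name, bindings_json, namespace=NAMESPACE):
    """Return 'Kind/name' of every role whose (Cluster)RoleBinding lists the service account as a subject."""
    roles = []
    for item in json.loads(bindings_json).get("items", []):
        for subject in item.get("subjects") or []:   # subjects may be absent
            if (subject.get("kind") == "ServiceAccount"
                    and subject.get("name") == sa_name
                    and subject.get("namespace") == namespace):
                ref = item["roleRef"]
                roles.append(f"{ref['kind']}/{ref['name']}")
    return sorted(roles)


def jit_report(sa_json, bindings_json, now, max_age_seconds=60):
    """Service accounts younger than max_age_seconds (JIT candidates) with the roles bound to them."""
    return {
        name: {"age_seconds": age, "roles": bindings_for(name, bindings_json)}
        for name, age in sa_ages(sa_json, now).items()
        if age <= max_age_seconds
    }


def run_kubectl(*args):
    """Run kubectl and return its stdout (used only when inspecting a live cluster)."""
    return subprocess.check_output(["kubectl", *args], text=True)


if __name__ == "__main__":
    # Live cluster:
    #   sa = run_kubectl("get", "sa", "-n", NAMESPACE, "-o", "json")
    #   rb = run_kubectl("get", "clusterrolebindings,rolebindings", "-A", "-o", "json")
    #   now = datetime.now(timezone.utc)
    now = parse_ts("2024-01-01T10:47:00Z")   # 5 s after the sample JIT SA was created
    print(json.dumps(jit_report(SAMPLE_SA_JSON, SAMPLE_BINDINGS_JSON, now), indent=2))
```

Run it again after the configured lifetime has elapsed: the JIT account should be gone from the `sa` listing and, equally important, its binding should be gone too, since a dangling binding is harmless only until a service account of the same name is recreated.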

Step 3: Audit Logs

All commands issued through the zero trust kubectl channel pass through the controller rather than going directly to the cluster's API server. As a result, a complete, centralized audit trail of who did what and when is maintained, independent of the audit configuration of the individual cluster.

Administrators can view these audit logs.

  • Click on Home -> System -> Audit Logs
  • Click on the Kubectl tab

Audit logs can be viewed by "API" or by "Commands" (for the web based shell). See an example of the audit logs below.

(Figure: ZTKA audit trail)


Recap

Congratulations! In this section, you

  • Experienced how users can securely access clusters behind firewalls using zero trust kubectl
  • Viewed the centralized audit logs for all kubectl based commands performed by users on managed clusters