The Controller provides a number of built-in capabilities to help developers and operators debug and diagnose issues with deployed workloads. In addition to aggregating container logs, developers and operators may also need to interact securely, in real time, with their containers on remote clusters.
Zero Trust Approach
In production, access to the Kubernetes cluster's control plane is typically:
- Highly controlled: enabled only for privileged administrator personnel.
- Locked down: privileged users are required to use SSH to interact with the control plane, and organizations typically also front it with a bastion host or VPN.
- Cumbersome: credentials (roles, role bindings) must be managed, and an audit trail of who did what must be maintained.
For multi-cluster deployments this becomes expensive (the access infrastructure has to be provided for every cluster) and laborious for the user (added latency and per-cluster credential lifecycle management). To address these issues, the controller provides a "Zero Trust" debug and diagnostics channel from the Controller to the Managed Clusters, enabling the following:
- No inbound access to the Kubernetes cluster control plane is needed
- No firewall changes are needed
- No need to manage tens or hundreds of kubeconfig files
- No need to manage roles and role bindings for users on every cluster
- No need to remember low-level kubectl commands or be an expert in the low-level aspects of Kubernetes