Kubernetes

How It Works

sequenceDiagram
    participant User
    participant CLI as KMS CLI
    participant Hanzo KMS
    participant Gateway as KMS Gateway
    participant K8s as Kubernetes API Server

    User->>CLI: Request Kubernetes access
    CLI->>Hanzo KMS: Authenticate & request session
    Hanzo KMS-->>CLI: Session credentials & Gateway info
    CLI->>CLI: Start local proxy
    CLI->>Gateway: Establish secure tunnel
    User->>CLI: kubectl commands
    CLI->>Gateway: Proxy kubectl requests
    Gateway->>K8s: Forward with SA token
    K8s-->>Gateway: Response
    Gateway-->>CLI: Return response
    CLI-->>User: kubectl output

Key Concepts

Feedback
Gateway: An KMS Gateway deployed in your network that can reach the Kubernetes API server. The Gateway handles secure communication between users and your cluster.
Feedback
Service Account Token: A Kubernetes service account token that grants access to the cluster. This token is stored securely in Hanzo KMS and used by the Gateway to authenticate with the Kubernetes API.
Feedback
Local Proxy: The KMS CLI starts a local proxy on your machine that intercepts kubectl commands and routes them securely through the Gateway to your cluster.
Feedback
Session Tracking: All access sessions are logged, including when the session was created, who accessed the cluster, session duration, and when it ended.

Session Tracking

Feedback
When the session was created
Feedback
Who accessed which cluster
Feedback
Session duration
Feedback
All kubectl commands executed during the session
Feedback
When the session ended

Session Logs: After ending a session (by stopping the proxy), you can view detailed session logs in the Sessions page, including all commands executed during the session.

Prerequisites

Feedback
KMS Gateway - A Gateway deployed in your network with access to the Kubernetes API server
Feedback
Service Account - A Kubernetes service account with appropriate RBAC permissions
Feedback
KMS CLI - The KMS CLI installed on user machines

Gateway Required: Unlike AWS Console access, Kubernetes access requires an KMS Gateway to be deployed and registered with your Hanzo KMS instance. The Gateway must have network connectivity to your Kubernetes API server.

Create the PAM Resource

Before creating the resource, ensure you have an KMS Gateway running and registered with your Hanzo KMS instance. The Gateway must have network access to your Kubernetes API server.

1. Navigate to your PAM project and go to the Resources tab
2. Click Add Resource and select Kubernetes
3. Enter a name for the resource (e.g., production-k8s, staging-cluster)
4. Enter the Kubernetes API Server URL - the URL to your Kubernetes API endpoint (e.g.https://kubernetes.example.com:6443)
5. Select the Gateway that has access to this cluster
6. Configure SSL verification options if needed

SSL Verification: You may need to disable SSL verification if your Kubernetes API server uses a self-signed certificate or if the certificate's hostname doesn't match the URL you're using to access it.

Create a Service Account

Create a file named sa.yaml with the following content:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: kms-pam-sa
  namespace: kube-system
---
# Bind the ServiceAccount to the desired ClusterRole
# This example uses cluster-admin - adjust based on your needs
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kms-pam-binding
subjects:
  - kind: ServiceAccount
    name: kms-pam-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin  # Change this to a more restrictive role as needed
  apiGroup: rbac.authorization.k8s.io
---
# Create a static, non-expiring token for the ServiceAccount
apiVersion: v1
kind: Secret
metadata:
  name: kms-pam-sa-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: kms-pam-sa
type: kubernetes.io/service-account-token

Security Best Practice: The example above uses cluster-admin for simplicity. In production environments, you should create custom ClusterRoles or Roles with the minimum permissions required for each use case.

Apply the configuration to your cluster:

kubectl apply -f sa.yaml

This creates:

• A ServiceAccount named kms-pam-sa in the kube-system namespace
• A ClusterRoleBinding that grants the service account its permissions
• A Secret containing a static, non-expiring token for the service account

Get the service account token that you'll use when creating the PAM account:

kubectl -n kube-system get secret kms-pam-sa-token -o jsonpath='{.data.token}' | base64 -d

Copy this token - you'll need it in the next step.

Create PAM Accounts

Go to the Resources tab in your PAM project and open the Kubernetes resource you created.

Click Add Account.

Fill in the account details and paste the service account token you retrieved earlier.

Access Kubernetes Cluster

1. Navigate to the Resources tab in your PAM project and open the Kubernetes resource
2. In the resource’s accounts section, find the account you want to access
3. Click the Access button for that account
4. Copy the provided CLI command

Run the copied command in your terminal.

The CLI will:

1. Authenticate with Hanzo KMS
2. Establish a secure connection through the Gateway
3. Start a local proxy on your machine
4. Configure kubectl to use the proxy

Once the proxy is running, you can use kubectl commands as normal:

kubectl get pods
kubectl get namespaces
kubectl describe deployment my-app

All commands are routed securely through the KMS Gateway to your cluster.

When you're done, stop the proxy by pressing Ctrl+C in the terminal where it's running. This will:

• Close the secure tunnel
• End the session
• Log the session details to Hanzo KMS

You can view session logs in the Sessions page of your PAM project.