Version: v42

Accessing Kubernetes APIs Via PrivX

This page describes how the PrivX API Proxy is used to control access to Kubernetes cluster APIs from native clients such as kubectl and helm.

Prerequisites

  • Kubernetes cluster administrator has set up proper roles and permissions in the kubernetes cluster, and provided the cluster address, any trust-anchor certificates and the static bearer token to the PrivX administrator.
  • PrivX API Proxy can connect to the kubernetes cluster either directly or via a PrivX extender.

Adding the Kubernetes API Target

  1. If you haven't already, create the necessary PrivX role(s) for accessing the cluster.

  2. On Administration→API Targets, create an API target with the following information:

  • Name: A unique name for the API target.
  • Roles: PrivX roles to be given access to the kubernetes API.
  • Bearer Token: The bearer token used for authenticating to the kubernetes cluster API.
  • TLS Trust Anchors: Needed if your kubernetes cluster API TLS certificate cannot be validated using system trust anchors.
  • To allow HTTPS access to all API endpoints with any method, add an authorized endpoint like the following:
    • Host: Address and port of the kubernetes cluster's API.
    • NAT Target Host: If the kubernetes cluster is accessed via an Extender, set this to the Extender prefix.
    • Protocols: HTTPS
    • Methods: All (*)
    • Paths: **
Info: The previous API-target configuration allows any PrivX end user with a required role to access the kubernetes cluster with all roles and permissions associated with the kubernetes cluster API bearer token. We recommend configuring the kubernetes cluster roles and permissions following the principle of least privilege, so that access rights are enforced in the kubernetes cluster itself.

Connecting to the kubernetes API via PrivX

API access via PrivX requires API connections to be authenticated and proxied via PrivX API Proxy. This means users need to:

  1. Create API Proxy Credentials for authenticating against the PrivX API Proxy.
  2. Configure their native client to proxy connections via the PrivX API Proxy.

You will need to specify the following for the API Proxy credentials:

  • Name: A unique name for the credentials.
  • API Target: The API target this API Proxy credential grants access to. In this example, select the kubernetes API target created earlier.

For more details about creating API Proxy credentials, see Creating API Proxy Credentials.

To obtain API-target information, click Connections→API Targets and select the kubernetes API target. Use the provided information to configure your kubeconfig file:

  • certificate-authority-data kubeconfig variable specifies the TLS trust anchor certificate as a base64-encoded PEM certificate. The end user must copy the PrivX API Proxy CA certificate (PEM) data from the API-target information, base64-encode it, and paste the result into this variable.

  • proxy-url kubeconfig variable specifies the proxy address for kubernetes client tools. Copy the address from the HTTP Proxy Public Addresses in the API-target information into this variable.

  • server kubeconfig variable specifies the kubernetes cluster address and optional port. Copy the API target's Authorized Endpoints to this variable.

  • user.token kubeconfig variable specifies the static bearer token used for authenticating. Copy the API proxy credential Bearer Token to this variable.

    If the API-target information states No API Proxy Credentials are available for this API target, ensure the user has API Proxy Credentials as per earlier instructions.

The resulting kubeconfig file should look similar to the following:

    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: <base64_encoded_ca_certificate>
        proxy-url: http://privx.example.com:20080
        server: https://kubernetes-prod.privx.example.com:16443
      name: kubernetes-prod-cluster
    contexts:
    - context:
        cluster: kubernetes-prod-cluster
        user: kubernetes-prod
      name: kubernetes-prod
    current-context: kubernetes-prod
    kind: Config
    preferences: {}
    users:
    - name: kubernetes-prod
      user:
        token: <api_proxy_credentials_bearer_token>
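
As an added example (not PrivX's own tooling), the following POSIX shell script carries out the kubeconfig steps above: it base64-encodes the PrivX API Proxy CA PEM, writes the four proxy-related settings into a kubeconfig, and sanity-checks the result before kubectl or helm are pointed at it. The file names, the example addresses and the token value are assumed placeholders.

```shell
#!/bin/sh
# Added helper, not part of PrivX: builds a kubeconfig from the values shown on the
# PrivX API-target page (CA PEM file, HTTP Proxy public address, authorized endpoint,
# API Proxy credential bearer token) and checks it. All input values are assumed.

build_kubeconfig() {
  ca_pem_file=$1; proxy_url=$2; server=$3; token=$4; out=$5
  # Guide step: base64-encode the PEM data as a single line (no wrapping)
  ca_b64=$(base64 < "$ca_pem_file" | tr -d '\n')
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes-prod-cluster
  cluster:
    certificate-authority-data: ${ca_b64}
    proxy-url: ${proxy_url}
    server: ${server}
contexts:
- name: kubernetes-prod
  context:
    cluster: kubernetes-prod-cluster
    user: kubernetes-prod
current-context: kubernetes-prod
users:
- name: kubernetes-prod
  user:
    token: ${token}
EOF
}

# Returns 0 when the proxy-url, an https server and a real token are present and the
# certificate-authority-data decodes back to a PEM certificate block.
check_kubeconfig() {
  f=$1
  grep -q '^    proxy-url: http' "$f"    || { echo "missing proxy-url"; return 1; }
  grep -q '^    server: https://' "$f"   || { echo "server must be https"; return 1; }
  grep -q '^    token: [^<]' "$f"        || { echo "bearer token still a placeholder"; return 1; }
  ca=$(sed -n 's/^    certificate-authority-data: //p' "$f")
  printf '%s' "$ca" | base64 -d 2>/dev/null | grep -q 'BEGIN CERTIFICATE' \
    || { echo "certificate-authority-data is not base64-encoded PEM"; return 1; }
  return 0
}

# Usage: sh privx-kubeconfig.sh privx-ca.pem <proxy-url> <server> <token> <out-file>
if [ $# -eq 5 ]; then
  build_kubeconfig "$@" && check_kubeconfig "$5" && echo "kubeconfig written to $5"
fi
```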

Running kubectl And helm

End users can use kubernetes client applications - like kubectl and helm - as usual. The REST API requests are passed through the PrivX API Proxy for access control and monitoring purposes. End users cannot access the kubernetes cluster API directly, since they do not have the credentials needed for authenticating to the kubernetes cluster API directly.

PrivX administrators can monitor and terminate end users' API sessions under Monitor→Connections.