Zero Trust Kubectl
End users of the Kubernetes cluster (e.g. developers) are recommended to use the secure Zero Trust Kubectl service. Users can use either the "web based shell" or "download the kubeconfig" to access the cluster with the Kubectl CLI from their laptops.
Direct Kubectl Access
Organizations may have a requirement to give "privileged administrators" direct Kubectl access to the cluster, "bypassing" the zero trust kubectl channel. The instructions below describe how this works and how it can be set up.
```mermaid
sequenceDiagram
    participant admin as Administrator
    box Upstream Kubernetes Cluster
        participant master as k8s Master Node
        participant api as k8s API Server
    end
    admin->>master: SSH to Master Node
    note right of master: Local Kubectl CLI and kubeconfig file
    master->>api: Kubectl Commands
    api->>master: Responses
    master->>admin: End SSH Session
```
Step 1: SSH to Master Node
- Identify the name or IP address of the K8s master node.
- SSH to the node using the ssh command. For example, for the node named demo-node and the ssh username ubuntu, run the below command:

ssh ubuntu@demo-node

For users with key-pair based authentication, specify the private key file using the -i option as shown in the below example:

ssh -i <privatekey_filename> ubuntu@demo-node
Step 2: Execute Kubectl Commands
Now the user is logged in and can run the kubectl commands.
- Before running the kubectl commands, set the KUBECONFIG environment variable to point to the cluster's kubeconfig file.
- Now run the kubectl commands on this node. For example, to get the list of pods in all namespaces, use the below command:

kubectl get pods -A

Ensure you have the required permissions to execute the commands. Users can use sudo to run these commands as "root".
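The two steps above, wrapped in small POSIX shell helpers, as an added example that is not part of the original page or the product's own tooling. It builds the ssh command from Step 1, and before running a kubectl command with KUBECONFIG set (Step 2) it checks that the kubeconfig file exists and is not readable by group or others, since that file carries cluster credentials and the direct channel has no other guard. The user name, host name, key file and kubeconfig path are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for the direct
# kubectl procedure. User, host, key file and kubeconfig path are
# assumptions passed in by the caller.

# Step 1: build the ssh command. Arguments: user host [private_key_file].
build_ssh_cmd() {
    user="$1"; host="$2"; key="$3"
    if [ -n "$key" ]; then
        printf 'ssh -i %s %s@%s\n' "$key" "$user" "$host"
    else
        printf 'ssh %s@%s\n' "$user" "$host"
    fi
}

# Step 2 guard: the file KUBECONFIG will point to must exist and must not
# be readable by group or others. Returns 0 when acceptable, 1 otherwise.
check_kubeconfig() {
    cfg="$1"
    [ -f "$cfg" ] || return 1
    # characters 5-10 of the ls mode string are the group and other bits
    mode=$(ls -ld "$cfg" | cut -c5-10)
    case "$mode" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Step 2: run one kubectl command on the node with KUBECONFIG set,
# refusing to run if the kubeconfig check fails.
run_kubectl() {
    cfg="$1"; shift
    if ! check_kubeconfig "$cfg"; then
        echo "refusing to run: $cfg is missing or too permissive" >&2
        return 1
    fi
    KUBECONFIG="$cfg" kubectl "$@"
}

# Example usage (on the master node, after the ssh session from Step 1):
#   build_ssh_cmd ubuntu demo-node /path/to/privatekey
#   run_kubectl /path/to/kubeconfig get pods -A
```

When running as root with sudo, keep in mind that sudo resets the environment by default, so a KUBECONFIG exported in the login shell is not seen by `sudo kubectl`; either pass the variable on the sudo command line or use `sudo -E`.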