
KOP Upstream Clusters - Zero Trust Host Access

The Salt channels allow users to make the changes required at the infrastructure layer by sending customized commands to their instances. Only Org Admins are allowed to make the request. A Swagger REST API is supported for performing Salt Exec operations.

Salt Exec Core Model

  • The Org Admin calls the API with target nodes and commands
  • The Salt-exec authenticates and authorizes the call. The authorization process checks the following:
      • If all the nodes belong to the projects
      • If the user is authorized to access the project
  • The user receives the salt-exec ID
  • Use another API along with this ID to get the status and standard output response from the commands sent
  • Use an API for an audit trail that contains the information - { command run, user, target nodes, project, source IP address, timestamps }
  • The request, salt-exec ID, and responses are stored in the database

Salt Exec Architecture

API commands

Step 1: Post


Example of Post request:

      {
        "target": "",                        (if node, specify the hostname; if cluster, this will be nil)
        "target_type": "<node/cluster>",
        "command": "",
        "content_type": "<string/base64>",   (string is the default)
        "timeout": 60                        (default)
      }
  • Target is either an array of nodes or a single cluster
  • Any large script can be executed in a single command (base64 or otherwise)
  • Users should not retry when the nodes are unreachable; thus call the API again
  • Users cannot send commands to unapproved nodes. Only Approved and Provisioned nodes respond to commands
  • TRIMMED_VALUE is shown if the standard output returned from the node is large

Example of Post Request Output

    Id: hashvalue

Step 2: Get Response

Enter the below command to fetch the required information.


Provide the ID retrieved from the post request output

Get Response Output

    NodeResponses: [
        "Name" :
        "Resp" : {
    Responded: [
    Unreachable: [
    Unapproved: [
    Pending: [


Step 3: Get History


The query limit and offset control how many history entries are returned. The default limit is 10 responses, and the offset is 0 if no input is passed.

Check Connectivity

Use the below script to check the connectivity

    ping -c 1 "$TARGET_HOST"    # TARGET_HOST is a placeholder; set it to the host to test
    if [ $? -eq 0 ]; then
        echo 'Connection working'
    else
        echo 'Error in connection to URL'
    fi

Use Base64 to encode the above script. Base64 is an encoding scheme for binary data that needs to be stored and transferred over media designed to deal with textual data. This ensures the data remains intact without modification during transport. Base64 is an encoding, not encryption, so it does not hide the script's contents.
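The following is an added example, not code from the product or this page: it Base64-encodes a connectivity script and builds a request body using the field names from the Post request above, then decodes it again so the exact command can be reviewed before it is sent. It assumes the body is JSON and that a node target is a list of hostnames; the function names, `example.com` and the node hostname are constructed for illustration.

```python
import base64
import json

# Constructed sample script; example.com is a placeholder target, not from the page.
SCRIPT = """ping -c 1 example.com
if [ $? -eq 0 ]; then
    echo 'Connection working'
else
    echo 'Error in connection to URL'
fi
"""

ALLOWED_TARGET_TYPES = {"node", "cluster"}


def build_request(script, target, target_type="node", timeout=60):
    """Return the Post body with the script carried as Base64 text."""
    if target_type not in ALLOWED_TARGET_TYPES:
        raise ValueError(f"target_type must be one of {sorted(ALLOWED_TARGET_TYPES)}")
    if target_type == "node" and not target:
        raise ValueError("a node target needs at least one hostname")
    if not script.strip():
        raise ValueError("refusing to send an empty command")
    # b64encode emits a single line of ASCII, safe to embed in a JSON string
    encoded = base64.b64encode(script.encode("utf-8")).decode("ascii")
    return {
        "target": target if target_type == "node" else None,  # nil for a cluster
        "target_type": target_type,
        "command": encoded,
        "content_type": "base64",
        "timeout": timeout,
    }


def decode_command(body):
    """Recover the script text from a request body, e.g. when reviewing history."""
    if body["content_type"] != "base64":
        return body["command"]
    # validate=True rejects characters outside the Base64 alphabet
    return base64.b64decode(body["command"], validate=True).decode("utf-8")


if __name__ == "__main__":
    body = build_request(SCRIPT, ["node-1.example.internal"])  # constructed hostname
    print(json.dumps(body, indent=2))
    print(decode_command(body))
```
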

Connectivity script encoded in Base64 format: