Configuring a Kubernetes Cluster

The end user can access a cluster through the PAM Jump server. Depending on the RBAC policy defined on the cluster, the user can then access the resources with respective namespaces. Once taking access from SSH Direct proxy server and entering the credentials; the user can then select the configured K8 cluster by entering the name in the provided format.

You can configure a Kubernetes cluster as follows:

Adding a Kubernetes Cluster Asset in PAM:

1. Manage→ Asset Management → Add New Assets

2. Choose Asset category: Application, Asset type: Kubernetes, Asset version: (the preferred version).

3. Fill in the details for Host Name, Primary IP, Secondary IP, Description, Criticality Level, Owner, and Tags.

4. Select the appropriate policies.

5. Enter the configuration values for the four Config Value Fields. Here the following details would be required:

   1. Config Value 1: certificate-authority-data

   2. Config Value 2: Cluster-Name

   3. Config Value 3: Master Server URL

6. Tick the Active checkbox.

7. Click on Save.

The system supports a certificate or a token based authentication type for accessing the K8 cluster environment.

Configuring a Kubernetes Cluster Linked Account in PAM:

After creating a Kubernetes Cluster asset, you can now link accounts and specify access with the following steps:

1. Login as PAM admin user.

2. Navigate to the Manage → Select Asset Management to open assets inventory page.

3. Click on the Action arrow of an Kubernetes Cluster asset on which you desire to add the account and select the Manage Linked Account option.

4. You will be redirected on the accounts page of the selected asset host-name.

5. Click on + Add New Account button and fill in the credentials.

6. Click on the Save button and select the Save option → The account is now on-boarded in the system.

There are two new additional authentication types called Certificate and Secrets that have been added for accounts linked to a Kubernetes Cluster asset.

• The certificate-based authentication would include fields titled Certificate Data and Key Data which can be found under the Certificate authentication type.

• A token-based authentication would require token can be user specified in Secret 1 field of the Secret authentication type.

For defining context and namespace, either of which having the option of being one or more that one. The following format can be entered in the Config Value 2 field of the account configuration form.

• The Format to define context and namespace can be seen below:

  • Consider a single context name and a single namespace then such a configuration would be defined as contextname1{namespace1}. Example : If user_1 has the access of “dev-context” and namespace “dev” then the format will be dev-context{dev}

  • Consider a single context name and two namespaces then such a configuration would be defined as contextname2{namespace2, namespace3}. Example : If user_2 has the access of “dev-context” (only 1 namespace “dev”), and “preprod” context (multiple namespaces as “preprodN1, preprodN2”)  then the format will be dev-context{dev}, preprod{preprodN1~ preprodN2}

  • If user_3 has the full access i.e., all context and all namespaces then the format will be username@clusername{}

• Note: Multiple contexts can be separated by comma “,” and multiple namespaces can be separated using tilde “~” operator.

In order to enable access to a cluster, a new shell script file is generated and saved in the root directory of the management account. With every new session created the system would also generate a new shell script file in root directory of management account specified in Jump shell proxy configuration. A new dynamic account (with Enforced Password Change) is created and the shell script file from users root directory is deleted.