How do you connect to your production clusters? Do you keep your configuration files locally and directly connect using SSH or kubectl from your workstation, or do you prefer using a jumphost for enhanced security? I'm not considering GitOps for this discussion, just looking for general practices.
6 Answers
I usually VPN into our VPC and use OIDC for authentication with the clusters. It's a straightforward setup, and since OIDC is linked to RBAC roles, only a few of us have the ability to run kubectl commands on the clusters.
I access the internet with IP whitelisting, and I authenticate through the IAP Proxy of GCP, which even adds DDoS protection for extra security.
I use kubelogin with OpenID for auth. Honestly, I'm not super clear on how it all works, but when I invoke my kubeconfig locally, it opens a browser for login and then I’m in the cluster, pretty slick!
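To make the "OIDC linked to RBAC roles" and "kubeconfig opens a browser" answers above concrete, here is an added example (not from any poster): a kubeconfig user that authenticates through the int128 kubelogin exec plugin, plus the ClusterRoleBinding that limits kubectl rights to one identity-provider group. The issuer URL, client id, cluster address, CA path and group name are placeholders; it assumes the API server was started with the matching `--oidc-*` flags noted in the comments.

```yaml
# kubeconfig: the exec plugin runs kubelogin, which opens the browser once and caches the ID token.
# Assumes API server flags: --oidc-issuer-url=https://sso.example.com --oidc-client-id=kubectl
#   --oidc-username-claim=email --oidc-groups-claim=groups --oidc-groups-prefix=oidc:
apiVersion: v1
kind: Config
clusters:
- name: prod
  cluster:
    server: https://10.0.0.10:6443            # placeholder: private address reached over the VPN
    certificate-authority: /etc/kube/prod-ca.crt   # placeholder path to the cluster CA
users:
- name: oidc-prod
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://sso.example.com   # placeholder issuer
      - --oidc-client-id=kubectl                    # placeholder client id
      - --oidc-extra-scope=groups                   # ask the IdP to include group claims
contexts:
- name: prod
  context:
    cluster: prod
    user: oidc-prod
current-context: prod
---
# RBAC: only members of the IdP group "k8s-prod-admins" can act as cluster-admin.
# The API server prepends --oidc-groups-prefix ("oidc:") to every group claim, so the
# subject name must carry that prefix or the binding silently never matches.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prod-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: oidc:k8s-prod-admins   # placeholder group name
```

Anyone authenticated by the IdP but outside that group gets a valid token and still sees `Forbidden` from the API server, which is the behaviour the first answer describes; `kubectl auth can-i --list` is a quick way to confirm what a given login actually received.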
I've done both: connecting directly from my device or going through a bastion host. Most of the time, I utilize kubectl or Freelens, which also works with kubectl. The configurations are stored on the host I connect from.
Have you guys heard of Teleport? It's another tool that helps with secure access to clusters.
From my experience, most teams use a bastion or jumphost, especially when it comes to production clusters for security reasons. Some do keep kubectl and YAML files locally for dev or staging, but limiting direct access for prod is usually the way to go. I've been trying out runnable for spinning up ephemeral workflows for tasks—super useful to manage scripts without needing to touch the production machines directly.

Exactly! ZTNA is way better than relying on bastion hosts. They just add an extra layer of obscurity without real security.