Kubernetes Access

Secure Kubernetes access with fine-grained RBAC, session recording, and native kubectl support. No more sharing kubeconfig files.

Estimated time: 15 minutes

Key Features

Fine-Grained RBAC

Control access by cluster, namespace, and resource type

Short-Lived Creds

No static kubeconfig files to manage

Command Auditing

Log all kubectl commands and exec sessions

Native kubectl

Works with standard kubectl client

Setup Steps

1. Register a Kubernetes Cluster

Add your Kubernetes cluster to TigerAccess.

tacctl create -f - <<EOF
kind: kube_cluster
metadata:
  name: prod-cluster
  labels:
    env: production
    region: us-east-1
spec:
  kubeconfig: /etc/tigeraccess/kubeconfig
EOF
2. Configure Kubernetes Role

Define who can access which clusters and namespaces.

tacctl create -f - <<EOF
kind: role
metadata:
  name: k8s-developer
spec:
  allow:
    kubernetes_labels:
      env: [dev, staging]
    kubernetes_groups: [developers]
    kubernetes_users: ["{{internal.kubernetes_users}}"]

  # Restrict to specific namespaces
  kubernetes_resources:
    - kind: pod
      namespaces: ["default", "app-*"]
      verbs: ["get", "list", "watch", "exec"]
    - kind: service
      namespaces: ["*"]
      verbs: ["get", "list"]
EOF
3. Enable Session Recording

Record kubectl exec sessions for audit.

tacctl create -f - <<EOF
kind: role
metadata:
  name: audited-k8s
spec:
  options:
    record_session:
      default: best_effort
      kubernetes: strict

    # Audit kubectl commands
    audit_kubernetes_commands: true
EOF
4. Access Kubernetes

Use kubectl through TigerAccess.

# Login
tac login --proxy=access.company.com

# List available clusters
tac kube ls

# Run kubectl commands
tac kube get pods -n production
tac kube exec -it pod-name -- /bin/bash
tac kube logs deployment/app

# Generate kubeconfig for native kubectl
tac kube config > ~/.kube/tigeraccess.conf
export KUBECONFIG=~/.kube/tigeraccess.conf
kubectl get pods
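
To check what the kubernetes_resources rules from step 2 grant before assigning the role, the following added example (not TigerAccess code and not part of the original guide) models them in Python with default deny and flags rules worth a review. It assumes namespace patterns are shell-style globs; the names is_allowed, review and SENSITIVE_VERBS are hypothetical.

```python
from fnmatch import fnmatchcase

# Rules copied from the k8s-developer role in step 2 (kubernetes_resources).
RULES = [
    {"kind": "pod", "namespaces": ["default", "app-*"],
     "verbs": ["get", "list", "watch", "exec"]},
    {"kind": "service", "namespaces": ["*"], "verbs": ["get", "list"]},
]

# Assumption: verbs that give interactive or write access deserve a second look.
SENSITIVE_VERBS = {"exec", "create", "update", "patch", "delete", "*"}


def is_allowed(rules, kind, namespace, verb):
    """Default deny: a request passes only if one rule matches kind, namespace and verb.

    Assumption: namespace patterns are shell-style globs, so "app-*" matches
    "app-payments" but not "myapp-1" or "app".
    """
    for rule in rules:
        if rule["kind"] != kind or verb not in rule["verbs"]:
            continue
        if any(fnmatchcase(namespace, pat) for pat in rule["namespaces"]):
            return True
    return False


def review(rules):
    """Return one finding per rule that pairs a wildcard namespace with its verbs."""
    findings = []
    for i, rule in enumerate(rules):
        risky = sorted(SENSITIVE_VERBS & set(rule["verbs"]))
        wide = [p for p in rule["namespaces"] if "*" in p]
        if risky and wide:
            findings.append(f"rule {i} ({rule['kind']}): {risky} on wildcard namespaces {wide}")
        elif "*" in rule["namespaces"]:
            findings.append(f"rule {i} ({rule['kind']}): {rule['verbs']} in every namespace")
    return findings


if __name__ == "__main__":
    # Constructed sample requests: (kind, namespace, verb).
    for req in [("pod", "app-payments", "exec"), ("pod", "kube-system", "exec"),
                ("pod", "production", "get"), ("service", "kube-system", "list")]:
        print(req, "->", "allow" if is_allowed(RULES, *req) else "deny")
    print("\n".join(review(RULES)))
```

Under these assumptions the pod rule does not cover the production namespace, so a request there is denied unless another role grants it.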

CLI Commands

Command                                 Description
tac kube ls                             List available clusters
tac kube get pods                       Run kubectl get pods
tac kube exec -it pod -- sh             Exec into a pod
tac kube logs deploy/app                View deployment logs
tac kube port-forward svc/app 8080:80   Port forwarding
tac kube config                         Generate kubeconfig

Kubernetes Access Configured

With Kubernetes access configured, you have:

  • Secure access to all your clusters
  • Fine-grained RBAC by namespace and resource
  • Complete audit trail for kubectl commands
  • Compatibility with the native kubectl client