Intermediate
50 minutes

Kubernetes Integration Guide

Integrate TigerAccess with your Kubernetes clusters to provide certificate-based kubectl access with comprehensive audit logging and RBAC synchronization.

Overview

TigerAccess acts as a Kubernetes API proxy, providing:

  • Certificate-Based Access: No long-lived kubeconfigs
  • Full Audit Trail: All kubectl commands logged
  • Dynamic RBAC: Permissions based on TigerAccess roles
  • Multi-Cluster: Single interface for all clusters

Prerequisites

  • TigerAccess auth and proxy services running
  • Admin access to Kubernetes cluster(s)
  • kubectl installed locally
  • Network access from proxy to Kubernetes API server

Configure Kubernetes Proxy

Enable Kubernetes support in the TigerAccess proxy:

# In /etc/tigeraccess/config.yaml
proxy:
  enabled: true
  kubernetes:
    enabled: true
    listen_addr: "0.0.0.0:3026"
    public_addr: "proxy.example.com:3026"
    # Optional: kubeconfig for cluster discovery
    kubeconfig_file: "/etc/tigeraccess/kubeconfig"

Register Kubernetes Clusters

Add Cluster

tac kube add prod-cluster \
  --kubeconfig=/path/to/kubeconfig \
  --labels=env=production,region=us-east-1

Configure Service Account

Create a service account for TigerAccess in your cluster:

# tigeraccess-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tigeraccess
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tigeraccess
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: tigeraccess
  namespace: kube-system

kubectl apply -f tigeraccess-sa.yaml

User Access Configuration

Create Kubernetes Access Role

tac roles create k8s-developer --spec - <<EOF
kind: role
version: v7
metadata:
  name: k8s-developer
spec:
  allow:
    kubernetes_labels:
      env: ["development", "staging"]
    kubernetes_resources:
      - kind: pod
        namespace: "*"
        name: "*"
        verbs: ["get", "list", "watch"]
      - kind: deployment
        namespace: "app-*"
        name: "*"
        verbs: ["get", "list", "watch", "update", "patch"]
    kubernetes_groups:
      - "view"
      - "edit"
EOF

Production Access with MFA

tac roles create k8s-admin --spec - <<EOF
kind: role
version: v7
metadata:
  name: k8s-admin
spec:
  allow:
    kubernetes_labels:
      env: ["production"]
    kubernetes_groups:
      - "cluster-admin"
  options:
    require_session_mfa: true
    max_session_ttl: 2h
EOF

kubectl Setup

Login and Get Credentials

# Login to TigerAccess
tac login --proxy=proxy.example.com:3023 --user=alice

# Configure kubectl
tac kube login prod-cluster

# Or for all clusters
tac kube login --all

Use kubectl

# List pods in all namespaces
kubectl get pods --all-namespaces

# Create deployment
kubectl create deployment nginx --image=nginx

# View logs
kubectl logs -f deployment/nginx

Switch Between Clusters

# List available clusters
tac kube ls

# Switch to different cluster
tac kube login staging-cluster

# Or use kubectl context
kubectl config use-context staging-cluster

RBAC Synchronization

Enable Automatic RBAC Sync

TigerAccess can automatically create Kubernetes RBAC resources based on your TigerAccess roles:

# In config.yaml
proxy:
  kubernetes:
    rbac_sync:
      enabled: true
      # Sync interval
      sync_interval: 5m
      # Prefix for created resources
      resource_prefix: "tigeraccess-"
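The guide does not spell out what the sync produces. The following is an added illustration, not TigerAccess's own code, of how a role spec like the k8s-developer example above could be translated into native Kubernetes RBAC objects under the configured resource_prefix. It assumes that the synced binding's subject is a Kubernetes Group named prefix plus role name (which the proxy would then present in the user's groups), that kinds map to API groups as in the KIND_TO_RESOURCE table, and that namespace globs such as app-* are expanded against the namespaces that exist at sync time, because Kubernetes RBAC itself cannot express a namespace pattern or a deny rule.

```python
from fnmatch import fnmatchcase

RBAC_API = "rbac.authorization.k8s.io/v1"

# Assumed mapping from role-spec kinds to Kubernetes API groups and plural
# resource names; only the kinds used in this guide are covered.
KIND_TO_RESOURCE = {
    "pod": ("", "pods"),
    "deployment": ("apps", "deployments"),
    "*": ("*", "*"),
}

# Constructed copy of the guide's k8s-developer role spec, as a Python dict.
K8S_DEVELOPER = {
    "allow": {
        "kubernetes_labels": {"env": ["development", "staging"]},
        "kubernetes_resources": [
            {"kind": "pod", "namespace": "*", "name": "*",
             "verbs": ["get", "list", "watch"]},
            {"kind": "deployment", "namespace": "app-*", "name": "*",
             "verbs": ["get", "list", "watch", "update", "patch"]},
        ],
    },
}


def _policy_rule(rule: dict) -> dict:
    """Translate one kubernetes_resources entry into a Kubernetes PolicyRule."""
    api_group, resource = KIND_TO_RESOURCE[rule["kind"]]
    out = {"apiGroups": [api_group], "resources": [resource], "verbs": list(rule["verbs"])}
    if rule.get("name", "*") != "*":
        # resourceNames only takes exact names; a glob here would need expansion too
        out["resourceNames"] = [rule["name"]]
    return out


def _binding(kind: str, name: str, group: str, namespace: str = "") -> dict:
    """Build a (Cluster)RoleBinding from the synced role to the synced group."""
    role_kind = "ClusterRole" if kind == "ClusterRoleBinding" else "Role"
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {
        "apiVersion": RBAC_API, "kind": kind, "metadata": meta,
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": role_kind, "name": name},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": group}],
    }


def render_rbac(role_name: str, spec: dict, existing_namespaces: list,
                prefix: str = "tigeraccess-") -> tuple:
    """Return (manifests, warnings) for one role.

    namespace "*" becomes a ClusterRole + ClusterRoleBinding; a literal or glob
    namespace becomes one Role + RoleBinding per namespace that matches at sync
    time. Deny rules are reported, not rendered: Kubernetes RBAC is allow-only,
    so they can only be enforced by the proxy.
    """
    name = f"{prefix}{role_name}"
    cluster_rules, ns_rules, warnings = [], {}, []
    for rule in spec.get("allow", {}).get("kubernetes_resources", []):
        if rule["namespace"] == "*":
            cluster_rules.append(_policy_rule(rule))
            continue
        matched = [ns for ns in existing_namespaces if fnmatchcase(ns, rule["namespace"])]
        if not matched:
            warnings.append(f"no namespace matches {rule['namespace']!r}; rule skipped")
        for ns in matched:
            ns_rules.setdefault(ns, []).append(_policy_rule(rule))
    for rule in spec.get("deny", {}).get("kubernetes_resources", []):
        warnings.append(f"deny on {rule['namespace']!r} is not expressible in "
                        "Kubernetes RBAC; it can only be enforced by the proxy")
    manifests = []
    if cluster_rules:
        manifests.append({"apiVersion": RBAC_API, "kind": "ClusterRole",
                          "metadata": {"name": name}, "rules": cluster_rules})
        manifests.append(_binding("ClusterRoleBinding", name, name))
    for ns, rules in ns_rules.items():
        manifests.append({"apiVersion": RBAC_API, "kind": "Role",
                          "metadata": {"name": name, "namespace": ns}, "rules": rules})
        manifests.append(_binding("RoleBinding", name, name, ns))
    return manifests, warnings


if __name__ == "__main__":
    # Constructed namespace list standing in for what the cluster reports.
    manifests, warnings = render_rbac(
        "k8s-developer", K8S_DEVELOPER,
        ["default", "app-payments", "app-billing", "kube-system"])
    for m in manifests:
        print(m["kind"], m["metadata"])
    for w in warnings:
        print("WARNING:", w)
```

Because the namespace set is only known at sync time, a namespace created after the last sync has no binding until the next interval (sync_interval above), which is the reason a sync-based design keeps the proxy-side enforcement of kubernetes_resources as the primary control.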

Manual Sync

# Manually trigger RBAC sync
tac kube sync-rbac prod-cluster

# Sync all clusters
tac kube sync-rbac --all

Advanced Features

Pod Exec Auditing

All kubectl exec sessions are recorded:

# Exec into pod (recorded session)
kubectl exec -it nginx-pod -- /bin/bash

# View exec session history
tac sessions ls --type=kube-exec

Namespace Restrictions

# Restrict access to specific namespaces
spec:
  allow:
    kubernetes_resources:
      - kind: "*"
        namespace: "team-backend"
        name: "*"
        verbs: ["*"]
  deny:
    kubernetes_resources:
      - kind: "*"
        namespace: "kube-system"
        name: "*"
        verbs: ["*"]
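To see how the k8s-developer role from the User Access Configuration section and the namespace restriction above combine when a request arrives, here is an added example, not TigerAccess's own code, that evaluates a proxied request against a role spec. The evaluation order (deny rules first, then the cluster's labels against kubernetes_labels, then allow rules, with anything unmatched denied), the glob semantics of "*" and app-*, and the KubeRequest shape are assumptions made for this illustration; the role specs are constructed copies of the guide's examples.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed copies of this guide's role specs, as Python dicts.
K8S_DEVELOPER = {
    "allow": {
        "kubernetes_labels": {"env": ["development", "staging"]},
        "kubernetes_resources": [
            {"kind": "pod", "namespace": "*", "name": "*",
             "verbs": ["get", "list", "watch"]},
            {"kind": "deployment", "namespace": "app-*", "name": "*",
             "verbs": ["get", "list", "watch", "update", "patch"]},
        ],
    },
}

TEAM_BACKEND = {
    "allow": {"kubernetes_resources": [
        {"kind": "*", "namespace": "team-backend", "name": "*", "verbs": ["*"]}]},
    "deny": {"kubernetes_resources": [
        {"kind": "*", "namespace": "kube-system", "name": "*", "verbs": ["*"]}]},
}


@dataclass(frozen=True)
class KubeRequest:
    """One proxied API request, as the proxy sees it after routing (assumed shape)."""
    cluster_labels: dict   # labels of the target cluster (from `tac kube add --labels`)
    kind: str              # resource kind, e.g. "pod"
    namespace: str
    name: str
    verb: str              # e.g. "get", "update", "delete"


def _glob(pattern: str, value: str) -> bool:
    """Case-sensitive glob match; "*" matches anything."""
    return fnmatchcase(value, pattern)


def _labels_match(label_spec: dict, cluster_labels: dict) -> bool:
    """Every key in the role's kubernetes_labels must match the cluster's label."""
    for key, patterns in label_spec.items():
        if key == "*":            # assumption: a "*" key means any cluster
            continue
        actual = cluster_labels.get(key)
        if actual is None or not any(_glob(p, actual) for p in patterns):
            return False
    return True


def _rule_matches(rule: dict, req: KubeRequest) -> bool:
    """A kubernetes_resources entry matches when kind, namespace, name and verb all match."""
    return (_glob(rule["kind"], req.kind)
            and _glob(rule["namespace"], req.namespace)
            and _glob(rule["name"], req.name)
            and any(_glob(v, req.verb) for v in rule["verbs"]))


def authorize(role: dict, req: KubeRequest) -> tuple:
    """Return (allowed, reason). Deny rules win over allow rules; a request on a
    cluster whose labels the role does not cover is denied before allow rules."""
    for rule in role.get("deny", {}).get("kubernetes_resources", []):
        if _rule_matches(rule, req):
            return False, f"deny rule matched: ns={rule['namespace']}"
    allow = role.get("allow", {})
    labels = allow.get("kubernetes_labels")
    if labels is not None and not _labels_match(labels, req.cluster_labels):
        return False, "cluster labels not permitted by role"
    for rule in allow.get("kubernetes_resources", []):
        if _rule_matches(rule, req):
            return True, f"allow rule matched: kind={rule['kind']} ns={rule['namespace']}"
    return False, "no allow rule matched"


if __name__ == "__main__":
    # Constructed cluster labels in the style of `tac kube add --labels=...`.
    staging = {"env": "staging", "region": "us-east-1"}
    prod = {"env": "production", "region": "us-east-1"}
    checks = [
        (K8S_DEVELOPER, KubeRequest(staging, "pod", "default", "web-0", "get")),
        (K8S_DEVELOPER, KubeRequest(staging, "pod", "default", "web-0", "delete")),
        (K8S_DEVELOPER, KubeRequest(staging, "deployment", "app-payments", "api", "update")),
        (K8S_DEVELOPER, KubeRequest(staging, "deployment", "infra", "api", "update")),
        (K8S_DEVELOPER, KubeRequest(prod, "pod", "default", "web-0", "get")),
        (TEAM_BACKEND, KubeRequest(prod, "secret", "kube-system", "token", "get")),
    ]
    for role, req in checks:
        allowed, reason = authorize(role, req)
        print(f"{req.verb:6} {req.kind}/{req.namespace}/{req.name}: "
              f"{'ALLOW' if allowed else 'DENY'} ({reason})")
```

The two checks to keep in mind when writing such specs: a verb absent from the rule's verbs list is denied even when kind and namespace match (delete on a pod above), and a deny entry blocks the request regardless of how broad the allow entries are, which is what makes the kube-system deny above safe to pair with a wide allow.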

Cluster Discovery

# Auto-discover EKS clusters
tac discovery start eks \
  --type=eks \
  --regions=us-east-1,us-west-2 \
  --tags=managed-by=tigeraccess

# Auto-discover GKE clusters
tac discovery start gke \
  --type=gke \
  --project=my-project

Troubleshooting

Unable to Connect to Cluster

# Verify cluster registration
tac kube ls

# Test connectivity
tac kube test prod-cluster

# Check credentials
kubectl cluster-info

Permission Denied

# Check effective permissions
tac status

# View Kubernetes groups
kubectl auth can-i --list
