• Overview
  • Banyan Kubernetes Authentication
• Steps
  • 1. Create a Role for your End Users
  • 2. Create a Policy for your Kubernetes Cluster
  • 3. Define a TCP Service for the Kubernetes Cluster
  • 4. Connect via the Banyan desktop app

Overview

In most environments, the K8S API is not exposed to the public internet. In such cases, you can use Banyan’s default Mutually Authenticated TLS (MTLS) flows for TCP services to provide your end users VPN-free Zero Trust access regardless of their network location. K8S API traffic flows through the Banyan Access Tier and is wrapped in a MTLS tunnel (shown in the diagram below).

We define the K8S API as a TCP Service (and not a Web Service) even though it uses the HTTP protocol because the K8S API is accessed via a CLI tool kubectl and not a web browser.

Banyan Kubernetes Authentication

Banyan’s default approach is to treat K8S like any other TCP service and be agnostic to the underlying K8S authentication method. You can retain your current K8S authentication mechanism - be it password, client cert, JWT tokens, etc. We strongly recommend using the Banyan OIDC provider which will allow access to your Kubernetes clusters using native K8S RBAC. Review our K8S OIDC Authentication capability to learn more.

Steps

Setting up VPN-free access to an K8S Cluster via the K8S API is the setup process followed to secure a TCP service, as described in Notes on Securing TCP Services.

In this article, we will create a Banyan Role (for employees with personal devices) and a Banyan Policy so only users on devices that meet the policy can gain to secure access to the Kubernetes API, using the following steps:

1. In the Banyan Command Center, create a Role
2. In the Banyan Command Center, create a Policy
3. In the Banyan Command Center, define a TCP Service
4. On the end user device, click “Connect” in the Banyan Desktop App

1. Create a Role for your End Users

In the Banyan Command Center, navigate to Secure Access > Roles and then click + Add Role. Create a User Role and select Role Attributes so that the role only applies to specific sets of users and devices.

2. Create a Policy for your Kubernetes Cluster

Now, create an access policy that uses the created role.

Navigate to Secure Access > Policies and then select Create Policy. Select the option TCP Policy.

3. Define a TCP Service for the Kubernetes Cluster

We strongly recommend using the Banyan OIDC provider which will allow access to your Kubernetes clusters using native K8S RBAC. If you are configuring OIDC authentication, select Kubernetes and review our K8S OIDC Authentication capability.

Configure a Hosted Service for zero-trust access to your Kubernetes Cluster:

3.1 Navigate from Manage Services > Infrastructure and then select + Register Service. Configure the service as shown below:

3.2 Under Service Details, enter a Service Name. Optionally, enter a Description and a Link.

3.3 Select a Cluster.

3.4 Optional Display the Service in the Banyan app by toggling on Show Service in Service Catalog within the Banyan App.

3.5 Optional: Enable Autorun if you want this Infrastructure Service to automatically start when users in your org log into the Banyan app.

Note: Autorun settings are only evaluated during device registration. End users can manually adjust Autorun settings from their desktop app after registration, and these changes will not be reflected in the Command Center UI.

3.6 Under Service Attributes, select an Access Tier.

3.7 Select a Service Domain Name for this service (e.g.,mykube.corp.example.com ); the banyanproxy will tunnel Kubernetes traffic over the assigned listen port.

3.8 Enter a Backend DNS Override for your Service Domain Name.

3.9 Under Service Connection Settings, set an Assigned Listen Port (e.g., 8081). Choose whether your end users can override these settings.

3.10 Under Kubernetes Settings, enter a Cluster Name and a Kube-OIDC-Proxy CA Public Key.

3.11 Optional: Attach the policy you created in Step 2, and then choose an Enforcement Mode (i.e., Permissive or Enforcing).

4. Connect via the Banyan desktop app

Ensure your end users install the latest Banyan desktop app and register their device.

Once the Service is defined, your end users will see it in their Banyan desktop app.

When the user selects Connect (only required if Autorun has not been enabled), the desktop app will launch the banyanproxy in HTTP_CONNECT_DAISY_CHAIN Mode, on the specified port.

Now, they can set the https_proxy environment variable before you call kubectl to automatically tunnel the session over the Mutual-Auth TLS channel set up by Banyan.

https_proxy=http://localhost:8081 kubectl get pods

If your end user is using kubectl v1.19+, they can add a proxy-url field directly to their ~/.kube/config file instead of specifying the https_proxy env var.

Verify that your output lists your running pods correctly.

NAME                    READY   STATUS    RESTARTS   AGE
podreader-default-pod   1/1     Running   0          35h

Can’t find what you’re looking for?

We’re happy to help. Contact our team .