Secure Access Sharing to Kubernetes Clusters
Sharing access to Kubernetes clusters can be challenging. You might have to work with IAMs from different providers, have a bunch of dedicated tooling installed, get access to kubectl files, make those files work with your kubectl, and finally ensure you are on the same network as the target cluster API. Because of this difficulty, users might bypass security best practices. We have addressed this challenge and made it easy for Lens users to access and share access to clusters without compromising security.
When you use Spaces, you’ll get the option to share access to your cluster and accept invitations from others to access their clusters. To make this possible, we created an entirely new technology: Cluster Connect. It allows Lens users to connect any of their clusters to Spaces without requiring an inbound port to be enabled on the firewall. It utilizes end-to-end encryption to secure connections between users and clusters, eliminating the need for a VPN. This means there is no need to expose the Kubernetes API via the Internet. Developers and operators can access and work with their Kubernetes clusters easily from anywhere.
How does it work?
- Lens Spaces aggregates all connected Kubernetes clusters and exposes them to end users via the secured Lens K8S Proxy.
- Kubernetes clusters are added by installing the Cluster Connect Agent in the desired clusters. This is done automatically if the cluster admin wants to share the cluster with a Lens Space. The agent opens an authenticated and secure connection from the cluster to Lens Spaces.
- End users obtain kubeconfigs for their clusters from Lens Spaces. The Lens K8S Proxy uses these kubeconfigs to authenticate users and tunnel requests to the specific cluster. The Cluster Connect Agent translates proxied requests to match the desired Kubernetes RBAC user / group.
Cluster Connect Regions
Cluster Connect supports different Regions for the Lens K8S Proxy Server infrastructure. Choose a region which is geographically closest to the cluster when installing the Cluster Connect agent to maximise performance.
- United States of America
In order to change the region you need to uninstall and re-install the Cluster Connect Agent from your local Clusters Settings.
Cluster Connect Technical Details
- Cluster Connect is based on BoreD OSS software:
  - BoreD (OSS container image), one per Space, is used to create a secure tunnel between Lens IDE and the cluster
  - BoreD Agent is a one-time install and uses the native Kubernetes impersonation functionality (industry standard)
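The translation of proxied requests to an RBAC user / group described under "How does it work?" rests on the Kubernetes impersonation headers (`Impersonate-User`, `Impersonate-Group`). The following Go code is an added example, not BoreD or Lens code: the `Identity` type and `Impersonate` function are hypothetical names, and it assumes the proxy has already authenticated the user.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Identity is the user the proxy has already authenticated (hypothetical type).
type Identity struct {
	User   string
	Groups []string
}

// Impersonate builds the headers for the request sent to the Kubernetes API
// server so that RBAC is evaluated as id. Client-supplied Impersonate-* and
// Authorization headers are dropped; otherwise a caller could pick its own
// identity or pass its own credential through the agent.
func Impersonate(in http.Header, id Identity) (http.Header, error) {
	if id.User == "" {
		return nil, errors.New("no authenticated user; refusing to forward")
	}
	out := http.Header{}
	for k, v := range in {
		lk := strings.ToLower(k)
		if strings.HasPrefix(lk, "impersonate-") || lk == "authorization" {
			continue
		}
		out[k] = append([]string(nil), v...) // copy, do not alias the input
	}
	out.Set("Impersonate-User", id.User)
	for _, g := range id.Groups {
		out.Add("Impersonate-Group", g)
	}
	return out, nil
}

func main() {
	// Constructed request: the client supplies its own impersonation headers.
	in := http.Header{}
	in.Set("Accept", "application/json")
	in.Set("Impersonate-User", "admin")
	in.Add("Impersonate-Group", "system:masters")
	id := Identity{User: "alice@example.com", Groups: []string{"dev-readonly"}}
	out, err := Impersonate(in, id)
	fmt.Println(out, err)
}
```

The identity that makes the upstream call needs the `impersonate` verb in Kubernetes RBAC; limiting that grant with `resourceNames` bounds which users and groups it can act as.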
Cluster Connect IP Allowlist
If you require the IP addresses used by the Cluster Connect environment, please use the list of IP addresses below:
United States of America Region
If you require the IP addresses used by the Spaces Client, please use the list of IP addresses below: