Kubernetes access management

Beta release. See Enable self-service features.

The Kubernetes access management feature in Okta Privileged Access allows teams to automate the process of cluster onboarding, discovery, and authentication.

Features

Feature: Syncing available clusters to local devices
Description: The Okta Privileged Access client lets users sync the clusters that Okta Privileged Access manages, together with the matching contexts and accounts, into their local kubeconfig file.

Feature: Okta Privileged Access authentication in clusters
Description: Teams can configure clusters to use Okta Privileged Access as an OpenID Connect (OIDC) provider, so users authenticate to the cluster API with their Okta credentials.

Feature: Terraform integration
Description: The OktaPAM Terraform provider lets teams automate adding clusters to Okta Privileged Access, generating the OIDC issuer URL each cluster needs in order to use Okta Privileged Access as its identity provider, and creating access control policies.

Feature: Cluster access control
Description: Okta Privileged Access offers fine-grained access control to clusters. Teams assign labels to each cluster and create cluster groups, each of which pairs a label selector with a specific Okta Privileged Access group. The selector determines which clusters the members of that group can access.

Feature: Minimal process disruption
Description: Teams keep full control over creating and managing their Kubernetes clusters. Okta Privileged Access is used only for cluster discovery and authentication, and users keep interacting with clusters through familiar tools such as kubectl.
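The following Terraform configuration is an added example that ties the three pieces above together (registering a cluster, pairing a cluster group with an Okta Privileged Access group through a label selector, and wiring the cluster's RBAC to the resulting OIDC identity). It is not taken from Okta's documentation or from the provider's own examples. The oktapam resource and attribute names are as recalled from the okta/oktapam provider's registry documentation and should be checked against the provider version in use; the cluster key, labels, API URL, group name, and the `groups` claim name are made-up values, and the kubernetes provider configuration (endpoint and credentials) is assumed to exist elsewhere in the module.

```hcl
terraform {
  required_providers {
    oktapam    = { source = "okta/oktapam" }
    kubernetes = { source = "hashicorp/kubernetes" }
  }
}

# Register the cluster in Okta Privileged Access. The labels are what
# cluster-group selectors match on, so keep them to a small, agreed vocabulary.
resource "oktapam_kubernetes_cluster" "payments_prod" {
  key            = "payments-prod"   # made-up cluster key
  auth_mechanism = "OIDC_RSA2048"    # Okta Privileged Access issues OIDC tokens for this cluster
  labels = {
    env  = "prod"
    team = "payments"
  }
}

# Connection details so the sft client can discover the API endpoint and
# trust the cluster CA when it writes contexts into kubeconfig.
resource "oktapam_kubernetes_cluster_connection" "payments_prod" {
  cluster_id         = oktapam_kubernetes_cluster.payments_prod.id
  api_url            = "https://payments-prod.example.internal:6443"  # made-up endpoint
  public_certificate = file("${path.module}/payments-prod-ca.pem")    # cluster CA bundle (assumed path)
}

# Cluster group: members of the Okta Privileged Access group "payments-dev"
# may authenticate to every cluster whose labels satisfy the selector.
# Selector syntax is assumed to follow Kubernetes label-selector conventions.
resource "oktapam_kubernetes_cluster_group" "payments_dev_prod" {
  group_name       = "payments-dev"             # existing Okta Privileged Access group (assumed)
  cluster_selector = "team=payments,env=prod"
  claims = {
    groups = "payments-dev"   # value placed in the token's groups claim (claim name assumed)
  }
}

# Issuer URL the cluster operator passes to kube-apiserver, for example:
#   --oidc-issuer-url=<this output>
#   --oidc-client-id=<audience Okta Privileged Access puts in the token; take it from the setup instructions>
#   --oidc-username-claim=<claim carrying the user name; check the setup instructions>
#   --oidc-groups-claim=groups
output "payments_prod_oidc_issuer_url" {
  value = oktapam_kubernetes_cluster.payments_prod.oidc_issuer_url
}

# In-cluster authorization. Okta Privileged Access decides who can authenticate;
# what they may do is still Kubernetes RBAC. Bind the group to the built-in
# read-only ClusterRole rather than cluster-admin, and grant write access with
# namespaced RoleBindings where a team actually needs it.
resource "kubernetes_cluster_role_binding" "payments_dev_view" {
  metadata {
    name = "okta-payments-dev-view"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "view"
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "payments-dev"   # must match the groups claim value set on the cluster group
  }
}
```

Two things are worth checking after `terraform apply`: that the groups claim value in a token issued for a member of the group really matches the `subject.name` of the binding (a mismatch fails closed, so the user authenticates but gets `forbidden` on every request), and that removing a user from the Okta Privileged Access group is enough to stop new tokens being issued, since the RBAC binding itself stays in place and only names the group.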

Usage

The Okta Privileged Access Kubernetes access management feature provides the most value in the following scenarios:

Scenario: A team wants to deploy and troubleshoot applications hosted in Kubernetes clusters while complying with organizational security policies.
Description: Organizations can use Okta group memberships to determine which clusters each developer can access and what level of access is granted on each cluster. With the user lifecycle management features provided by Okta, organizations can assign and revoke access to the Kubernetes infrastructure in near real time.

Scenario: A team wants to give developers visibility into which Kubernetes clusters they can access, including clusters they have never accessed before, for example when onboarding a new developer or when a cluster is deployed in a new environment.
Description: The Okta Privileged Access client creates and manages contexts in developers' kubeconfig files, so developers can see every cluster available to them with familiar kubectl commands. This removes the need to manage kubeconfig files by hand or to consult internal wiki pages when a new cluster is onboarded.

Scenario: A team wants to reduce the work cluster operators spend supporting custom wrapper scripts and tools for developer access.
Description: Operators no longer need to manage cluster authentication tokens. Cluster discovery and access are handled through local kubeconfig files, and authentication is tied to the developer's Okta identity.

Scenario: A team wants a consistent end-user experience for authenticating to Kubernetes infrastructure, wherever clusters are deployed (cloud, hybrid, or on-premises).
Description: Developers no longer need multiple tools to access IaaS-managed Kubernetes offerings, or to switch between authentication methods for self-managed and IaaS-managed clusters. They get one consistent authentication experience based on their Okta identity.

Limitations

  • All administrative operations that configure Okta Privileged Access Kubernetes access management must be performed with Terraform using the OktaPAM Terraform provider.
  • The client updates the list of available clusters only when the user runs a command that requires authentication with their Okta account (sft login, sft k8s list-clusters, and so on).

Related topics

Configure Kubernetes access management

Kubernetes cluster connections