
Remote Kubernetes Sessions

Overview

Kubernetes environments introduce dynamic, short-lived workloads that are often accessed directly through cluster tooling rather than traditional host-based connections. This creates challenges for enforcing access controls, auditing activity, and securely handling authentication material used to access running containers.

The 12Port PAM platform provides secure, centralized remote session connectivity to Kubernetes containers by leveraging Kubernetes-native authentication and access mechanisms. Instead of granting direct access to Kubernetes credentials or cluster configuration files, users connect through managed PAM sessions that retrieve the required connection details from the Credential Vault at runtime.

By using PAM for Kubernetes connectivity, organizations can:

  • Centralize and protect Kubernetes authentication artifacts (API tokens, certificates, and keys)
  • Enforce role-based and (optionally) workflow-based access to namespaces, pods, and containers
  • Enable audited, policy-controlled interactive sessions to Kubernetes containers with full recording capabilities
  • Eliminate the need for local kubeconfig files or shared credentials on user workstations
  • Maintain full session traceability and event logging for compliance and troubleshooting

Remote access is established to individual Kubernetes containers running within pods and namespaces, using a Kubernetes asset as the authoritative source for connection and authentication details. This approach aligns Kubernetes access with the same privileged access workflows used for other infrastructure types, while preserving Kubernetes-native security boundaries.


Creating a Kubernetes Asset for Remote Connectivity

To enable secure remote connectivity to Kubernetes containers, you must create a Kubernetes asset that defines how the platform connects to the Kubernetes API and authenticates access. Some asset fields are required for session connectivity, while others are only required when using Kubernetes Discovery.

Asset Configuration

  1. Create a new asset using the Kubernetes asset type in the desired container.

    Note: The Kubernetes asset type is hidden by default and must be unhidden (Management > Asset Types) before it can be selected.

  2. Populate the asset fields as described below.

Connectivity Configuration

These fields are required to establish a remote session to a Kubernetes container.

  • Name: Enter a descriptive name for the Kubernetes asset.
  • Description: Optionally enter a description to provide additional context.
  • Host: Enter the hostname or IP address of the Kubernetes API server.
  • Port: Enter the port used to access the Kubernetes API server.
  • Namespace: Enter the name of the Kubernetes namespace containing the target pod. If omitted, the default namespace is used.
  • Pod: Enter the name of the Kubernetes pod containing the target container.
  • Container: Enter the name of the container to attach to. If omitted, the first container in the pod is used.
  • Command: Enter the command to execute within the container. Input and output will be attached to this command’s process. If omitted, no command is executed and input/output is attached to the container’s main process.

Authentication and Transport Security

These fields control how the platform authenticates to the Kubernetes API server and secures communication with it.

  • SSL: Enable to use SSL/TLS when connecting to the Kubernetes API server. By default, SSL/TLS is disabled.
  • Client Certificate: Specify the client certificate (PEM format) to use for SSL/TLS client authentication. If omitted, client certificate authentication is not performed.
  • Client Key: Specify the client key (PEM format) to use for SSL/TLS client authentication. If omitted, client certificate authentication is not performed.
  • CA Certificate: Specify the certificate authority certificate (PEM format) that signed the Kubernetes API server certificate. If omitted, system-wide trusted certificate authorities are used.
  • Trust Certificate: If enabled, SSL/TLS certificate validation errors from the Kubernetes API server are ignored. By default, server certificates are validated.

Discovery Configuration (Optional)

These fields are required only when using Kubernetes Discovery to discover or import Kubernetes objects.

  • Token: Specify the Kubernetes API token used for discovery and import operations.

  3. Click Save to create the Kubernetes asset.
  4. Use the Access button to validate connectivity and confirm that a session can be established successfully.


Security Considerations

  • API Token Protection
    Kubernetes API tokens grant access to cluster resources. Tokens stored in the Credential Vault should follow the principle of least privilege and be restricted to only the namespaces and operations required.
  • Certificate Validation
    Trust Certificate disables validation of the API server certificate and should be enabled only for testing or in tightly controlled environments. For production deployments, configure the proper certificate authority (CA Certificate) and keep full SSL/TLS validation enabled.
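The following script is an added example (not 12Port code) that ties the Connectivity, Transport Security and Security Considerations sections together. It assumes, which the page does not state, that a session attaches through the standard Kubernetes pods/exec subresource when Command is set and pods/attach when it is not; it builds the resulting API path from the asset fields, flags transport settings that weaken server or client authentication, and emits a namespace-scoped Role and RoleBinding that gives the vaulted token or certificate identity only the verbs discovery and sessions need. The helper names (session_endpoint, check_transport, least_privilege_rbac, audit_role), the host, pod and PEM values are all constructed placeholders.

```python
"""Companion checks for a PAM Kubernetes asset (added example, not 12Port code).

Assumptions the page does not state: sessions use the standard Kubernetes
pods/exec (when Command is set) and pods/attach (when it is not) subresources,
and the identity behind the token or client certificate is authorised by RBAC.
All sample values below are constructed placeholders.
"""
import shlex
from urllib.parse import urlencode

# Keys mirror the asset form fields on the page; values are constructed samples.
SAMPLE_ASSET = {
    "Name": "payments-api-shell",
    "Host": "k8s-api.example.internal",        # placeholder API server
    "Port": 6443,
    "Namespace": "payments",
    "Pod": "api-7d9c6b5f4-x2k9q",
    "Container": "api",
    "Command": "/bin/sh -l",
    "SSL": True,
    "Client Certificate": "-----BEGIN CERTIFICATE-----\n...placeholder...",
    "Client Key": "-----BEGIN PRIVATE KEY-----\n...placeholder...",
    "CA Certificate": "-----BEGIN CERTIFICATE-----\n...placeholder...",
    "Trust Certificate": False,
    "Token": "",                                # discovery only; not needed for sessions
}


def session_endpoint(asset):
    """API path a session for this asset attaches to, built from the Connectivity fields.

    Command set -> pods/exec with each argument as its own ``command`` parameter;
    Command empty -> pods/attach to the container's main process. Namespace and
    Container fall back exactly as the page describes (default / first container).
    """
    namespace = asset.get("Namespace") or "default"
    params = [("stdin", "true"), ("stdout", "true"), ("stderr", "true"), ("tty", "true")]
    if asset.get("Container"):
        params.append(("container", asset["Container"]))
    if asset.get("Command"):
        subresource = "exec"
        params.extend(("command", arg) for arg in shlex.split(asset["Command"]))
    else:
        subresource = "attach"
    return f"/api/v1/namespaces/{namespace}/pods/{asset['Pod']}/{subresource}?{urlencode(params)}"


def check_transport(asset):
    """Findings for the Authentication and Transport Security fields, worst first."""
    findings = []
    if not asset.get("SSL"):
        findings.append("HIGH: SSL disabled; API traffic and credentials cross the network in clear text")
    if asset.get("Trust Certificate"):
        findings.append("HIGH: Trust Certificate enabled; API server identity is not validated")
    if bool(asset.get("Client Certificate")) != bool(asset.get("Client Key")):
        findings.append("MEDIUM: Client Certificate and Client Key must both be set or client auth is skipped")
    if asset.get("SSL") and not asset.get("Trust Certificate") and not asset.get("CA Certificate"):
        findings.append("INFO: no CA Certificate; the API server cert must chain to the system trust store")
    return findings


def least_privilege_rbac(namespace, subject, allow_sessions=True):
    """Role and RoleBinding confining the vaulted identity to one namespace.

    Discovery needs only read access to pods; interactive sessions additionally
    need ``create`` on pods/exec and pods/attach. ``subject`` is an RBAC subject
    dict, e.g. {"kind": "ServiceAccount", "name": "pam-discovery", "namespace": namespace}.
    """
    rules = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]
    if allow_sessions:
        rules.append({"apiGroups": [""], "resources": ["pods/exec", "pods/attach"], "verbs": ["create"]})
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": "pam-kubernetes-session", "namespace": namespace},
            "rules": rules}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
               "metadata": {"name": "pam-kubernetes-session", "namespace": namespace},
               "subjects": [subject],
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                           "name": "pam-kubernetes-session"}}
    return role, binding


def audit_role(role):
    """Flag rules that exceed what a PAM session or discovery identity needs."""
    findings = []
    if role.get("kind") == "ClusterRole":
        findings.append("HIGH: ClusterRole grants access across every namespace")
    for rule in role.get("rules", []):
        if "*" in rule.get("resources", []) or "*" in rule.get("verbs", []):
            findings.append("HIGH: wildcard resource or verb in rule %r" % (rule,))
        if "secrets" in rule.get("resources", []):
            findings.append("HIGH: read access to secrets exposes other workloads' credentials")
        for verb in ("delete", "patch", "update"):
            if verb in rule.get("verbs", []) and "pods" in rule.get("resources", []):
                findings.append("MEDIUM: %s on pods is not needed for sessions or discovery" % verb)
    return findings


if __name__ == "__main__":
    print(session_endpoint(SAMPLE_ASSET))
    print(check_transport(SAMPLE_ASSET) or ["transport settings OK"])
    role, binding = least_privilege_rbac(
        "payments", {"kind": "ServiceAccount", "name": "pam-discovery", "namespace": "payments"})
    print(audit_role(role) or ["role is namespace-scoped and minimal"])
    print(audit_role({**role, "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}))
```

The Role and RoleBinding dicts can be written out as JSON and applied with kubectl; JSON is accepted anywhere YAML is. Bind the discovery token's service account (or, for certificate-based sessions, the client certificate's subject as a User) to this Role in each namespace the PAM platform needs, rather than to a ClusterRole, so a leaked token or key cannot reach workloads outside those namespaces.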

Kubernetes Discovery (Optional)

In addition to manual configuration, the platform supports Kubernetes Discovery for automatically identifying Kubernetes namespaces, pods, and containers and optionally importing them into the Credential Vault.

Kubernetes Discovery can be used to generate a structured asset hierarchy directly from a Kubernetes cluster, reducing manual onboarding effort and ensuring consistency between the Kubernetes environment and the vault. Discovered containers can then be used as targets for remote connectivity using the same session access mechanisms described on this page.

For details on configuration, discovery modes, and import behavior, see Kubernetes Discovery.