For the last few years, our customers have been using BastionZero for zero-trust access to their Kubernetes clusters. BastionZero allows you to take your Kubernetes API off the public internet, limiting the risk of unauthorized access or scans by attackers. (If you search shodan.io for Kubernetes clusters you’ll find almost 1.4 million clusters open to the Internet! Just take them off. Why do you want to worry about attackers probing them for CVEs?)
BastionZero also eliminates the headaches of setting up Certificate Authorities (CAs) or Personal Access Tokens (PATs) for administrative access to a cluster, and our audit logging features capture kubectl commands, API calls, and any other action your engineers take using kubectl exec, giving you better visibility and supporting initiatives around compliance and forensics.
To set up access to Kubernetes clusters, administrators use Helm or YAML to deploy a bzero agent as a Kubernetes deployment inside the cluster. That bzero agent then phones home to the BastionZero SaaS, so the Kubernetes API remains reachable even after it is taken off the public Internet. BastionZero instead puts it behind Single Sign-On (SSO), Multi-Factor Authentication (MFA) and policy-based access control. Meanwhile, BastionZero’s multi-root zero-trust security model protects your infrastructure even if your SSO provider is compromised.
Today, we’re broadly announcing the availability of a small and still very cool new feature for Kubernetes. To improve availability, we now support running multiple replicas of the bzero agent on a single cluster. That way, if a bzero agent is inadvertently removed from your cluster because a pod is evicted or the cluster is upgraded, one or more other bzero agents remain as backup to support uninterrupted access. For clusters with even more stringent availability requirements, you can easily configure our Helm chart so agent deployments require replicas to span Kubernetes availability zones using pod topology spread constraints.
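As an added illustration of what the Helm chart configures for you, here is a plain Kubernetes Deployment (not BastionZero's own chart or manifests) that runs two agent replicas and requires them to land in different availability zones; the namespace, labels and image name are placeholders, and the real image reference comes from the docs page.

```yaml
# Added example, not BastionZero's own manifest: two agent replicas forced
# into separate zones so that a single evicted pod or upgraded node never
# leaves the cluster unreachable through BastionZero.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: bzero-agent          # placeholder name
  namespace: bastionzero     # placeholder namespace
spec:
  replicas: 2                # a second agent stays connected if one pod is evicted
  selector:
    matchLabels:
      app: bzero-agent
  template:
    metadata:
      labels:
        app: bzero-agent
    spec:
      topologySpreadConstraints:
        - maxSkew: 1                               # zones may differ by at most one agent pod
          topologyKey: topology.kubernetes.io/zone # standard well-known zone label
          whenUnsatisfiable: DoNotSchedule         # fail loudly rather than silently co-locate
          labelSelector:
            matchLabels:
              app: bzero-agent
      containers:
        - name: bzero-agent
          image: PLACEHOLDER/bzero-agent:TAG       # substitute the Docker Hub image from the docs
```

After applying it, `kubectl get pods -l app=bzero-agent -o wide` shows the node each replica landed on, and `kubectl get nodes -L topology.kubernetes.io/zone` confirms those nodes sit in different zones; a pod stuck in Pending with a scheduling failure means the cluster has fewer labelled zones than the constraint demands.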
You can find our bzero agent for Kubernetes on Docker Hub and instructions for our multi-replica support on this docs page. You can also use this agent as a proxy for zero-trust access to databases with BastionZero. Get in touch with our sales team if you’d like to chat more about how this architecture could be helpful to improve the security of your Kubernetes deployments!