The Axiom Kubernetes Integration leverages the generation of Kubernetes service accounts, tokens, roles, and role bindings in order to provision access.
When a user access request is approved, Axiom will create a service account, a token and a role binding.
The user will then be able to use the generated service account token in order to authenticate into the cluster.
When the access expires, all of the created resources are automatically deleted.
Setup
Axiom connects to Kubernetes using its own service account.
Prerequisites:
Ensure you have kubectl installed and configured to communicate with your Kubernetes cluster.
Ensure you have admin access to your Kubernetes cluster to create service accounts and assign cluster-wide permissions.
To integrate your Kubernetes cluster with Axiom system, follow the steps below:
Step 1: Integration Setup
Navigate to Axiom console integration page to Add a new Kubernetes cluster and fill in the following details:
Alias: A unique name to represent your cluster.
API Server Endpoint: The Fully Qualified Domain Name (FQDN) or IP address of your Kubernetes API server.
Step 2: Deploying the Integration
Download and Deploy the YAML Configuration: Replace
<YOUR_NAMESPACE>with your desired namespace to deploy the downloaded YAML file and deploy it by running:kubectl apply -f axiom-integration-sa.yaml
Retrieve and Upload the Service Account Secret:
Execute the command provided to retrieve the ServiceAccount secret and upload it as instructed.kubectl get secret axiom-integration-secret -n <YOUR_NAMESPACE> -o jsonpath='{.data.token}' | base64 --decode > secret.txtUpload Cluster CA (Base64 encoded)
To obtain the PEM encoded CA certificate, for a native Kubernetes cluster, usekubectl config view --rawand findcertificate-authority-dataunder the cluster section.
For AWS EKS , runaws eks describe-cluster --name <ClusterName> --query 'cluster.certificateAuthority.data' --output text
Integration with Axiom Runner
When using an Axiom Runner, Ensure the secret manager connected to the runner has a matching secret under /axiom-security/kubernetes/{API Server Endpoint}.
Alias should match the alias that is used in Step 1: Integration Setup above
Secret Name:
axiom-security/k8s/<API Server Endpoint>
Secret Value:
Key/value
k8s_cluster_name = <Alias>
k8s_fqdn = <API Server Endpoint>
k8s_cert_secret = <Service Account Token>
k8s_cert_authority = <Cluster CA>
Example
{
"k8s_cluster_name": "<Alias>",
"k8s_fqdn": "<API Server Endpoint>",
"k8s_cert_secret": "<Service Account Token>",
"k8s_cert_authority": "<Cluster CA>"
}
Connect
Once an access request has been approved, a user will see his active Kubernetes access on his home page, and by clicking Connect, he can view the token and suggested connection options.
Option 1: Download and Set KUBECONFIG Environment Variable
Press the "Download kubeconfig" Button
Set KUBECONFIG Environment variable with
export KUBECONFIG=path/of/downloaded/kubeconfig
Option 2: Configure existing kubeconfig via CLI
Copy the content of the shown section and Run the commands in your terminal.
Should look like this:
# Step 1: Add the new cluster to the kubeconfig
kubectl config set-cluster $CLUSTER_NAME --server=$CLUSTER_SERVER_ADDRESS
# Step 2: Add the new user with the token
kubectl config set-credentials $USER_NAME --token=$TOKEN
# Step 3: Create a new context that links the cluster and the user
kubectl config set-context $CONTEXT_NAME --cluster=$CLUSTER_NAME --user=$USER_NAME
# Step 4: Set the newly created context as the current context
kubectl config use-context $CONTEXT_NAME
# Optional: Verify the current context
kubectl config current-context