Sign in Subscribe

Kubectl SSH Access Proxy: Simplify and Secure Cluster Access

Andrios Robert

3 min read

Direct access to Kubernetes clusters often opens up significant security risks and operational challenges. While SSH remains a popular way to manage resources, combining it with kubectl for secure cluster access demands a deliberate approach. Using a Kubectl SSH Access Proxy can help bridge the gap between strong security controls and developer efficiency.

This article breaks down the concept of a Kubectl SSH Access Proxy, its advantages, and how to implement it effectively.

What is a Kubectl SSH Access Proxy?

A Kubectl SSH Access Proxy is a mechanism that allows users to securely access Kubernetes cluster resources without needing direct access to the node or cluster network. It uses SSH as a controlled gateway while routing commands through kubectl, ensuring cluster access aligns with organizational security policies.

Why You Should Use a Kubectl SSH Access Proxy

While SSH is a familiar tool for managing and troubleshooting infrastructure, giving unrestricted SSH access to Kubernetes nodes can expose clusters to unintended consequences, such as unauthorized access, accidental configuration changes, or unsecure networks. On the other hand, a proxy-centric approach centralizes and secures communication, addressing these concerns.

Here are the key benefits:

  • Improved Security: Restrict direct SSH access to nodes, shielding the cluster from potential attacks while still allowing controlled operator actions.
  • Granular Access Control: Policies can regulate which users can perform specific operations, maintaining principle-of-least-privilege practices.
  • Logging and Auditing: Centralized proxies enable better monitoring of Kubernetes access, outputting logs for compliance and forensics.
  • Simplicity: Reduce operational overhead by avoiding traditional VPN dependencies or complex SSH configurations.

Steps to Set Up a Kubectl SSH Access Proxy

Here’s a high-level guide to implement a Kubectl SSH Access Proxy:

Step 1: Enable Kubernetes API Server Proxy

Kubernetes offers an API server proxy (or reverse proxy) that acts as a gateway for managing cluster resources. This feature forwards requests via the kubectl proxy command, ensuring all actions are routed through the API.

kubectl proxy --address='0.0.0.0' --accept-hosts='.*'

While extremely lightweight, this method isn't secure for production use unless paired with additional access controls and network boundaries.

Step 2: Configure an SSH Bastion Host

Create a dedicated SSH bastion host, positioned to mediate all cluster-level requests.

  1. Limit access to the bastion by IP and user role.
  2. Install kubectl in the bastion host and ensure kubeconfig is properly configured to access the API server.
  3. Use SSH tunnels to channel client connections through this host.

Example SSH tunneling setup:

ssh -L 8001:127.0.0.1:8001 bastion_host
kubectl --kubeconfig=/path/to/config

Step 3: Implement Role-Based Access Control (RBAC)

Pair the SSH proxy with Kubernetes RBAC policies to enforce fine-grained per-user or per-group access:

  • Define roles for cluster operations with specific permissions (e.g., read-only, namespace admin).
  • Bind roles to users or groups allowed to interface through the proxy.

Example:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
 namespace: default
 name: read-only-role
rules:
- apiGroups: [""]
 resources: ["pods"]
 verbs: ["get", "list"]

Step 4: Use Access Logs and Monitoring

Ensure the proxy setup includes logging to track all access attempts and requests made through SSH and kubectl. Integrated monitoring tools, such as Fluentd or ELK stack, can help centralize these logs.

Common Pitfalls

  • Falling Back on Direct Node Access: Avoid sidestepping the proxy during emergencies; establish emergency-only automated procedures instead.
  • Excessive Permissions: Review RBAC policies regularly to avoid exposing sensitive data or system-level controls.
  • Unencrypted Proxy Connections: Always enforce TLS encryption to secure data in transit.
  • Manual SSH Key Management: Use centralized key or identity management tools (e.g., AWS IAM Authenticator, Google Workload Identity, or boundary tools).

Make it Easy with hoop.dev

Building and managing your Kubectl SSH Access Proxy setup can quickly become a balancing act between security and developer experience. With hoop.dev, you can remove the complexity of creating secure and seamless Kubernetes cluster access in minutes.

Skip fiddling with bastion hosts and manual configurations. See it live—hoop.dev delivers secure, proxy-based access with just a few clicks. Experiment freely while knowing critical risks are handled automatically. Check it out today!