How to Securely Manage Kubernetes using kubectl

Securely manage a K8s cluster using kubectl

Use case: You’d like to use Twingate to manage services on a K8s cluster with kubectl without exposing the cluster’s API endpoint (the API server address) to the public Internet.

  • Deploy Connector(s) outside the target K8s cluster. This Connector will be used to secure access to your cluster’s API endpoint. The only requirement is that the Connector must have network access to the API endpoint. Neither the Connector nor the API endpoint needs to accept inbound connections from the public Internet; the Connector only makes outbound connections to Twingate.
  • Create a new Twingate Resource with the cluster’s API endpoint address (e.g. 10.1.1.15). This allows kubectl to reach the API endpoint while connected to Twingate, and only for users and groups you grant access to the Resource.
  • On your local machine where you are using kubectl, modify your kubectl configuration to connect to the API endpoint address you configured in the previous step. Although this address is not directly routable from your local machine, while you are connected to Twingate the Client automatically proxies traffic for that address through the Connector you deployed in the first step.
# Example kubectl config command
# 10.1.1.15 is an example private K8s API endpoint defined as a Resource in Twingate.
# The API server's TLS certificate must be valid for the address you put in --server
# (or pass --tls-server-name with a name that the certificate does cover); do not
# work around a mismatch with --insecure-skip-tls-verify.
kubectl config set-cluster example-cluster --server=https://10.1.1.15

As long as you are connected to Twingate and you are authorized to access the K8s cluster’s API endpoint Resource, you will be able to use kubectl to manage your K8s cluster without setting up a separate K8s proxy. Twingate controls who can reach the API endpoint at the network level; Kubernetes authentication and RBAC still apply, so your kubeconfig still needs valid (and least-privileged) credentials for the cluster.
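The following script is an added example, not part of the Twingate documentation or Twingate's own tooling. It assembles the full kubeconfig for the procedure above (cluster, credentials, context) with the CA pinned and `--tls-server-name` set, and adds a small audit function that flags the mistakes people make when pointing kubectl at a private address: a plaintext `http://` server, a server that is not the Twingate Resource address, a missing CA, or `insecure-skip-tls-verify: true`. The Resource address 10.1.1.15 comes from the page; the certificate name `kubernetes.example.internal`, the CA path `./ca.crt`, the `K8S_TOKEN` variable and the sample kubeconfigs it audits are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not Twingate's code): configure kubectl for a private API endpoint
# reached through Twingate, then audit the resulting kubeconfig.
# Assumptions (not from the page): the API server certificate carries the SAN
# "kubernetes.example.internal", the cluster CA bundle is at ./ca.crt and the
# bearer token is exported as K8S_TOKEN.
set -eu

API_ENDPOINT="10.1.1.15"                        # private address defined as a Twingate Resource
TLS_SERVER_NAME="kubernetes.example.internal"   # name in the API server certificate (assumed)
CLUSTER="example-cluster"
CONTEXT="example-cluster-twingate"

# Build the kubeconfig with kubectl. Run this while connected to Twingate with a
# Resource grant for 10.1.1.15. The embedded CA pins the server certificate and
# --tls-server-name lets kubectl verify that certificate although it dials a bare
# IP, so --insecure-skip-tls-verify is never needed. Not invoked below because it
# needs kubectl and a real cluster.
configure_kubeconfig() {
  kubeconfig="$1"
  kubectl --kubeconfig "$kubeconfig" config set-cluster "$CLUSTER" \
    --server="https://${API_ENDPOINT}" \
    --certificate-authority=./ca.crt --embed-certs=true \
    --tls-server-name="$TLS_SERVER_NAME"
  kubectl --kubeconfig "$kubeconfig" config set-credentials "${CLUSTER}-user" \
    --token="$K8S_TOKEN"
  kubectl --kubeconfig "$kubeconfig" config set-context "$CONTEXT" \
    --cluster="$CLUSTER" --user="${CLUSTER}-user"
  kubectl --kubeconfig "$kubeconfig" config use-context "$CONTEXT"
}

# Audit a kubeconfig file. Returns 0 only if it talks https to the Resource
# address, has no plaintext server, configures a CA, and never disables TLS
# verification. Plain sh + grep, so it runs without kubectl installed.
check_kubeconfig() {
  f="$1"
  if ! grep -Fq "server: https://${API_ENDPOINT}" "$f"; then
    echo "FAIL $f: server is not https://${API_ENDPOINT}" >&2; return 1
  fi
  if grep -q 'server: http://' "$f"; then
    echo "FAIL $f: plaintext http:// server entry" >&2; return 1
  fi
  if grep -q 'insecure-skip-tls-verify: true' "$f"; then
    echo "FAIL $f: TLS verification is disabled" >&2; return 1
  fi
  if ! grep -Eq 'certificate-authority(-data)?:' "$f"; then
    echo "FAIL $f: no certificate authority configured" >&2; return 1
  fi
  echo "OK $f" >&2
}

# Write a constructed kubeconfig of the given shape ("good", "public",
# "insecure") to a temp file and print its path. These are hand-written
# samples mirroring what configure_kubeconfig would produce; the CA data is a
# base64 placeholder, not a real certificate.
write_sample() {
  f=$(mktemp)
  ca="    certificate-authority-data: Q0EtUExBQ0VIT0xERVI="
  case "$1" in
    good)     server="https://${API_ENDPOINT}"; extra="$ca" ;;
    public)   server="https://203.0.113.10";   extra="$ca" ;;   # wrong: a public address
    insecure) server="https://${API_ENDPOINT}"; extra="    insecure-skip-tls-verify: true" ;;
    *) echo "unknown sample kind: $1" >&2; return 1 ;;
  esac
  cat >"$f" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${CLUSTER}
  cluster:
    server: ${server}
    tls-server-name: ${TLS_SERVER_NAME}
${extra}
users:
- name: ${CLUSTER}-user
  user:
    token: REDACTED
contexts:
- name: ${CONTEXT}
  context:
    cluster: ${CLUSTER}
    user: ${CLUSTER}-user
current-context: ${CONTEXT}
EOF
  echo "$f"
}

# Demo: the correctly built kubeconfig passes, the one that skips TLS verification fails.
check_kubeconfig "$(write_sample good)"
if check_kubeconfig "$(write_sample insecure)"; then
  echo "audit should have rejected the insecure sample" >&2; exit 1
fi
```

Run `check_kubeconfig ~/.kube/config` against your own file after the `kubectl config` steps; the `--tls-server-name` approach is what keeps the check honest, because without it the only way to make kubectl accept a certificate that lacks the Resource IP is to disable verification.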

Last updated 5 months ago