Kubernetes
Configuring the Veza integration for Kubernetes
Overview
The Veza integration for Kubernetes enables gathering information about the RBAC roles existing in a cluster, and who has permissions on Kubernetes services and resources.
The integration supports self-hosted deployments and managed Kubernetes services. If you've also integrated Microsoft Azure or Amazon Web Services with Veza, the Kubernetes integration can show authorization relationships connecting users and Kubernetes services, clusters, and roles.
For example, for AWS EKS, the integration provides visibility into:
K8s Clusters in EKS services
Service-linked roles for EKS
AWS IAM Users and Roles with access to K8s clusters
Paths connecting IAM User → AWS IAM Role → AWS EKS Services → K8s RBAC → K8s Clusters
See Notes and Supported Entities for more details.
Configuring Kubernetes
You must install an Insight Point within the cluster to enable a secure connection and collect Kubernetes RBAC metadata. Follow the instructions in Insight Point (Helm Chart Installation) to get a Veza-provided OCI image.
Configuring Kubernetes on the Veza Platform
In Veza, open the Integrations page.
Click Add Integration and pick Kubernetes as the type of integration to add.
Enter the required information and Save the configuration.
Field | Notes |
---|---|
Insight Point | Pick the Insight Point deployed in the cluster. |
Name | A friendly name to identify the unique integration. |
Platform | Choose a supported provider, or use the generic Kubernetes integration. |
Generic Kubernetes Deployment
To integrate with a cluster that is not managed in EKS, AKS, or GKE, enter the:
Cluster ID: the unique identifier of the Kubernetes cluster to discover, containing the specified Insight Point. The exact format can vary depending on the environment where the Kubernetes cluster is deployed, e.g. us-east-onprem-cluster.
AWS Elastic Kubernetes Service (EKS)
To integrate with Kubernetes on EKS, enter the:
Cluster ID: ARN of the EKS cluster, e.g. arn:aws:eks:us-east-1:123456789012:cluster/my-eks-cluster
Tenant ID: ID of the parent AWS account, e.g. 123456789012
Microsoft Azure Kubernetes Service (AKS)
To integrate with Kubernetes on AKS, enter the:
Cluster Name: Human-readable name of the cluster in Azure, e.g. example-cluster
Tenant ID: ID of the parent Azure tenant. This is an Azure Directory ID in the format 12345678-9abc-def0-1234-56789abcdef0
Subscription ID: Globally unique identifier assigned to the parent Azure subscription, e.g. 12345678-9abc-def0-1234-56789abcdef0
Resource Group: Name of the logical container in which the cluster is located, e.g. myResourceGroup.
Google Kubernetes Engine (GKE)
To integrate with Kubernetes on GKE, enter the:
Project ID: Unique identifier for the Google Cloud Project, e.g. project-id
Location: Geographic area of the GKE Service, e.g. us-central1
Cluster Name: Name of the cluster to discover, e.g. gke-cluster-name
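The identifier formats listed for each platform are easy to mistype, and a wrong Cluster ID or Tenant ID only surfaces later as a failed extraction. The following script, added here as an example rather than code from Veza, pre-checks an integration's field values before they are entered in the form. It assumes the field names and sample values shown above; the EKS ARN grammar, GUID shape, GCP project-ID rules and GKE region/zone pattern are written from the public conventions of those platforms, and the check that Tenant ID equals the account in the EKS ARN is an assumption based on the ARN format rather than something the page states.

```python
import re
from typing import Dict, List, Optional

# Constructed patterns for the identifier formats shown in the field lists above.
EKS_ARN_RE = re.compile(
    r"^arn:aws:eks:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):cluster/(?P<name>[A-Za-z0-9][A-Za-z0-9_-]*)$"
)
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
# GCP region (us-central1) or zone (us-central1-a); approximation of Google's naming.
GKE_LOCATION_RE = re.compile(r"^[a-z]+-[a-z]+\d(?:-[a-z])?$")
# GCP project IDs: 6-30 lowercase letters, digits or hyphens, starting with a letter.
GCP_PROJECT_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def parse_eks_cluster_arn(arn: str) -> Optional[Dict[str, str]]:
    """Split an EKS cluster ARN into region, account and cluster name, or None."""
    m = EKS_ARN_RE.match(arn)
    return m.groupdict() if m else None


def validate_integration_config(platform: str, fields: Dict[str, str]) -> List[str]:
    """Return a list of problems with the field values for the chosen platform.

    `platform` is one of "EKS", "AKS", "GKE" or "Generic" (hypothetical labels,
    matching the Platform choices described on this page); `fields` maps the
    form field names used above to the values the operator intends to enter.
    """
    errors: List[str] = []

    def require(name: str) -> bool:
        if not fields.get(name, "").strip():
            errors.append(f"{name} is required")
            return False
        return True

    if platform == "EKS":
        if require("Cluster ID") and require("Tenant ID"):
            parsed = parse_eks_cluster_arn(fields["Cluster ID"])
            if parsed is None:
                errors.append("Cluster ID must be an EKS cluster ARN (arn:aws:eks:<region>:<account>:cluster/<name>)")
            elif parsed["account"] != fields["Tenant ID"]:
                # Assumption: the parent account named in Tenant ID owns the cluster in the ARN.
                errors.append("Tenant ID does not match the account ID in the Cluster ID ARN")
    elif platform == "AKS":
        for name in ("Cluster Name", "Resource Group"):
            require(name)
        for name in ("Tenant ID", "Subscription ID"):
            if require(name) and not GUID_RE.match(fields[name]):
                errors.append(f"{name} must be a GUID (8-4-4-4-12 hex digits)")
    elif platform == "GKE":
        if require("Project ID") and not GCP_PROJECT_RE.match(fields["Project ID"]):
            errors.append("Project ID must be 6-30 lowercase letters, digits or hyphens, starting with a letter")
        if require("Location") and not GKE_LOCATION_RE.match(fields["Location"]):
            errors.append("Location must be a GCP region (us-central1) or zone (us-central1-a)")
        require("Cluster Name")
    elif platform == "Generic":
        require("Cluster ID")
    else:
        errors.append(f"Unknown platform {platform!r}")
    return errors


if __name__ == "__main__":
    # Constructed sample: the EKS values from the field list above.
    sample = {"Cluster ID": "arn:aws:eks:us-east-1:123456789012:cluster/my-eks-cluster",
              "Tenant ID": "123456789012"}
    print(validate_integration_config("EKS", sample) or "EKS configuration looks well-formed")
```

Run it against the values you plan to enter; an empty list means the identifiers are at least well-formed, not that the Insight Point can reach the cluster.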
Notes and Supported Entities
Kubernetes Cluster
Kubernetes clusters contain groups of nodes that work together to run containerized applications and services.
Attribute | Description |
---|---|
Platform Tenant ID | Tenant ID for managed clusters. |
AWS Account ID | Identifies the AWS account (optional). |
Kubernetes Group
Attribute | Description |
---|---|
Associated Role Bindings | Associated with multiple role bindings. |
Kubernetes Role
Roles represent permissions granted to a user or a group of users within a specific namespace. A cluster role is a set of permissions that can be granted to a user or a group of users within the entire cluster.
Attribute | Description |
---|---|
Is Cluster Wide | Indicates if role is cluster-wide. |
Namespace | Specifies the namespace (optional). |
Kubernetes Role Binding
A Role Binding connects a Role (or a ClusterRole) to a user, a group of users or a service account within a specific namespace. Cluster Role Bindings connect a ClusterRole to a user, a group of users or a service account within the entire cluster.
Attribute | Description |
---|---|
Is Cluster Wide | Indicates if role binding is cluster-wide. |
Kubernetes Service Account
An identity used by applications running in the Kubernetes cluster to authenticate and interact with the Kubernetes API server.
Attribute | Description |
---|---|
Namespace | Specifies the namespace (optional). |
Kubernetes User
A local identity used to authenticate and interact with a cluster. Assigned roles allow users to perform specific actions within namespaces or across the entire cluster.
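The entity descriptions above (Role and ClusterRole, Role Binding and Cluster Role Binding with their Is Cluster Wide and Namespace attributes, and Group, User and Service Account subjects) are the raw material of the authorization paths the integration reports. The following script is an added example, not Veza's collector code, that resolves the same relationships locally from RBAC objects in the shape `kubectl get ... -o json` returns, so you can reason about who can do what in a namespace before comparing with what the integration shows. The manifests are constructed sample data; `resolve_grants`, `who_can` and the `Grant` record are hypothetical names. It also handles the case the page's description implies but does not spell out: a Role Binding that references a ClusterRole grants that ClusterRole's rules only inside the binding's namespace.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample RBAC objects (not from a real cluster).
ROLES: List[dict] = [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-admin"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
]
BINDINGS: List[dict] = [
    {"kind": "RoleBinding", "metadata": {"name": "rb-dev-readers", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    # RoleBinding -> ClusterRole: cluster-level rules, but scoped to the "prod" namespace.
    {"kind": "RoleBinding", "metadata": {"name": "rb-prod-secrets", "namespace": "prod"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "crb-secret-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]


@dataclass(frozen=True)
class Grant:
    """One effective permission, mirroring the attributes in the entity tables above."""
    subject: str              # "User:alice", "Group:developers", "ServiceAccount:ci/deployer"
    role: str                 # "ClusterRole/secret-admin"
    resource: str
    verb: str
    namespace: Optional[str]  # None when the grant applies cluster-wide
    cluster_wide: bool        # the binding's "Is Cluster Wide" attribute


def subject_key(subject: dict) -> str:
    """Service accounts are namespaced; users and groups are not."""
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subject.get('namespace', 'default')}/{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def resolve_grants(roles: Iterable[dict], bindings: Iterable[dict]) -> Set[Grant]:
    """Expand every binding into the concrete (subject, resource, verb, scope) grants."""
    index: Dict[Tuple[str, Optional[str], str], dict] = {}
    for r in roles:
        ns = r["metadata"].get("namespace") if r["kind"] == "Role" else None
        index[(r["kind"], ns, r["metadata"]["name"])] = r

    grants: Set[Grant] = set()
    for b in bindings:
        ref = b["roleRef"]
        cluster_wide = b["kind"] == "ClusterRoleBinding"
        if cluster_wide and ref["kind"] != "ClusterRole":
            continue  # the API server rejects this combination; skip defensively
        binding_ns = None if cluster_wide else b["metadata"]["namespace"]
        # A Role is looked up in the binding's namespace; a ClusterRole has no namespace.
        lookup_ns = binding_ns if ref["kind"] == "Role" else None
        role = index.get((ref["kind"], lookup_ns, ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        for s in b.get("subjects", []):
            for rule in role.get("rules", []):
                for resource in rule.get("resources", []):
                    for verb in rule.get("verbs", []):
                        grants.add(Grant(subject_key(s), f"{ref['kind']}/{ref['name']}",
                                         resource, verb, binding_ns, cluster_wide))
    return grants


def who_can(grants: Set[Grant], verb: str, resource: str, namespace: str) -> Set[str]:
    """Subjects allowed to perform `verb` on `resource` in `namespace`; "*" matches anything."""
    allowed: Set[str] = set()
    for g in grants:
        if g.resource not in (resource, "*") or g.verb not in (verb, "*"):
            continue
        if g.cluster_wide or g.namespace == namespace:
            allowed.add(g.subject)
    return allowed


if __name__ == "__main__":
    all_grants = resolve_grants(ROLES, BINDINGS)
    for ns in ("dev", "prod"):
        print(ns, "secrets/get:", sorted(who_can(all_grants, "get", "secrets", ns)))
```

Note that `alice` appears in every namespace because her binding is cluster-wide, while the `deployer` service account reaches secrets only in `prod` even though the ClusterRole it is bound to is not namespaced; that distinction is exactly what the Is Cluster Wide attribute on the Role Binding entity records.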