Kubernetes

Configuring the Veza integration for Kubernetes

Overview

The Veza integration for Kubernetes collects the RBAC roles and bindings defined in a cluster and shows which identities (users, groups and service accounts) have permissions on Kubernetes services and resources.

The integration supports self-hosted deployments and managed Kubernetes services. If you've also integrated Microsoft Azure or Amazon Web Services with Veza, the Kubernetes integration can show authorization relationships connecting users and Kubernetes services, clusters, and roles.

For example, for AWS EKS, the integration provides visibility into:

  • K8s Clusters in EKS services

  • Service-linked roles for EKS

  • AWS IAM Users and Roles with access to K8s clusters

  • Paths connecting IAM User → AWS IAM Role → AWS EKS Services → K8s RBAC → K8s Clusters

See Notes and Supported Entities for more details.

Configuring Kubernetes

You must install an Insight Point within the cluster to enable a secure connection and collect Kubernetes RBAC metadata. Follow the instructions in Insight Point (Helm Chart Installation) to get a Veza-provided OCI image.

Configuring Kubernetes on the Veza Platform

  1. In Veza, open the Integrations page.

  2. Click Add Integration and pick Kubernetes as the type of integration to add.

  3. Enter the required information and Save the configuration.

Field / Notes

Insight Point

Pick the Insight Point deployed in the cluster.

Name

A friendly name to identify the unique integration.

Platform

Choose a supported provider, or use the generic Kubernetes integration.

Generic Kubernetes Deployment

To integrate with a cluster that is not managed in EKS, AKS, or GKE, enter the:

  • Cluster ID: the unique identifier of the Kubernetes cluster to discover (the cluster in which the selected Insight Point is deployed). The exact format depends on the environment where the cluster is deployed, e.g. us-east-onprem-cluster.

AWS Elastic Kubernetes Service (EKS)

To integrate with Kubernetes on EKS, enter the:

  • Cluster ID: ARN of the EKS cluster, e.g. arn:aws:eks:us-east-1:123456789012:cluster/my-eks-cluster

  • Tenant ID: ID of the parent AWS account, e.g. 123456789012

Microsoft Azure Kubernetes Service (AKS)

To integrate with Kubernetes on AKS, enter the:

  • Cluster Name: Human-readable name of the AKS cluster in Azure, e.g. example-cluster

  • Tenant ID: ID of the parent Azure tenant. This is an Azure Directory ID in the format 12345678-9abc-def0-1234-56789abcdef0

  • Subscription ID: Globally unique identifier assigned to the parent Azure subscription, e.g. 12345678-9abc-def0-1234-56789abcdef0

  • Resource Group: Name of the Azure resource group in which the cluster is located, e.g. myResourceGroup.

Google Kubernetes Engine (GKE)

To integrate with Kubernetes on GKE, enter the:

  • Project ID: Unique identifier for the Google Cloud Project, e.g. project-id

  • Location: Region or zone in which the GKE cluster runs, e.g. us-central1

  • Cluster Name: Name of the cluster to discover, e.g. gke-cluster-name

Notes and Supported Entities

Kubernetes Cluster

Kubernetes clusters contain groups of nodes that work together to run containerized applications and services.

Attribute / Description

Platform Tenant ID

Tenant ID for managed clusters.

AWS Account ID

Identifies the AWS account (optional).

Kubernetes Group

Attribute / Description

Associated Role Bindings

A group can be the subject of multiple role bindings and cluster role bindings; its effective permissions are the union of the roles those bindings reference.

Kubernetes Role

A Role is a set of permissions scoped to a specific namespace. A ClusterRole is a set of permissions defined cluster-wide; it can be bound across the entire cluster, or bound within a single namespace through a Role Binding.

Attribute / Description

Is Cluster Wide

Indicates if role is cluster-wide.

Namespace

Specifies the namespace (optional).

Kubernetes Role Binding

A Role Binding connects a Role (or a ClusterRole) to a user, a group of users or a service account within a specific namespace; when a Role Binding references a ClusterRole, the permissions apply only in the binding's namespace. Cluster Role Bindings connect a ClusterRole to a user, a group of users or a service account across the entire cluster.

Attribute / Description

Is Cluster Wide

Indicates if role binding is cluster-wide.

Kubernetes Service Account

An identity used by applications running in the Kubernetes cluster to authenticate and interact with the Kubernetes API server.

Attribute / Description

Namespace

Specifies the namespace (optional).

Kubernetes User

An identity presented to the API server by a person or external system, for example through a client certificate or a cloud-provider or OIDC token. Kubernetes stores no user objects; a user exists only as the subject of role bindings, and the roles bound to it determine which actions it can perform within namespaces or across the entire cluster.
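The following is an added example and not Veza's or the Insight Point's own code. It shows how the entities described in this section combine into effective permissions, and how the EKS path from the overview (IAM Role → Kubernetes RBAC) is realised: on EKS, the kube-system/aws-auth ConfigMap maps IAM role ARNs to Kubernetes usernames and groups, and those groups are then subjects of Role Bindings and Cluster Role Bindings (newer EKS clusters can use access entries instead of aws-auth; that path is not modelled here). All input below is constructed inline: the mapRoles entries, the Roles, and the Bindings are sample objects in the shape of `kubectl get ... -o json` output, and the ARNs, names and namespaces are invented.

```python
"""Resolve effective Kubernetes RBAC grants and the EKS IAM path leading to them.

Added illustration, not Veza code. Inputs are constructed samples.
"""
from dataclasses import dataclass

# Constructed: mapRoles entries from the kube-system/aws-auth ConfigMap (EKS).
AWS_AUTH_MAP_ROLES = [
    {"rolearn": "arn:aws:iam::123456789012:role/eks-admins",
     "username": "admin:{{SessionName}}", "groups": ["system:masters"]},
    {"rolearn": "arn:aws:iam::123456789012:role/eks-developers",
     "username": "dev:{{SessionName}}", "groups": ["dev-team"]},
]

# Constructed: RBAC objects (subset of `kubectl get roles,clusterroles -o json`).
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]
BINDINGS = [
    # The default binding every cluster ships with: system:masters -> cluster-admin.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-pods", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "dev-team"}]},
    # A RoleBinding may reference a ClusterRole; the grant is then limited to the
    # binding's namespace, not the whole cluster.
    {"kind": "RoleBinding", "metadata": {"name": "ci-secrets", "namespace": "payments"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
]


@dataclass(frozen=True)
class Grant:
    subject: str    # "Group/dev-team", "User/alice", "ServiceAccount/<ns>/<name>"
    role: str       # "ClusterRole/<name>" or "Role/<ns>/<name>"
    scope: str      # "*" when cluster-wide, otherwise the namespace
    verbs: tuple
    resources: tuple


def subject_key(s):
    if s["kind"] == "ServiceAccount":
        return f"ServiceAccount/{s.get('namespace', 'default')}/{s['name']}"
    return f"{s['kind']}/{s['name']}"


def resolve_grants(roles, bindings):
    """Join each binding to the role it references and expand its rules per subject."""
    idx = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r
           for r in roles}
    grants = []
    for b in bindings:
        ref, bns = b["roleRef"], b["metadata"].get("namespace")
        # A referenced Role must live in the binding's namespace; ClusterRoles have none.
        role = idx.get((ref["kind"], None if ref["kind"] == "ClusterRole" else bns,
                        ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing until the role is created
        scope = "*" if b["kind"] == "ClusterRoleBinding" else bns
        label = (f"ClusterRole/{ref['name']}" if ref["kind"] == "ClusterRole"
                 else f"Role/{bns}/{ref['name']}")
        for s in b.get("subjects", []):
            for rule in role["rules"]:
                grants.append(Grant(subject_key(s), label, scope,
                                    tuple(rule["verbs"]), tuple(rule["resources"])))
    return grants


def iam_paths(map_roles, grants):
    """IAM Role -> K8s group -> bound role, i.e. the EKS path from the overview."""
    return [(m["rolearn"], g, gr.role, gr.scope)
            for m in map_roles for g in m.get("groups", [])
            for gr in grants if gr.subject == f"Group/{g}"]


def can(grants, subject, verb, resource, namespace):
    """Simplified check: ignores apiGroups, resourceNames and nonResourceURLs."""
    return any(g.subject == subject and g.scope in ("*", namespace)
               and (verb in g.verbs or "*" in g.verbs)
               and (resource in g.resources or "*" in g.resources)
               for g in grants)


if __name__ == "__main__":
    grants = resolve_grants(ROLES, BINDINGS)
    for path in iam_paths(AWS_AUTH_MAP_ROLES, grants):
        print(" -> ".join(path))
```

The namespace-scoping of a Role Binding that references a ClusterRole is the case most often misread in reviews: `ci-runner` above can read secrets in `payments` only, not cluster-wide, even though `secret-reader` is a ClusterRole. Any IAM principal that can assume `eks-admins` reaches `cluster-admin` through the `system:masters` group, which is why the aws-auth mapping deserves the same review as the bindings themselves.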
