# Kubernetes

### Overview

The Veza integration for Kubernetes enables gathering information about the RBAC roles existing in a cluster, and who has permissions on Kubernetes services and resources.

The integration supports self-hosted deployments and managed Kubernetes services. If you've also integrated Microsoft Azure or Amazon Web Services with Veza, the Kubernetes integration can show authorization relationships connecting users and Kubernetes services, clusters, and roles.

For example, for AWS EKS, the integration provides visibility into:

* K8s Clusters in EKS services
* Service-linked roles for EKS
* AWS IAM Users and Roles with access to K8s clusters
* Paths connecting IAM User → AWS IAM Role → AWS EKS Services → K8s RBAC → K8s Clusters

See [Notes and Supported Entities](#notes-and-supported-entities) for more details.

### Configuring Kubernetes

You must install an Insight Point within the cluster to enable a secure connection and collect Kubernetes RBAC metadata. Follow the instructions in [Insight Point (Helm Chart Installation)](/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point/insight-point-kubernetes.md) to get a Veza-provided OCI image.

### Configuring Kubernetes on the Veza Platform

1. In Veza, open the **Integrations** page.
2. Click *Add Integration* and pick Kubernetes as the type of integration to add.
3. Enter the required information and *Save* the configuration.

| Field         | Notes                                                                   |
| ------------- | ----------------------------------------------------------------------- |
| Insight Point | Pick the Insight Point deployed in the cluster.                         |
| Name          | A friendly name to identify the unique integration.                     |
| Platform      | Choose a supported provider, or use the generic Kubernetes integration. |

#### Generic Kubernetes Deployment

To integrate with a cluster that is not managed in EKS, AKS, or GKE, enter the:

* Cluster ID: the unique identifier of the Kubernetes cluster to discover, containing the specified [Insight Point](/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point/insight-point-kubernetes.md). The exact format can vary depending on the environment where the Kubernetes cluster is deployed, e.g. `us-east-onprem-cluster`.

#### AWS Elastic Kubernetes Service (EKS)

To integrate with Kubernetes on EKS, enter the:

* Cluster ID: ARN of the EKS cluster. Veza supports standard AWS, AWS China, and AWS GovCloud ARN formats:
  * Standard: `arn:aws:eks:us-east-1:123456789012:cluster/my-eks-cluster`
  * China: `arn:aws-cn:eks:cn-north-1:123456789012:cluster/my-eks-cluster`
  * GovCloud: `arn:aws-us-gov:eks:us-gov-west-1:123456789012:cluster/my-eks-cluster`
* Tenant ID: ID of the parent AWS account, e.g. `123456789012`
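
The Cluster ID and Tenant ID fields above must describe the same account. The following is an added example (not Veza's code) that parses the three documented ARN partitions and checks that the Tenant ID matches the account in the ARN and that the region belongs to the stated partition; the region and cluster-name patterns are assumptions based on AWS naming rules, and the sample values are constructed.

```python
import re

# Matches the three ARN partitions this page documents (aws, aws-cn, aws-us-gov).
# Region and cluster-name sub-patterns are assumptions based on AWS naming rules.
EKS_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov)"
    r":eks:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"
    r":(?P<account>\d{12})"
    r":cluster/(?P<name>[A-Za-z0-9][A-Za-z0-9_-]{0,99})$"
)


def parse_eks_cluster_arn(arn):
    """Split an EKS cluster ARN into partition, region, account and cluster name."""
    match = EKS_ARN_RE.match(arn.strip())
    if not match:
        raise ValueError("not a valid EKS cluster ARN: %r" % arn)
    return match.groupdict()


def expected_partition(region):
    """The partition an AWS region belongs to, derived from its prefix."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def validate_eks_config(cluster_id, tenant_id):
    """Return a list of problems with a Cluster ID / Tenant ID pair; empty means consistent."""
    try:
        parts = parse_eks_cluster_arn(cluster_id)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not re.fullmatch(r"\d{12}", tenant_id):
        problems.append("Tenant ID must be a 12-digit AWS account ID, got %r" % tenant_id)
    elif parts["account"] != tenant_id:
        problems.append("Tenant ID %s does not match account %s in the cluster ARN"
                        % (tenant_id, parts["account"]))
    wanted = expected_partition(parts["region"])
    if parts["partition"] != wanted:
        problems.append("region %s belongs to partition %s, but the ARN uses %s"
                        % (parts["region"], wanted, parts["partition"]))
    return problems


if __name__ == "__main__":
    # Constructed sample values; the account ID is the placeholder used on this page.
    for arn, tenant in [
        ("arn:aws:eks:us-east-1:123456789012:cluster/my-eks-cluster", "123456789012"),
        ("arn:aws-us-gov:eks:us-gov-west-1:123456789012:cluster/my-eks-cluster", "123456789012"),
        ("arn:aws:eks:us-east-1:123456789012:cluster/my-eks-cluster", "210987654321"),
    ]:
        print(arn, "->", validate_eks_config(arn, tenant) or "OK")
```

A mismatch between the two fields is the most common reason an EKS integration is saved but never links the cluster to the right AWS account graph, so running this check before saving the configuration is cheaper than debugging an empty result later.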

#### Microsoft Azure Kubernetes Service (AKS)

To integrate with Kubernetes on AKS, enter the:

* Cluster Name: Human-readable name of the AKS cluster, e.g. `example-cluster`
* Tenant ID: ID of the parent Azure tenant. This is an Azure directory (tenant) ID in the format `12345678-9abc-def0-1234-56789abcdef0`
* Subscription ID: Globally unique identifier assigned to the parent Azure subscription, e.g. `12345678-9abc-def0-1234-56789abcdef0`
* Resource Group: Name of the logical container in which the cluster is located, e.g. `myResourceGroup`.

#### Google Kubernetes Engine (GKE)

To integrate with Kubernetes on GKE, enter the:

* Project ID: Unique identifier for the Google Cloud Project, e.g. `project-id`
* Location: Geographic area of the GKE Service, e.g. `us-central1`
* Cluster Name: Name of the cluster to discover, e.g. `gke-cluster-name`

### Notes and Supported Entities

#### Kubernetes Cluster

Kubernetes clusters contain groups of nodes that work together to run containerized applications and services.

| Attribute          | Description                            |
| ------------------ | -------------------------------------- |
| Platform Tenant ID | Tenant ID for managed clusters.        |
| AWS Account ID     | Identifies the AWS account (optional). |

#### Kubernetes Group

| Attribute                | Description                             |
| ------------------------ | --------------------------------------- |
| Associated Role Bindings | Associated with multiple role bindings. |

#### Kubernetes Role

Roles represent permissions granted to a user or a group of users within a specific namespace. A cluster role is a set of permissions that can be granted to a user or a group of users within the entire cluster.

| Attribute       | Description                         |
| --------------- | ----------------------------------- |
| Is Cluster Wide | Indicates whether the role is cluster-wide. |
| Namespace       | Specifies the namespace (optional).          |

#### Kubernetes Role Binding

A Role Binding connects a **Role** (or a **ClusterRole**) to a user, a group of users or a service account within a specific namespace. Cluster Role Bindings connect a **ClusterRole** to a user, a group of users or a service account within the entire cluster.

| Attribute       | Description                                |
| --------------- | ------------------------------------------ |
| Is Cluster Wide | Indicates whether the role binding is cluster-wide. |
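
The Role and Role Binding relationships described above, worked through as an added example (not Veza's code): given constructed objects shaped like the `items` of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`, it expands each binding into one grant per subject, records the namespace or cluster-wide scope (the Is Cluster Wide and Namespace attributes in the tables), flags bindings whose role no longer exists, and answers the "who can read secrets" question an authorization review needs. All object and subject names are constructed.

```python
import json

# Constructed sample, shaped like the `items` array of a `kubectl ... -o json` listing.
# It includes a RoleBinding that reuses a ClusterRole inside one namespace, a
# ClusterRoleBinding, and a binding whose Role has been deleted.
SAMPLE_ITEMS = json.loads("""
[
  {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "payments"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
  {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "payments"},
   "roleRef": {"kind": "Role", "name": "pod-reader"},
   "subjects": [{"kind": "User", "name": "alice"},
                {"kind": "ServiceAccount", "name": "billing", "namespace": "payments"}]},
  {"kind": "RoleBinding", "metadata": {"name": "read-secrets-dev", "namespace": "dev"},
   "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
   "subjects": [{"kind": "Group", "name": "developers"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "read-secrets-everywhere"},
   "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
   "subjects": [{"kind": "Group", "name": "platform-admins"}]},
  {"kind": "RoleBinding", "metadata": {"name": "stale-binding", "namespace": "dev"},
   "roleRef": {"kind": "Role", "name": "deleted-role"},
   "subjects": [{"kind": "User", "name": "bob"}]}
]
""")


def index_roles(items):
    """Map (kind, namespace-or-None, name) -> rules for Role and ClusterRole objects."""
    roles = {}
    for obj in items:
        meta = obj["metadata"]
        if obj["kind"] == "Role":
            roles[("Role", meta["namespace"], meta["name"])] = obj.get("rules", [])
        elif obj["kind"] == "ClusterRole":
            roles[("ClusterRole", None, meta["name"])] = obj.get("rules", [])
    return roles


def resolve_bindings(items):
    """Expand every RoleBinding / ClusterRoleBinding into one grant per subject.

    `scope` is the namespace the rules apply in, or "*" when the binding is cluster-wide.
    """
    roles = index_roles(items)
    grants = []
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        cluster_wide = obj["kind"] == "ClusterRoleBinding"
        scope = "*" if cluster_wide else obj["metadata"]["namespace"]
        ref = obj["roleRef"]
        # A RoleBinding may reference a ClusterRole; its rules then apply only
        # inside the binding's namespace, never across the cluster.
        if ref["kind"] == "ClusterRole":
            key = ("ClusterRole", None, ref["name"])
        else:
            key = ("Role", scope, ref["name"])
        rules = roles.get(key)
        for subj in obj.get("subjects", []):
            # Service accounts are namespaced, so qualify them as namespace:name.
            if subj["kind"] == "ServiceAccount":
                subject = "%s:%s" % (subj["namespace"], subj["name"])
            else:
                subject = subj["name"]
            grants.append({
                "subject_kind": subj["kind"],
                "subject": subject,
                "binding": obj["metadata"]["name"],
                "role": "%s/%s" % (ref["kind"], ref["name"]),
                "scope": scope,
                "is_cluster_wide": cluster_wide,
                "dangling": rules is None,   # binding points at a role that does not exist
                "rules": rules or [],
            })
    return grants


def rule_allows(rule, verb, resource):
    """True if a single RBAC rule permits `verb` on `resource` (wildcards respected)."""
    verbs, resources = rule.get("verbs", []), rule.get("resources", [])
    return (verb in verbs or "*" in verbs) and (resource in resources or "*" in resources)


def who_can(grants, verb, resource):
    """Sorted (subject_kind, subject, scope) triples able to perform verb on resource."""
    return sorted({(g["subject_kind"], g["subject"], g["scope"])
                   for g in grants
                   if any(rule_allows(r, verb, resource) for r in g["rules"])})


if __name__ == "__main__":
    all_grants = resolve_bindings(SAMPLE_ITEMS)
    for kind, name, scope in who_can(all_grants, "get", "secrets"):
        print("%s %s can get secrets in %s" % (kind, name, "the whole cluster" if scope == "*" else scope))
    for g in all_grants:
        if g["dangling"]:
            print("binding %s references missing %s" % (g["binding"], g["role"]))
```

The review-relevant distinction is the `scope` column: `developers` reach secrets only in `dev` because their ClusterRole is attached through a namespaced RoleBinding, while `platform-admins` reach secrets everywhere because theirs is attached through a ClusterRoleBinding; both rows show the same role name, so looking at role names alone hides the difference.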

#### Kubernetes Service Account

An identity used by applications running in the Kubernetes cluster to authenticate and interact with the Kubernetes API server.

| Attribute | Description                         |
| --------- | ----------------------------------- |
| Namespace | Specifies the namespace (optional). |

#### Kubernetes User

A local identity used to authenticate and interact with a cluster. Assigned roles allow users to perform specific actions within namespaces or across the entire cluster.

