Introduction
There are several ways to connect to a Kubernetes cluster through Boundary; this article concentrates on the CLI approach.
This has been successfully tested with Boundary Enterprise 0.13.2.
Solution
First Method: via boundary connect kube CLI
# Need to export the boundary api address and authentication token
# Below command will generate the boundary authentication token
boundary authenticate password -auth-method-id=ampw_XkzcdFvzQx -login-name=loginkubernetes
export BOUNDARY_ADDR=CONTROLLER_API_ADDR
export BOUNDARY_TOKEN=TOKEN_VALUE
# This command will generate the service account token required to authenticate to Kubernetes
boundary connect kube -target-id=TARGET_ID
# Once we get the service account token from the above command, set it as an environment variable
export SVC_TOKEN=VALUE_FROM_ABOVE_COMMAND
# Run the below command which will list all the pods.
boundary connect kube -target-id=TARGET_ID -- get pods --server {{boundary.addr}} --token $SVC_TOKEN --insecure-skip-tls-verify
Second Method: via target authorization CLI
# Authenticate to Boundary to generate the boundary token, which will then be exported as an env variable
boundary authenticate password -auth-method-id=ampw_XkzcdFvzQx -login-name=loginkubernetes
# Export the Boundary Api Addr and token
export BOUNDARY_ADDR=CONTROLLER_API_ADDR
export BOUNDARY_TOKEN=TOKEN_VALUE
# Authorize a session on the target (the target ID and host ID below are dummy values)
boundary targets authorize-session -id=ttcp_3V4xgrRefL -host-id=hst_FwRbRDzM2l
# Get the authorization token and the service account token from the output of the above command; they are needed to start the proxy and to log in to the Kubernetes cluster
export AUTH_TOKEN=authorization_token_from_above_command
# Generate the proxy url, port, session ID
boundary connect -authz-token=$AUTH_TOKEN
# Open a new terminal session on the same VM and export the service account token from the authorize-session command and the port from the above boundary connect command
export SVC_TOKEN=<service_account_token_from_authorize_target_command>
export PORT=<get_port_from_above_boundary_connect_command>
kubectl get pod --insecure-skip-tls-verify --server https://127.0.0.1:$PORT --token $SVC_TOKEN
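An added example, not part of the original article: the last step of the second method passes the service account token as a kubectl argument, where it shows up in the host's process list. The helper below (hypothetical name write_proxy_kubeconfig) writes the proxy port and token into an owner-only temporary kubeconfig instead; it assumes the token is a JWT-style string and keeps the article's TLS setting.

```shell
# Added example, not from the original article. Assumes a POSIX shell with
# mktemp and a `boundary connect` proxy already listening on 127.0.0.1:PORT.

# write_proxy_kubeconfig PORT TOKEN   (hypothetical helper name)
# Prints the path of a mode-0600 kubeconfig for the local Boundary proxy.
# The body runs in a subshell, so its variables and umask do not leak out.
write_proxy_kubeconfig() (
  port=$1
  token=$2
  # PORT must be a decimal TCP port of at most five digits.
  case $port in
    ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; exit 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; exit 1
  fi
  # Assumption: the token is a JWT-style string (base64url segments joined by
  # dots). Anything else is rejected so no whitespace or YAML syntax gets in.
  case $token in
    ''|*[!A-Za-z0-9._-]*) echo "unexpected characters in token" >&2; exit 1 ;;
  esac
  umask 077
  path=$(mktemp "${TMPDIR:-/tmp}/boundary-kube.XXXXXX") || exit 1
  cat > "$path" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: boundary-proxy
  cluster:
    server: https://127.0.0.1:${port}
    # Mirrors the article's --insecure-skip-tls-verify; with the cluster CA
    # available, use certificate-authority here instead.
    insecure-skip-tls-verify: true
users:
- name: boundary-svc
  user:
    token: "${token}"
contexts:
- name: boundary
  context:
    cluster: boundary-proxy
    user: boundary-svc
current-context: boundary
EOF
  printf '%s\n' "$path"
)

# Usage, in the second terminal of the second method:
#   cfg=$(write_proxy_kubeconfig "$PORT" "$SVC_TOKEN") && kubectl --kubeconfig "$cfg" get pod; rm -f "$cfg"
```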