HashiCorp Developer AI Private beta now available Sign up today
Boundary
Boundary for Kubernetes

Connect to Kubernetes using Boundary

  • 5min
  • |
  • Boundary
  • Vault

Deployment

In this tutorial you will take on the role of the developer team to connect to Kubernetes using Boundary with brokered credentials from Vault.

Prerequisites

This tutorial requires you to have completed the Connect to Kubernetes using Boundary configuration tutorial.

Connect to Kubernetes using the Boundary CLI

To connect to Kubernetes, a developer will need a Kubernetes service account and token. You will simulate this process using the Boundary administrative user.

You can learn how to create users in Boundary, and assign roles in the HCP administration or Self-managed administration tutorials.

  1. Ensure you have logged in to Boundary as the admin user. Enter the username and password for your Boundary instance.

    $ boundary authenticate
  Please enter the login name (it will be hidden):
  Please enter the password (it will be hidden):

  Authentication information:
    Account ID:      acctpw_NgTnYJHTls
    Auth Method ID:  ampw_PqQpz2sqvx
    Expiration Time: Wed, 19 Jul 2023 09:52:02 EDT
    User ID:         u_09ja9DkXo3

  The token was successfully stored in the chosen keyring and is not displayed here.

  2. Authorize a new session.

    $ BROKERED_KUBE_TOKEN=$(boundary targets authorize-session \
     -id $KUBE_TARGET_ID \
     -format json | jq -r '.item | .credentials[] | .secret | .decoded | .service_account_token') \
     && echo $BROKERED_KUBE_TOKEN

    Example output:

    eyJhbGciOiJSUzI1NiIsImtpZCI6IjhqNVZuSHZINkhwaDFBZnU2Y1ZzM2k1aUZ3elQwLWtFbnhjUVhGY2
ZKTEEifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiX
...snip...
uF8uZkBiNvte-afKzzbqdvMF3KdFNGSTf5hWx88SZJUJAzdpoKbYbd_jbksUx4Ek4WGZtybUGdLlGo9f4D
B4c0wSvqnMSAMOFaN67OCmeMSW-9eWKhKSR3c5EvAwZWq5w-SkdQ06-VzBHM-M8Yp2YqK698iluRG3nRYk
G4iz9g

  3. Create and switch to an empty kubectl context. This is done to ensure the kubectl config is not overriding parameters to connect to the Kubernetes cluster.

    $ kubectl config set-context empty && kubectl config use-context empty

Context "empty" created.
Switched to context "empty".

  4. Use the brokered service account token to authenticate with the minikube cluster. The server parameter is passed to the minikube cluster because the current kubectl config is set to an invalid cluster context.

    $ kubectl get pod --insecure-skip-tls-verify --server=$KUBE_API_URL --token=$BROKERED_KUBE_TOKEN
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          4d17h

Connect to Kubernetes using Boundary Desktop

Lastly, test the experience of connecting to the Kubernetes cluster using the Boundary Desktop app.

To log into Boundary using the Desktop App, the BOUNDARY_ADDR (Boundary cluster address) must be gathered.

If you use HCP Boundary, you can locate the BOUNDARY_ADDR in the HCP Boundary Admin Console, as demonstrated in the HCP Boundary Getting Started tutorial.

If you use Boundary in dev mode, the BOUNDARY_ADDR is http://127.0.0.1:9200.

  1. Open the Boundary desktop app.

  2. Enter the Boundary cluster URL (for example, https://ffee961b-5fd8-4e68-ba1d-2bbb487b576e.boundary.hashicorp.cloud) and click Submit.

  3. Authenticate using your Boundary admin user credentials.

    Boundary Desktop Login

  4. Under the Targets page, notice the target details for kubernetes-api. Click Connect.

    Kubernetes Desktop Target

    You are presented with a Proxy URL port number and a service_account_token.

  5. Click on the copy icon for the service_account_token.

  6. On your local terminal, paste the service account token into an environment variable:

    $ export BROKERED_KUBE_TOKEN=<YOUR_SERVICE_ACCOUNT_TOKEN>

  7. Next, paste the proxy port number from the Proxy URL into an environment variable:

    $ export KUBERNETES_PORT=<YOUR_PORT_NUMBER>

  8. Test the kubectl connection:

    $ kubectl get pod --insecure-skip-tls-verify --server http://127.0.0.1:$KUBERNETES_PORT --token $BROKERED_KUBE_TOKEN
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          68m

You can now use kubectl to connect to the Kubernetes API from Boundary.

Set the Kubernetes context

To decrease friction when using the kubectl command, you can set the Kubernetes context. This will automatically pass the TLS server name, server address, and brokered token when envoking kubectl.

Create a new kubectl context set called boundary. Set the server address, TLS server name, and path to the certificate authority file.

$ kubectl config set-cluster boundary-cluster --server=http://127.0.0.1:$KUBERNETES_PORT --insecure-skip-tls-verify=true
Cluster "boundary-cluster" set.

Set the credentials for the cluster context by creating a new user names boundary-user, and passing the BROKERED_KUBE_TOKEN.

$ kubectl config set-credentials boundary-user --token=$BROKERED_KUBE_TOKEN
User "boundary-user" set.

Set the new context.

$ kubectl config set-context boundary --cluster boundary-cluster --user boundary-user
Context "boundary" created.

And lastly, use the new context.

$ kubectl config use-context boundary

Test the kubectl CLI without any additional options.

$ kubectl get pods
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          74m

Note

When the Boundary session is terminated, the context will no longer be valid. Once a new session is authorized, set the boundary-cluster port again using KUBERNETES_PORT, and the boundary-user with BROKERED_KUBE_TOKEN.

Cleanup and teardown

  1. Clean up Boundary.

    If you used an HCP Boundary test cluster, consider cleaning up the cluster by deleting it, or deleting the org and its associated projects used for testing the Boundary and Kubernetes integration.

  2. Clean up Vault.

    If you use a HCP Vault Dedicated test cluster, consider cleaning up the cluster by deleting it. Ensure you only delete the cluster used for testing the Boundary and Kubernetes integration.

  3. Locate the terminal session used to execute the kubectl proxy --disable-filter=true server command, and execute ctrl+c.

  4. Delete the minikube cluster.

    $ minikube delete

  5. Unset the environment variables used in any active terminal windows for this tutorial.

Summary

This tutorial demonstrated configuring Boundary and Vault to facilitate just-in-time access to Kubernetes deployments.

To continue learning about Boundary, check out the Credential management tutorials.

Help and reference

Previous

Configure Boundary, Vault, and Kubernetes

 Next Collection

Boundary Enterprise

Deployment