Kubernetes Access

Enterprise Coming Soon

Secure, audited access to Kubernetes clusters without distributing kubeconfigs or exposing the API server.

Status: Code written and compiles. Currently in internal testing — not yet available in production builds.

Capabilities

Pod exec

Open a terminal into any pod from the browser. RedFox proxies the kubectl exec WebSocket stream through the bastion. Users never need direct API access.

Log streaming

Real-time log tailing for pods and containers. Filter by namespace, label selector, or container name.

Port forwarding

Forward a cluster service port to the user's browser session. Useful for accessing internal dashboards (Prometheus, Grafana) without exposing them.

Resource browser

View pods, deployments, services, configmaps and secrets (values masked) in a read-only UI. No kubectl required.

Configuration

  1. Register a cluster — Navigate to Targets → Add Target, select "Kubernetes", provide the API server URL and a service account token (stored in the credential vault).
  2. Namespace scoping — Restrict users to specific namespaces via RBAC policies. Map IdP groups to Kubernetes namespaces.
  3. Pod exec policies — Define which containers users can exec into, allowed commands, and session timeout.
  4. Connect — Users select a cluster and namespace, then pick a pod to exec into or view logs.

Security

  • RedFox acts as the sole entry point — the Kubernetes API server is never exposed to end users
  • Service account tokens are stored encrypted in the credential vault (AES-256-GCM)
  • All exec sessions and commands are recorded in the WORM audit log
  • Namespace-scoped RBAC prevents lateral movement within the cluster
  • JIT access supported: users request cluster access with approval workflow and TTL

Need help setting up Kubernetes access? Contact [email protected]. For Enterprise licensing, reach out to [email protected].