Apono Connector for Kubernetes

How to install a Connector on a Kubernetes cluster to integrate Kubernetes with Apono


Last updated 7 months ago


Overview

To integrate with Kubernetes and start managing JIT access to Kubernetes resources, you must first install a connector in your Kubernetes cluster.

This can be done by one of the following methods:

  1. Helm

  2. Terraform

What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal security.

With Helm

An Apono connector is installed in the cloud platform managing your Kubernetes resource. The installation is made by running a Helm command with the necessary parameters.

Prerequisites

  • An existing Kubernetes project on one of the following platforms:

    • Google Kubernetes Engine (GKE)

    • Elastic Kubernetes Service (EKS)

    • Azure Kubernetes Engine (AKS)

    • Kubernetes (self-managed)

  • Helm

  • kubectl

Step-by-step guide

Find Your Integration Token

  1. Select any Kubernetes integration in the Catalog.

You can install a new connector from any Kubernetes New Integration form. Pick the one relevant to your network.

Connectors for EKS, GKE, AKS and self-managed Kubernetes work in the same way.

  2. From the drop-down list on the next page select Add a New Connector, and then select Help.

  3. Copy the token displayed toward the bottom of the page.

Install the Connector

Run the following Helm command in a terminal:

Without permissions

  • If you would like to install the connector in Kubernetes, but not grant Apono access to read or manage access to Kubernetes resources, use this code:

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=[APONO_TOKEN] \
    --set-string apono.connectorId=[CONNECTOR_NAME] \
    --set serviceAccount.manageClusterRoles=false \
    --namespace apono-connector \
    --create-namespace

With permissions

  • If you would like to install the connector in Kubernetes and grant Apono access to read and manage access to Kubernetes resources, use this code:

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=[APONO_TOKEN] \
    --set-string apono.connectorId=[CONNECTOR_NAME] \
    --set serviceAccount.manageClusterRoles=true \
    --namespace apono-connector \
    --create-namespace

Where:

  • [APONO_TOKEN] is the token copied from the integration page in the previous step.

  • [CONNECTOR_NAME] is any name you choose to give the connector.

Helm will finish with a message that the apono-connector has been installed.
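
After either install variant, you can check which cluster-wide permissions ended up bound to service accounts in the apono-connector namespace. The script below is an added example, not Apono's own code; it parses the JSON printed by kubectl get clusterroles,clusterrolebindings -o json, and every object name in its embedded sample is constructed.

```python
import json
import sys

NAMESPACE = "apono-connector"  # namespace from the helm command on this page
READ_ONLY = {"get", "list", "watch"}

# Constructed sample in the shape of `kubectl get clusterroles,clusterrolebindings -o json`.
# All object names below are made up; they are not the chart's real names.
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "example-connector-role"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
                "resources": ["rolebindings"], "verbs": ["get", "create", "delete"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "example-view"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-connector-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "example-connector-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "example-sa",
                   "namespace": "apono-connector"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-other-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "example-view"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "default"}]},
]}

def connector_grants(kube_list, namespace=NAMESPACE):
    """Map each ClusterRoleBinding that targets a ServiceAccount in
    `namespace` to a list of findings about the ClusterRole it binds."""
    items = kube_list.get("items", [])
    roles = {i["metadata"]["name"]: i.get("rules") or []
             for i in items if i.get("kind") == "ClusterRole"}
    report = {}
    for b in (i for i in items if i.get("kind") == "ClusterRoleBinding"):
        if not any(s.get("kind") == "ServiceAccount" and s.get("namespace") == namespace
                   for s in b.get("subjects") or []):
            continue
        role, findings = b["roleRef"]["name"], []
        if role not in roles:
            findings.append(f"{role}: role not present in input")
        for rule in roles.get(role, []):
            verbs, groups = set(rule.get("verbs", [])), set(rule.get("apiGroups", []))
            if "*" in verbs or "*" in rule.get("resources", []):
                findings.append(f"{role}: wildcard verbs or resources")
            elif "rbac.authorization.k8s.io" in groups and verbs - READ_ONLY:
                findings.append(f"{role}: can modify RBAC objects")
        report[b["metadata"]["name"]] = findings
    return report

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(connector_grants(data), indent=2))
```

Pipe the kubectl output into the script on stdin; run with no piped input it reports on the embedded sample instead. An empty result means no ClusterRoleBinding in the input targets a service account in that namespace.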

Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Results and next steps

The Kubernetes Connector is now installed.

  1. Return to the Add new integration form from step 1 for EKS, GKE, AKS or self-managed Kubernetes.

  2. The Connector is found by the form, marked by a green checkmark.

You can now integrate Apono with your Kubernetes instance.

Troubleshooting

  • If you are managing more than one Kubernetes cluster, you must be certain that the current context points to the cluster into which the Apono connector is to be added.

    • Get the current context with kubectl config current-context

    • Set the current context with kubectl config use-context [clustername]

With Terraform

An Apono connector is installed in the cloud platform managing your Kubernetes resource. The installation is made by adding an Apono module to your Terraform configuration.

Prerequisites

  • A Kubernetes project on one of the following platforms:

    • Google Kubernetes Engine (GKE)

    • Elastic Kubernetes Service (EKS)

    • Azure Kubernetes Engine (AKS)

    • Kubernetes (self-managed)

  • Terraform with the following providers:

    • Helm

    • Kubernetes

    • AWS

Step-by-step guide

Find Your Integration Token

  1. Select any Kubernetes integration in the Catalog.

You can install a new connector from any Kubernetes New Integration form. Pick the one relevant to your network.

Connectors for EKS, GKE, AKS and self-managed Kubernetes work in the same way.

  2. From the drop-down list on the next page select Add a New Connector, and then select Terraform.

  3. Copy the token displayed toward the bottom of the page.

Edit the Terraform Configuration

  1. Add the following to your Terraform module.

  • If you would like to install the connector in Kubernetes, but not grant Apono access to read or manage access to Kubernetes resources, use this code:

module "connector" {
    source = "github.com/apono-io/terraform-modules/k8s/connector-without-permissions/stacks/apono-connector"
    aponoToken = [APONO_TOKEN]
    connectorId = [CONNECTOR_NAME] // choose connector name
}

  • If you would like to install the connector in Kubernetes and grant Apono access to read and manage access to Kubernetes resources, use this code:

module "connector" {
    source = "github.com/apono-io/terraform-modules/k8s/connector-with-permissions/stacks/apono-connector"
    aponoToken = [APONO_TOKEN]
    connectorId = [CONNECTOR_NAME] // choose connector name
}

Where:

  • [APONO_TOKEN] is the token copied from the integration page in the previous step.

  • [CONNECTOR_NAME] is any name you choose to give the connector.

  2. Run terraform init. It will finish with the message: "Terraform has been successfully initialized!"

  3. Run terraform apply. It will finish with the message: "Apply complete! Resources: (N) added.."

Results and next steps

The Kubernetes Connector is now installed.

  1. Return to the Add new integration form from step 1 for EKS, GKE, AKS or self-managed Kubernetes.

  2. The Connector is found by the form, marked by a green checkmark.

You can now integrate Apono with your Kubernetes instance.

Next Steps

Complete the integration with EKS, GKE, AKS, or self-managed Kubernetes.

Return to the Catalog, and select one of the following Kubernetes integrations:

  • Google Kubernetes Engine (GKE)

  • Elastic Kubernetes Service (EKS)

  • Azure Kubernetes Engine (AKS)

  • Kubernetes (self-managed)