
Remotely Access Deployment Cells

Remotely Access Any Deployment Cell (Kubernetes Cluster) with Omnistrate's Secure CLI

Omnistrate is revolutionizing how service providers manage and interact with their deployment cells. A new feature now provides a secure and standardized way to remotely access the Kubernetes API of any deployment cell. This capability eliminates the need for complex networking configurations or additional permissions in the target account.

This new functionality allows you to securely connect to any Kubernetes cluster, whether it's running in your own cloud account, a customer's account, or across different cloud providers and regions.

Key Benefits

  • Simplified Operations: Gain direct access to any managed Kubernetes cluster with a single command. This removes the need for bastion hosts, VPNs, or managing separate credentials for each environment, dramatically simplifying day-to-day operations.
  • Standardized Cross-Channel Management: Whether you're debugging an issue in a development cluster or a production instance running in a customer's environment, the process is identical. This standardization reduces complexity and the risk of human error.
  • Enhanced Security: All connections are established over a secure mTLS (mutual TLS) channel using reverse tunneling. This means you don't need to expose the Kubernetes API server to the public internet or open inbound firewall ports in the target account. Access is further protected by short-term tokens, ensuring a robust Zero Trust security model.
  • Seamless Tool Integration: Your existing Kubernetes tooling, including kubectl, k9s, and helm, works out-of-the-box. Once the secure connection is established, you can use your preferred tools to manage and inspect your applications and services.

How It Works: Secure by Design

Omnistrate's remote access feature is built on a foundation of security and simplicity. When you initiate a remote session, the following happens:

  1. Secure Tunneling: A secure reverse tunnel is created from your local machine to the target Kubernetes cluster. This connection is protected with mTLS, ensuring that both the client and server authenticate each other's identity through trusted certificates.
  2. Dynamic Configuration: The Omnistrate CLI (omnistrate-ctl) dynamically updates your local kubeconfig file with temporary, short-lived credentials for the target cluster.
  3. Direct API Access: With the kubeconfig updated, kubectl and other Kubernetes-native tools can securely communicate with the cluster's API server through the mTLS tunnel.

This architecture ensures that access is granted on-demand and is automatically revoked, without ever exposing the cluster's control plane to external threats.

Getting Started: A Step-by-Step Guide

Interacting with your remote clusters is straightforward using the Omnistrate CLI.

Step 1: List Your Deployment Cells

To see all the deployment cells you manage, run the following command:

omnistrate-ctl deployment-cell list

+----------------+-------------------------------+---------------------+----------------------------+---------------------------------------------+--------------+-------------+---------+------------+
| CLOUD_PROVIDER | CURRENT_NUMBER_OF_DEPLOYMENTS | CUSTOMER_EMAIL      | CUSTOMER_ORGANIZATION_NAME | HEALTH_STATUS                               | ID           | REGION      | STATUS  | TYPE       |
+----------------+-------------------------------+---------------------+----------------------------+---------------------------------------------+--------------+-------------+---------+------------+
| azure          |                             1 | <nil>               | <nil>                      | Status: UNKNOWN | Entities: 0/0 healthy     | hc-x7n2kp9q4 | eastus2     | FAILED  | Kubernetes |
| gcp            |                             4 | <nil>               | <nil>                      | Status: HEALTHY | Entities: 556/556 healthy | hc-3m8vt5hy2 | us-central1 | RUNNING | Kubernetes |
| aws            |                             2 | <nil>               | <nil>                      | Status: HEALTHY | Entities: 195/195 healthy | hc-p4j6wd3n7 | us-east-1   | RUNNING | Kubernetes |
| aws            |                             1 | <nil>               | <nil>                      | Status: HEALTHY | Entities: 139/139 healthy | hc-k9z1bf8c5 | us-west-2   | RUNNING | Kubernetes |
| aws            |                             0 | <nil>               | <nil>                      | Status: UNKNOWN | Entities: 0/0 healthy     | hc-v2q7rx4m1 | ap-south-1  | FAILED  | Kubernetes |
| aws            |                             1 | [email protected] | Omnistrate                 | Status: HEALTHY | Entities: 242/242 healthy | hc-h5y8sg2w6 | us-east-1   | RUNNING | Kubernetes |
+----------------+-------------------------------+---------------------+----------------------------+---------------------------------------------+--------------+-------------+---------+------------+

This command provides a comprehensive overview of your clusters, including their health status, region, and the customer account they belong to.

Step 2: Connect to a Remote Cluster

To establish a secure session with a specific deployment cell, use the update-kubeconfig command. You will need the ID of the deployment cell from the list in the previous step. If the cluster belongs to a customer, you will also need their email address.

omnistrate-ctl deployment-cell update-kubeconfig hc-h5y8sg2w6 --customer-email [email protected]

This command will securely update your local kubeconfig file. The path to the updated configuration will be displayed in your terminal.

You can also specify a custom path for the kubeconfig file:

omnistrate-ctl deployment-cell update-kubeconfig hc-h5y8sg2w6 --customer-email [email protected] --kubeconfig /path/to/custom/kubeconfig

Step 3: Interact with Your Cluster

You are now securely connected to the remote Kubernetes cluster. You can use your favorite tools to manage your applications. For example, you can check which actions your session is allowed to perform:

# Set the KUBECONFIG environment variable to the path provided by the previous command
export KUBECONFIG=/tmp/kubeconfig

# Use kubectl to interact with the cluster
# Check if you can create pods in the current namespace
kubectl auth can-i create pods
no

# Check if you can create pods in a specific namespace
kubectl auth can-i create pods --namespace=kube-system
no

By default, the kubeconfig will assume a read-only cluster-wide role (cluster-reader). If you need to perform administrative tasks, you can specify a different role:

omnistrate-ctl deployment-cell update-kubeconfig hc-h5y8sg2w6 --customer-email [email protected] --role cluster-admin

You can also use tools like k9s for a more interactive terminal UI to manage your cluster's resources, view logs, and much more, all through the secure Omnistrate tunnel.
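
One way to script Steps 2 and 3 so that each session gets its own private kubeconfig and the default read-only role is verified before use. This is an added example, not Omnistrate code: the function names, the `CTL` override and the temporary directory layout are assumptions, as is the CLI creating the file at a new `--kubeconfig` path.

```shell
#!/bin/sh
# Added example, not Omnistrate code. CTL is overridable so the wrapper can be
# exercised against a stub instead of the real CLI.
CTL="${CTL:-omnistrate-ctl}"

# Succeeds only if the credentials in kubeconfig $1 cannot modify pods in any
# namespace. `kubectl auth can-i` prints "yes" or "no".
session_is_read_only() {
    for verb in create update patch delete; do
        answer=$(kubectl --kubeconfig "$1" auth can-i "$verb" pods \
                 --all-namespaces 2>/dev/null) || true
        if [ "$answer" = "yes" ]; then
            return 1
        fi
    done
    return 0
}

# Usage: open_cell_session <cell-id> [customer-email] [role]
# Prints the path of a per-session kubeconfig on success.
open_cell_session() {
    cell=$1; email=${2:-}; role=${3:-}
    # mktemp -d creates the directory with mode 0700, so the credentials are
    # never readable by other local users, whatever mode the CLI writes.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/cell-session.XXXXXX") || return 1
    kc=$dir/kubeconfig
    set -- deployment-cell update-kubeconfig "$cell" --kubeconfig "$kc"
    if [ -n "$email" ]; then set -- "$@" --customer-email "$email"; fi
    if [ -n "$role" ]; then set -- "$@" --role "$role"; fi
    # CLI output goes to stderr so stdout carries only the kubeconfig path.
    # With no explicit role the session must turn out to be read-only.
    if "$CTL" "$@" >&2 && chmod 600 "$kc" &&
       { [ -n "$role" ] || session_is_read_only "$kc"; }; then
        printf '%s\n' "$kc"
        return 0
    fi
    rm -rf "$dir"
    return 1
}

# Remove a session directory; refuses any path this wrapper did not create.
close_cell_session() {
    case "$1" in
        */cell-session.??????/kubeconfig) rm -rf "${1%/kubeconfig}" ;;
        *) return 1 ;;
    esac
}
```

Typical use is `kc=$(open_cell_session <cell-id>)`, then `kubectl --kubeconfig "$kc" ...`, then `close_cell_session "$kc"` so the short-lived credentials do not linger on disk.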