
How To Achieve Zero Trust In Kubernetes With Pomerium

Modern Kubernetes environments don’t have a perimeter (a single, predictable network boundary). Apps span clouds. Teams work from anywhere. Legacy security models—built on assumptions of a trusted internal network—start to fall apart.

To protect infrastructure in this world, you need a different approach. One that assumes breach, verifies every request, and scales with your teams.

That’s where Pomerium comes in.

Why Zero Trust Matters in Kubernetes

Kubernetes wasn’t designed with identity-aware access in mind. It assumes internal traffic is safe and often relies on long-lived credentials or static configurations.

But when a developer laptop gets compromised or a pod gets breached, trust based on network location becomes a liability.

Zero Trust flips the model. Trust nothing by default. Require proof of identity and authorization on every request—across users, services, and tools like kubectl.

Zero Trust for Real-World Infrastructure

Pomerium is an identity-aware access proxy that enforces Zero Trust by evaluating policy for each request. Whether it's a human accessing a dashboard or a developer running kubectl, every action is authenticated and authorized before it reaches your cluster.

When deployed to Kubernetes, Pomerium gives you:

  • Secure access to internal services without a VPN

  • Fine-grained policies tied to identity and context

  • SSO-backed kubectl access using your IdP

  • Complete visibility into who accessed what and when

Here's how to get started.

Step 1: Deploy Pomerium as an Ingress Controller

Pomerium offers a native Kubernetes Ingress Controller that turns ingress into an identity-aware, policy-driven access point. It watches Ingress resources and automatically programs routes based on your policies.

Install via Kustomize:

Shell (Bash)
kubectl apply -k "github.com/pomerium/ingress-controller/config/default?ref="

Once installed, you configure global settings using the Pomerium CRD or a ConfigMap, including your IdP credentials and certificate secrets. All traffic is secured with TLS and identity-enforced by default.

Example: Securing a Service with Identity

To expose an internal service, add the pomerium Ingress class and policy annotations:

Yaml
annotations:
  ingress.pomerium.io/allow_any_authenticated_user: "true"
  ingress.pomerium.io/pass_identity_headers: "true"

Want tighter control? Use a policy annotation:

Yaml
annotations:
  ingress.pomerium.io/policy: |
    - allow:
        or:
          - domain:
              is: example.com
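Putting the two pieces above together (the pomerium Ingress class plus a policy annotation) gives a manifest like the following. This is an added example, not from the original post: the hostname, namespace, service, TLS secret and group name are placeholders, and the policy combines the domain rule shown above with a `groups` rule from Pomerium Policy Language so that both conditions must hold.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: internal-dashboard          # placeholder name
  namespace: tools                  # placeholder namespace
  annotations:
    # Forward the verified identity to the upstream as request headers
    ingress.pomerium.io/pass_identity_headers: "true"
    # Allow only users whose IdP domain is example.com AND who are members
    # of the platform-team group; everyone else is denied before the
    # request reaches the service.
    ingress.pomerium.io/policy: |
      - allow:
          and:
            - domain:
                is: example.com
            - groups:
                has: platform-team
spec:
  ingressClassName: pomerium        # hand this Ingress to Pomerium
  tls:
    - hosts:
        - dashboard.example.com
      secretName: dashboard-tls     # placeholder TLS secret
  rules:
    - host: dashboard.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: dashboard     # placeholder internal service
                port:
                  number: 8080
```

A route with no policy annotation and no `allow_any_authenticated_user` denies every request, so each Ingress handed to Pomerium should carry one of the two; `allow_any_authenticated_user` is omitted here because the explicit policy replaces it.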

Step 2: Enable Zero Trust kubectl Access

Pomerium can secure Kubernetes API access, allowing you to tie kubectl usage directly to your IdP.

How it works:

  1. Pomerium route: Define a secure route to the Kubernetes API server.

  2. Impersonation: Pomerium authenticates the user and impersonates them to the API server using a Kubernetes service account.

  3. Policy enforcement: Kubernetes RBAC sees the request as coming from the real user and applies permissions accordingly.

  4. Developer login: The pomerium-cli tool integrates with kubectl to fetch credentials via browser-based SSO.

From a developer's perspective, it's seamless. They run kubectl, authenticate once through the browser, and go.

No static tokens. No VPN.
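The four steps above map onto two pieces of configuration: cluster-side RBAC that permits Pomerium's service account to impersonate the signed-in user, and a developer kubeconfig whose exec credential plugin calls pomerium-cli. This is an added example, not from the original post; it assumes a Pomerium route to the API server is already published at the placeholder address https://k8s.example.com, that Pomerium runs under a service account named `pomerium` in the `pomerium` namespace, and that `pomerium-cli k8s exec-credential <route-url>` is the command the CLI exposes for this flow.

```yaml
# (1) Permit the Pomerium service account to impersonate users and groups.
# Without this ClusterRole the API server rejects the impersonation headers.
# Only "users" and "groups" are granted: that is all Pomerium needs to pass
# the IdP identity through, so keep the grant that narrow.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pomerium-impersonation
rules:
  - apiGroups: [""]
    resources: ["users", "groups"]
    verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pomerium-impersonation
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pomerium-impersonation
subjects:
  - kind: ServiceAccount
    name: pomerium                # placeholder: Pomerium's service account
    namespace: pomerium           # placeholder namespace
---
# (2) Developer kubeconfig. kubectl talks to the Pomerium route, not to the
# API server directly; the exec plugin runs pomerium-cli, which performs the
# browser SSO login once and caches the resulting credential. Kubernetes RBAC
# then authorises the real user's identity, not the service account's.
apiVersion: v1
kind: Config
clusters:
  - name: zero-trust-cluster
    cluster:
      server: https://k8s.example.com      # placeholder Pomerium route
contexts:
  - name: zero-trust-cluster
    context:
      cluster: zero-trust-cluster
      user: pomerium-sso
current-context: zero-trust-cluster
users:
  - name: pomerium-sso
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1beta1
        command: pomerium-cli
        args: ["k8s", "exec-credential", "https://k8s.example.com"]
        interactiveMode: IfAvailable
```

Because the binding is the only thing that lets a request arrive at the API server as someone else, audit who can edit it: a change to this ClusterRole or its subjects is the control that turns the proxy's identity into everyone's identity.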

Fits into Any Stack

Whether you're running a service mesh, using the Gateway API, or sticking with standard Ingress, Pomerium adapts:

  • Gateway API: Pomerium supports experimental Gateway resources and PolicyFilter CRDs

  • Service mesh: Combine Pomerium for authentication with Istio or Linkerd for mTLS and east-west traffic

  • Forward auth: Prefer to keep NGINX? Use Pomerium in forward-auth mode

Wherever and however you run Kubernetes, Pomerium helps enforce identity-first access.

The Benefits of Zero Trust with Pomerium

Continuous verification
Every request is evaluated—not just at login.

Least privilege by design
Access is defined per user, per service, per action.

Built-in audit
Every request is logged with identity and outcome.

Instant revocation
Disable a user in your IdP and access is revoked cluster-wide.

Developer-friendly
No VPNs or token management. Just sign in and go.

Achieve Zero Trust With Pomerium

With Pomerium, Zero Trust in Kubernetes is operational.

  • Identity becomes the new perimeter

  • Services and kubectl are protected by policy

  • Every action is verified, auditable, and scoped

If your infrastructure spans clouds, clusters, or teams, it’s time to modernize access. Pomerium gives you Zero Trust control that fits Kubernetes and scales with your stack.

Start treating access as a security boundary. Let Pomerium enforce it.

👉 Explore the docs
👉 Try the Kubernetes Ingress Controller
👉 Secure your Kubernetes API server
