
Kubernetes Security

Context-aware access to your Kubernetes API, kubectl, and upstream apps. No VPNs. No agents. No shared secrets.

Scoped Kubernetes Access That Doesn’t Slow Down Engineering

Kubernetes is powerful, but its default security posture creates gaps for organizations. Pomerium provides:

  • Centralized access control across cloud providers, so you don’t have to secure your APIs differently on each infrastructure

  • Consistent authentication so you don’t rely on static tokens or kubeconfigs that result in hard-to-manage access controls

  • Easier auditing by tracking user and service actions with centralized logging and context-aware access

Pomerium addresses these challenges with a unified, identity-aware access layer that integrates seamlessly into your existing infrastructure.

It’s Zero Trust that’s self-hosted, policy-driven, and ready today.

Secure Kubernetes Ingress With Context-Aware Access

Traditional ingress controllers focus on routing traffic but lack robust access controls. Pomerium's Ingress Controller, built atop Envoy, introduces:

Per-Request Authentication

Integrates with your identity provider (e.g., Okta, Google, Azure AD) to authenticate users on each request.

Context-Aware Authorization

Enforces fine-grained access control policies based on user identity, group membership, and other contextual factors.

Mutual TLS (mTLS) Support

Ensures encrypted communication between clients and services.

This approach eliminates the need for VPNs or additional client software, and co-exists with existing solutions to provide secure, clientless access to your services.

Securing Kubernetes-Hosted Applications Without Developer Overhead

Embedding authentication logic into each application breaks at scale. Pomerium abstracts this by acting as a centralized policy decision and enforcement point:

No Code Change Required

Applications remain unaware of authentication mechanisms, simplifying development.

Centralized Policy Management

Define and manage access policies in one place, reducing configuration drift.

Audit Logging

Capture detailed logs of user access for compliance and troubleshooting.

This ensures consistent security across all services, regardless of the underlying application stack.

Securing Access to Kubernetes Dashboard and kubectl

Distributing kubeconfigs or static tokens poses significant security risks. Pomerium offers a more secure alternative:

1. Single Sign-On (SSO)

Authenticate users through your existing identity provider without long-lived kubeconfigs or credential sharing.

2. Fine-Grained Access Controls

Enforce precise permissions using Pomerium’s policy engine and define access down to the user, group, or resource with context-aware policies.

3. Pomerium CLI & Secure Tunnels

Use the Pomerium CLI to establish secure, authenticated sessions to kubectl or internal Kubernetes services without exposing control plane endpoints. It supports short-lived access and audit visibility, and it integrates with existing workflows.

Pomerium helps reduce the attack surface and simplifies access management for administrators.

Why Pomerium For Secure Kubernetes Access

Pomerium operates as a reverse proxy, intercepting requests and enforcing access policies:

User Request

A user attempts to access a Kubernetes service.

Authentication

Pomerium redirects the user to the configured identity provider for authentication.

Authorization

Upon successful authentication, Pomerium evaluates every request against the defined policies.

Proxying

If authorized, the request is proxied to the target service; otherwise, access is denied.

This flow ensures that only authenticated and authorized users can access your Kubernetes resources.
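As an added illustration of the request flow above (example configuration, not taken from this page), a Pomerium route that fronts the Kubernetes API server: each request is authenticated against the identity provider and then evaluated against the route's policy before being proxied. The hostnames, identity provider, group name and secrets are placeholder assumptions; the option names follow Pomerium's documented route configuration.

```yaml
# Added example, not from the original page. Hostnames, group name and
# secrets are placeholders; option names follow Pomerium's route configuration.
authenticate_service_url: https://authenticate.example.com   # assumed hostname
idp_provider: okta                                           # assumed IdP
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

routes:
  # 1. User request: kubectl points at this hostname instead of the API server.
  - from: https://k8s.example.com
    # 4. Proxying: only authorized requests reach the in-cluster API server.
    to: https://kubernetes.default.svc
    # kubectl exec / port-forward rely on SPDY upgrades.
    allow_spdy: true
    # Pomerium calls the API server with this service account token (placeholder)
    # and impersonates the signed-in user, so cluster RBAC still applies to them.
    kubernetes_service_account_token: REPLACE_WITH_SA_TOKEN
    # 2. Authentication: unauthenticated users are redirected to the IdP above.
    # 3. Authorization: this policy is evaluated on every request, not only at login.
    policy:
      - allow:
          and:
            - domain:
                is: example.com            # only accounts from the corporate domain
            - groups:
                has: platform-engineering  # and only members of this IdP group
```

Because the policy is re-evaluated per request, removing a user from the platform-engineering group in the identity provider cuts off their kubectl access without rotating any kubeconfig or token.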

© 2025 Pomerium. All rights reserved