惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hugging Face - Blog
Hugging Face - Blog
C
Cybersecurity and Infrastructure Security Agency CISA
G
Google Developers Blog
The Cloudflare Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
The GitHub Blog
The GitHub Blog
TaoSecurity Blog
TaoSecurity Blog
V
Visual Studio Blog
D
DataBreaches.Net
人人都是产品经理
人人都是产品经理
博客园 - Franky
S
Security @ Cisco Blogs
Hacker News - Newest:
Hacker News - Newest: "LLM"
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
C
Cyber Attacks, Cyber Crime and Cyber Security
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
H
Hackread – Cybersecurity News, Data Breaches, AI and More
腾讯CDC
T
Troy Hunt's Blog
B
Blog RSS Feed
A
About on SuperTechFans
IT之家
IT之家
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
J
Java Code Geeks
S
Securelist
T
Threatpost
SecWiki News
SecWiki News
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Y
Y Combinator Blog
Blog — PlanetScale
Blog — PlanetScale
aimingoo的专栏
aimingoo的专栏
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Forbes - Security
Forbes - Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
D
Docker
N
News and Events Feed by Topic
Schneier on Security
Schneier on Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
月光博客
月光博客
C
CXSECURITY Database RSS Feed - CXSecurity.com
罗磊的独立博客
H
Hacker News: Front Page
N
News and Events Feed by Topic
N
Netflix TechBlog - Medium
AWS News Blog
AWS News Blog
P
Privacy International News Feed
Scott Helme
Scott Helme
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
V
Vulnerabilities – Threatpost
The Register - Security
The Register - Security

NetBird - Networking Knowledge Hub - RSS Feed

NetBird Is Now on the Vultr Marketplace Native NetBird on the GL.iNet Comet Pro (GL-RM10) NetBird v0.71 - IPv6 Overlay Addressing NetBird Exit Nodes - Appear at Home, or Anywhere Else Reporting Bugs and Requesting Features in NetBird Setup and Use Local AdGuard Home Anywhere with NetBird DNS How to Set Up NetBird on PiKVM for Secure Remote KVM Access NetBird v0.69 - CrowdSec IP Reputation for the Reverse Proxy Cloudflare Mesh vs NetBird vs Tailscale: Performance Compared Self-Hosting Nextcloud with Docker and NetBird Implementing Zero Trust with NetBird NetBird v0.67 - Layer 4 Proxy Support for TCP, UDP, and TLS Solwr Enhances Remote Connectivity with NetBird Self-Hosting NetBird with Authentik Jellyfin Media Server - Self-Host Your Movies, TV, and Music Cloudflare Tunnels vs. NetBird Reverse Proxy INFITX Builds Zero-Touch Kubernetes Networking with NetBird NetBird v0.66 - Expose Local Services to the Internet from the CLI Pangolin vs. NetBird Home Assistant Setup Guide with EASY Remote Access NetBird v0.65 - Built-in Reverse Proxy with Custom Domains Docker for Beginners - Everything You Need to Get Started NetBird for SOC 2 Compliance NetBird v0.63 - Custom DNS Zones for Private Network Resolution Vibecode This in a Weekend and Take 5% of the Company NetBird v0.62 - Built-in Local Users with Optional IdP Integration NetBird v0.61.0 - Granular SSH Access Control and Automatic Updates Top 5 Alternatives to OpenVPN Top 5 Open Source Alternatives to Tailscale Top 5 Alternatives to ZeroTier How to Set Up ZeroByte and REST Server for Backups with NetBird How to Install n8n v2.0 with NPM and PM2 ZeroTier vs. NetBird The Ultimate Immich Guide - Ditch Google and Amazon Photos for Good NetBird as Your Help with ISO 27001 Compliance NetBird and Huntress - Secure Network Access for MSPs How to Access Windows Shares from Anywhere with NetBird netgo Relies on Modern ZTNA with NetBird Connect to Your Homelab from Anywhere with a Raspberry Pi NetBird SSH - A New, Identity-Aware Approach The AI Mega Mesh: How to Connect 30+ GPU Cloud Providers Connect Multiple Ollama GPUs to OpenWebUI with NetBird Top 5 Tailscale Alternatives SSH and RDP, now in your browser NetBird–Acronis Integration: Empowering MSPs for Advanced Ransomware and Threat Defense Introducing the Control Center - Remote Access, Beautifully Visualized NetBird at MSP Global 2025 Understanding Overlay Networks - The Basics NetBird and SentinelOne Singularity™ - Automate Threat Response NetBird and Microsoft Intune - Enforcing Device Compliance for Zero Trust Rethinking Zero Trust Security with NetBird and pfSense Improving Unidirectional Access Control Proxmox VE for Beginners Guide with NetBird LXC Stronger Security: NetBird + GitHub Secure Open Source Fund NetBird's MSP Partner Program Signicat Enhances Cross-Cloud Accessibility with NetBird SonicWall SSL VPN NetExtender vs. NetBird NetBird Is Embracing the AGPLv3 License NetBird Profiles Have Landed - Manage Multiple Accounts Effortlessly Rethinking Access Control to Secure Your On-Premises SharePoint Servers Sport Alliance Increases Efficiency with Zero Trust Networking at Scale Rethinking Network Access: qwertiko Goes Zero Trust with NetBird Optimizing Network Efficiency with NetBird's Lazy Connections Use Port Ranges in Access Control Policies Generic HTTP Endpoint for Network Events Streaming NetBird’s Response to Spear-Phishing Campaign Targeting Financial Executives Zero-Trust Access to Internal Resources Without Installing Agents Enhance Network Visibility with NetBird’s Traffic Events Logging TrueNAS Made Easy - Install, Set Up, and Access From Anywhere Top 5 Alternatives for WireGuard Jump Hosts. Gateways for Remote Access NetBird Network Routes and Exit Nodes Security for All - SSO and MFA for Free Enhancing Network Access Control with NetBird's Identity Provider Feature Twingate vs. NetBird Limit Network Access Based on Running Applications FortiClient ZTNA vs. NetBird OpenVPN vs. NetBird Tailscale vs. NetBird Getting Started with an Azure Site-to-Site VPN Getting Started with an On-premise-to-AWS Site-to-Site VPN Secure Remote Access to VPCs, LANs, and Offices regreSSHion - A New OpenSSH Server Remote Code Execution Vulnerability Evolve Bank & Trust Data Breach. What Happened? What Is a Site-to-Site VPN? IPSec Tunneling Demystified. Enhancing Data Security Across Networks Understanding IPSec Tunnel and Transport Modes Understanding the Differences Between IKEv1 and IKEv2 Understanding the IKEv1 Protocol in IPSec ZeroTier versus NetBird - Which Should You Choose? AWS Lambda Serverless Security. Mistakes, Oversights, and Potential Vulnerabilities Serverless Security Vulnerabilities and Best Practices to Mitigate Them Security Best Practices for Serverless Azure Functions A Guide to Remote Access Security for SMEs IoT Security Essentials. How to Achieve Secure Remote Access Open Source Zero Trust Networking Using SSH for Secure Remote Access How We Integrated Rosenpass in NetBird The First Quantum-Resistant Mesh VPN Using eBPF and XDP to Share Default DNS Port Between Multiple Resolvers
Using NetBird for Kubernetes Access
Written byKumar Harsh · 2024-04-29 · via NetBird - Networking Knowledge Hub - RSS Feed

Securing access to your Kubernetes clusters is crucial as inadequate security measures can lead to unauthorized access and potential data breaches. However, navigating the complexities of Kubernetes access security, especially when setting up strong authentication, authorization, and network policies, can be challenging.

NetBird simplifies Kubernetes access with its zero-configuration approach, leveraging WireGuard's simplicity and strength. It seamlessly integrates with various tools, offering transparency and high reliability as an open source solution.

In this article, you'll learn how to set up the NetBird CLI to ensure a secure connection to a Kubernetes cluster on the Google Cloud Platform (GCP) , complete with a fail-safe route for uninterrupted access.

Using NetBird for Kubernetes Access

In this tutorial, you'll follow these steps to enable secure access to your Kubernetes cluster using NetBird:

  • Set up a NetBird agent on your local machine.
  • Create NetBird setup keys to be used in the Kubernetes cluster.
  • Set up a remote Kubernetes cluster. For this tutorial, Google Kubernetes Engine (GKE) was chosen; however, feel free to use any remote Kubernetes cluster.
  • Deploy the setup key in the remote Kubernetes cluster.
  • Configure a highly available (HA) network route in NetBird for uninterrupted access to the Kubernetes cluster.
  • Test secure access from the local client to the remote Kubernetes cluster.

Please note that to follow this tutorial, you need and command line tools installed and properly configured on your local machine.

With the procedure outlined, let's get started.

Set Up the NetBird Agent

If you haven't already, sign up for a free NetBird account . After confirming your email, you'll receive a message with instructions on how to install the NetBird agent on your local machine. This agent includes NetBird's CLI, which is used to control it.

NetBird client setup instructions

Follow the instructions for your operating system and finish by authorizing the NetBird app to access the NetBird dashboard using the command :

Authorize the NetBird app

You should see your local machine in the Peers dashboard, which means that it's now connected to the NetBird peer-to-peer (P2P) network:

Peers: local machine

Create Setup Keys

Now that you're connected to the network, it's time to add a Kubernetes cluster to this network. To do that, you need to create a setup key that your Kubernetes cluster can use to authenticate with NetBird.

Click on the Setup Keys tab on the left-hand side of your screen and then click on the Create Setup Key button:

Creating a setup key

A pop-up window opens where you can name the key, set the maximum number of peers that can use it, and determine its expiration date. Additionally, you can also select auto-assigned groups . With this option, any peer that registers with the key will be automatically added to these groups, meaning that the access control rules set for these groups will automatically apply to them. Set it to , it will help you to avoid adding each peer to the group manually later in the tutorial.

You'll also see two toggle switches there: one for making the key reusable and another to mark a peer as ephemeral . Reusable setup keys are useful when there is no human behind a machine that can use SSO and MFA, e.g., to associate servers with a NetBird account , so they can authenticate to the network automatically. On the other hand, ephemeral keys automatically remove machines from NetBird if they are offline for more than 10 minutes. This feature helps prevent offline machines from cluttering the NetBird peer dashboard, such as when a Kubernetes pod gets replaced by a new one.

The following screenshot shows the creation of an ephemeral key:

Ephemeral setup key

Likewise, this screenshot shows how to create a reusable key:

Reusable setup key

Given the reasons mentioned earlier, using ephemeral keys for this tutorial is recommended. This is because Kubernetes might restart services, causing machines to go offline.

Set Up a Remote Kubernetes Cluster

To ensure a highly available network route with NetBird, there are some considerations to keep in mind when deploying the GKE cluster:

  • You should create, at a bare minimum, a regional cluster or a multizonal cluster with nodes distributed across multiple zones within a region to ensure that the cluster is resilient to zonal failures.
  • You need to deploy at least three nodes to ensure high availability.
  • You are highly recommended to enable cluster autoscaling to ensure that there are always at least three nodes running.

You can use the Google Cloud console UI to set up a Kubernetes cluster like the one described earlier, or you can adapt this command to fit your needs:


Replace with the ID of your project. Additionally, replace the region and the zones , , and according to your preferences.

If you want to create a cluster with a specific version, use the flag to match the latest available version in your region.

Pay attention to the instance type configuration. In this case, guarantees NetBird has sufficient CPU and memory resources. is set to since it deploys one node per zone (three nodes in total), and the flag is set to allow a maximum of two nodes per zone or a maximum of six nodes in total.

Once the cluster is deployed, log in to the Google Cloud console and check that everything is working as expected (cluster status is and status of the nodes' is ):

GKE cluster in the Google Cloud console

You can also verify the nodes using from your local machine:


With the GKE cluster up and running, it's time to add the NetBird ephemeral key.

Add the NetBird Ephemeral Setup Key to the Kubernetes Cluster

To register your Kubernetes cluster to the NetBird secure P2P network, create a YAML file on your local machine called and paste the following content in it:


Let's break down the key arguments of this deployment:

  • ensures that at least one replica is deployed per node and is necessary to secure HA.
  • uses the latest available image. For production, it's best practice to use a specific version to avoid conflicts during updates.
  • The parameter ensures that NetBird has a minimum guaranteed amount of resources to run properly. It's best practice to assign requests and/or limits to any app or service running on your cluster, which includes the NetBird client.
  • is required since, generally, modifying the routing table requires permissions.

Remember to replace with the previously created ephemeral setup key. Once you're ready, add the ephemeral key to the cluster by running the following command:


You can check the status of the deployment using :


At this point, if you go to the NetBird Peers tab, you should see the GKE nodes:

GKE Peers view

With your local machine and GKE nodes now part of the NetBird P2P network, you're ready to establish a secure HA network route for communication.

Set Up an HA Network Route in NetBird

Simply having all GKE nodes on the same peer-to-peer network doesn't guarantee accessibility. For instance, if you attempt to ping a node, you'll receive a "request timeout…" message. This happens because you need to set up a network route and define an access policy before you can connect to the nodes.

To facilitate the process of creating network routes and access policies , NetBird lets you create peer groups. Do you remember that you created and assigned the group to the GKE nodes when you created the ephemeral key? If you haven't done this then, you can create and assign the group manually to the peers now.

To do so, click on the first GKE node in the Peers view. This takes you to a screen with the peer details. On the right side, you should see Assigned Groups:

Assigned Groups

Start typing a name (ie ) to create a new group. After you've entered the name, click Save Changes to apply the new configuration:

Create a new group

Repeat the procedure for the remaining two GKE nodes; remember to choose the same group and save the changes.

Once finished, hover the mouse pointer over the GROUPS column on any of the nodes to verify that they belong to the desired group:

Peers added to a group

Similarly, to simplify setting a route, you can assign a group to your local machine, such as :

Local machine group

With the peer groups ready, it's time to move to the Network Routes tab, which you can find on the left-hand side of your screen:

Network routes

Before setting up your first network route, you need to determine which network you wish to connect with. For instance, if you want to access pods and services in your Kubernetes cluster, you'll need the GKE cluster Pod IPv4 and IPv4 service ranges. To find these, navigate to the Networking section in the Google Cloud console:

Google console Networking

Click on the Add Route button, and a pop-up opens, allowing you to create a new route.

Input the Network Range, then click on Peer Group and choose gke-cluster (or the group you've established for your nodes). Under Distribution Groups, pick the group you just created to make this route known to your local machine:

Create network route

In the Name & Description tab, provide a name (network identifier) for the route and click Add Route to finalize its creation:

Naming a network route

Following is an example of two networks: one for the GKE pods and another for the GKE services. Note that the HIGH AVAILABILITY column shows 3 Peer(s) in green to indicate that it is a highly available route:

Network routes view

While these routes create a link between your local machine and the GKE cluster, you still need one more component to enable communication: an access control policy (ACP).

Set Up an Access Control Policy to Access Your Kubernetes Cluster

To create an ACP, go to Access Control > Policies and click on Add Policy. A pop-up appears where you can define a new ACP. Select the group as Source and the group as Destination. This allows bidirectional communication between both peers:

New ACP

Configuring security posture checks is beyond the scope of this guide, but in a nutshell, the Posture Checks tab lets you enhance access control by blocking peers that fail to meet certain conditions, such as client version, country of origin, and operating system. If you are interested in this and other Zero Trust Security features, check the Open-Source Zero Trust Networking Guide .

To create the new policy, go to the Name & Description tab and enter an appropriate name for the rule (eg Local to GKE):

Name new ACP

To finish setting up the new ACP, select Add Policy.

The following are two example policies: Local to GKE and the NetBird Default policy. In this example, the default policy has been turned off, so there's only Local to GKE active:

ACP view

Congratulations! You just configured secure access to Kubernetes using NetBird P2P. To check the connection, navigate to the Peers tab and take note of the IP address or domain assigned by NetBird to any of the nodes.

The following image shows the response when pinging one of the GKE nodes:


Conclusion

In this tutorial, you installed the NetBird CLI, configured a Kubernetes cluster on GCP, integrated a NetBird ephemeral key, created a high-availability route, and set an access control policy for secure local access.

Take your network management to the next level—explore more features and enhance your setup with the NetBird cutting-edge peer-to-peer network .