☸️ Kubernetes

Installing P0 on a Kubernetes cluster takes about 15 minutes.

Before you begin

  • Choose a Kubernetes cluster to install P0 on. If you have multiple clusters, repeat the installation steps for each one.

  • Make sure the Kubernetes cluster is allowed to pull images from Docker Hub. You can verify this by deploying the nginx image from Docker Hub and waiting for the pod to become ready. If the wait times out, inspect the pod's events for an image pull error before deleting it.

kubectl run nginx --image=nginx --labels="app.kubernetes.io/name=docker-accessibility-test" --restart=Never
kubectl wait --for=condition=ready pod -l "app.kubernetes.io/name=docker-accessibility-test" --timeout=30s
kubectl delete pod nginx
  • cluster-admin access to Kubernetes. If you are not a cluster admin, make sure you can create a namespace, service, deployment, service account, secret, and validating webhook configuration. The permission boundary step below also creates a cluster role bound to the P0 service account, so you need to be able to create ClusterRoles and ClusterRoleBindings as well. You can verify with the following commands prior to install (the namespaced checks are evaluated in your current kubeconfig namespace; add --all-namespaces to check cluster-wide):

kubectl auth can-i create namespaces
kubectl auth can-i create services
kubectl auth can-i create deployments
kubectl auth can-i create serviceaccounts
kubectl auth can-i create secrets
kubectl auth can-i create validatingwebhookconfigurations
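The checks above can be run as one script. The following is an added example, not part of the P0 docs or tooling: it wraps kubectl auth can-i, evaluates namespaced resources cluster-wide with --all-namespaces, parses the printed answer rather than trusting the exit code (a broken kubeconfig also exits 1), and adds ClusterRoles and ClusterRoleBindings, which the permission boundary step needs for p0-service-role. The exact list of objects the installer creates is an assumption drawn from the description below.

```python
"""Pre-flight permission check for a P0 Kubernetes install.

Added example (not P0's tooling). Wraps `kubectl auth can-i` so the checks
run as one command; exits 1 listing any missing create permission.
"""
import subprocess
import sys

# (resource, namespaced?) pairs the install creates. ASSUMPTION: the cluster
# RBAC objects are inferred from the permission boundary description
# (p0-service-role is a cluster role bound to p0-service-account).
REQUIRED = [
    ("namespaces", False),
    ("services", True),
    ("deployments", True),
    ("serviceaccounts", True),
    ("secrets", True),
    ("validatingwebhookconfigurations", False),
    ("clusterroles", False),
    ("clusterrolebindings", False),
]


def run_kubectl(args):
    """Run kubectl with `args`; return (exit code, stdout). Swapped out in tests."""
    proc = subprocess.run(["kubectl", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def can_i(verb, resource, namespaced, run=run_kubectl):
    """True iff `kubectl auth can-i <verb> <resource>` answers yes.

    kubectl exits 0 for "yes" and 1 for "no", but a broken kubeconfig also
    exits 1, so the printed answer is parsed instead of trusting the exit code.
    kubectl prints "no - <reason>" when the API server supplies a reason."""
    args = ["auth", "can-i", verb, resource]
    if namespaced:
        # Otherwise the answer applies only to the current kubeconfig namespace.
        args.append("--all-namespaces")
    code, out = run(args)
    answer = out.strip().lower()
    if answer.startswith("yes"):
        return True
    if answer.startswith("no"):
        return False
    raise RuntimeError(f"unexpected output for {resource!r}: {out!r} (exit {code})")


def missing_permissions(run=run_kubectl):
    """Resources from REQUIRED that the current identity cannot create."""
    return [res for res, ns in REQUIRED if not can_i("create", res, ns, run)]


def main():
    try:
        missing = missing_permissions()
    except (FileNotFoundError, RuntimeError) as exc:
        print(f"pre-flight could not run: {exc}", file=sys.stderr)
        return 2
    if missing:
        print("missing create permission for: " + ", ".join(missing))
        return 1
    print("all required create permissions are present")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the kubeconfig context that you will use for the install; a non-zero exit tells you which permission to request before continuing.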

Setting up Kubernetes

The setup has three steps:

  1. Kubernetes client configuration

  2. Connectivity configuration - skip if the cluster has a public endpoint

  3. Permission boundary

Client configuration

Navigate to "Integrations" on p0.app, then select "Kubernetes".

"User provisioning" tells P0 how to add users in the cluster.

  1. If your cluster authenticates users through OIDC, Azure AD, GKE, or any other method that verifies the user's email address, and that address matches the user's Slack email, select the "Default (Slack)" option.

  2. If you are installing on an EKS cluster, P0 needs to look up user ARNs to create a mapping in the aws-auth ConfigMap. Select one of the AWS accounts you have already configured with P0; see the AWS integration docs for how to add one.

"Cluster ID" is the identifier you choose for the cluster. It must be unique and is displayed in access requests, so pick a name from which approvers can tell which cluster is being requested.

"Server address" is the Kubernetes API server endpoint: the private endpoint for private clusters, and the public endpoint for clusters that P0 can reach over the public internet.

"Certificate authority" is the certificate authority of the Kubernetes cluster that P0 (or the proxy, see below) must trust to communicate with the API server over TLS. Enter the value either as raw PEM or as base64-encoded PEM, which is the form found in the certificate-authority-data field of a kubeconfig.

Click "Go to next step" to validate inputs and proceed to the next step.
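Before submitting the form it is worth confirming that the CA value is in one of the two accepted forms and that it actually signs the endpoint you entered. The script below is an added example, not P0's code: normalize_ca() accepts raw PEM or base64-encoded PEM (including the common slip of encoding certificate-authority-data a second time) and returns raw PEM, and probe_api_server() opens a TLS connection to the server address trusting only that CA, which is the trust relationship P0 or the proxy will rely on. The file name and the command-line usage are my own.

```python
"""Sanity-check the "Server address" and "Certificate authority" inputs.

Added example (not P0's code). normalize_ca() accepts the CA as raw PEM or as
base64-encoded PEM (the certificate-authority-data form) and returns raw PEM;
probe_api_server() then opens a TLS connection to the server address trusting
only that CA. No network call happens at import time.
"""
import base64
import binascii
import socket
import ssl
import sys
from urllib.parse import urlparse

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_blocks(text):
    """Extract every certificate block in `text`, checking that each body is
    valid base64 and decodes to a DER SEQUENCE (0x30); a CA bundle may hold
    several. Raises ValueError on a truncated or corrupt block."""
    blocks, rest = [], text
    while PEM_BEGIN in rest:
        start = rest.index(PEM_BEGIN)
        end = rest.index(PEM_END, start) + len(PEM_END)  # ValueError if missing
        block = rest[start:end]
        body = "".join(block[len(PEM_BEGIN):-len(PEM_END)].split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("certificate body is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError("certificate body does not decode to DER")
        blocks.append(block)
        rest = rest[end:]
    return blocks


def normalize_ca(value):
    """Return the CA as raw PEM text, whatever form it was pasted in.

    Handles raw PEM, base64(PEM) and base64(base64(PEM)), the last being a
    common slip when certificate-authority-data is encoded a second time."""
    text = value.strip()
    for _ in range(3):
        if PEM_BEGIN in text:
            return "\n".join(pem_blocks(text)) + "\n"
        try:
            text = base64.b64decode("".join(text.split()), validate=True).decode("ascii").strip()
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("value is neither PEM nor base64-encoded PEM") from exc
    raise ValueError("no certificate block found after decoding")


def probe_api_server(server_address, ca_pem, timeout=5.0):
    """TLS handshake with the API server, trusting only ca_pem; returns the
    server certificate's subject CN. ssl.SSLCertVerificationError means the CA
    entered does not sign the endpoint entered (or the hostname does not match)."""
    url = urlparse(server_address)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("server address must be an https:// URL")
    ctx = ssl.create_default_context(cadata=ca_pem)  # system CAs are not loaded
    with socket.create_connection((url.hostname, url.port or 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=url.hostname) as tls:
            cert = tls.getpeercert()
    subject = dict(rdn[0] for rdn in cert["subject"])
    return subject.get("commonName", "")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_client_config.py <server-address> <ca-file>")
    with open(sys.argv[2]) as f:
        pem = normalize_ca(f.read())
    print(f"CA ok: {pem.count(PEM_BEGIN)} certificate(s)")
    print("API server certificate CN:", probe_api_server(sys.argv[1], pem))
```

For a private cluster, run the probe from the host where the proxy will live, since that is the network position from which the "Server address" must resolve and be reachable.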

Connectivity configuration

Skip this step if the cluster has a public endpoint

P0 uses its reverse proxy, braekhus, to connect to clusters that are not reachable over the public internet.

The deployment location of the proxy must satisfy the following two conditions:

  1. The proxy needs outbound (egress-only) access to P0 over the public internet: it opens a WebSocket tunnel to P0, so it can sit behind a firewall that blocks inbound connections but allows outbound ones.

  2. The proxy needs network access to the Kubernetes API server. P0 sends requests over the WebSocket tunnel to the proxy, which forwards them to the cluster using the "Server address" and "Certificate authority" entered in the previous "Client configuration" step.

P0 provides the following out-of-the-box options for deployment location:

  • VMs: run the proxy directly inside a virtual machine. The cluster should be reachable from this VM at the "Server address" provided in the previous step.

  • AWS Fargate: run the proxy as an ECS Service that is deployed in the same VPC as the Kubernetes cluster. Make sure that the security group rules allow the ECS Service to call the "Server address" provided in the previous step.

The proxy authenticates to P0 cloud services with a key pair expressed as a JSON Web Key (JWK); only the public key is shared with P0. Provide the public key generated by the proxy and click "Go to next step".

For other deployment options ask in the P0 Community Slack.

Permission boundary

This step creates the Kubernetes objects that allow P0 to grant access to users:

  • p0-service-account and p0-service-account-secret. The secret holds a long-lived token that P0 uses to authenticate to the cluster; treat it as a credential carrying the permissions of p0-service-role.

  • p0-service-role, a cluster role bound to the service account above. It allows:

    • Listing resources, to support typeahead when users make requests. To control which resources can be requested, check the Request Routing rules.

    • Creating and deleting Roles and RoleBindings at cluster and namespace level, to provision and de-provision access.

  • p0-admission-controller service, deployment, and validating webhook configuration implement the permission boundary security feature. Because p0-service-role can create Roles and RoleBindings, the boundary is what stops the P0 service account from escalating its own permissions, that is, from granting itself access it does not already hold. The application code is in the p0-k8s-admission-controller GitHub repository.

Run the command shown on the page and paste the generated service account secret into the form. When you click "Go to next step", P0 verifies that the installation is correct.
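To make the permission boundary concrete, here is an added example of the kind of policy a validating webhook can enforce on AdmissionReview requests. It is an illustration written for this page, not the code in p0-k8s-admission-controller, whose actual rules are not reproduced here. Assumptions: the service account lives in a namespace named p0, and BOUNDARY (the widest permissions P0 may hand out) and the sample requests are constructed for the example. Two things are checked: a Role or ClusterRole created by the P0 service account may not contain rules beyond the boundary, and a binding created by it may not have the service account itself among its subjects, directly or through one of its groups.

```python
"""Illustrative permission-boundary policy for the P0 service account.

Added example, NOT the code from p0-k8s-admission-controller (this page does
not reproduce its rules). It evaluates a Kubernetes AdmissionReview v1
request and decides whether an RBAC object created or updated by the P0
service account stays within a boundary. ASSUMPTIONS: the service account
lives in the `p0` namespace; BOUNDARY is constructed for this example.
"""
import json

P0_NS, P0_SA_NAME = "p0", "p0-service-account"      # namespace is an assumption
P0_SA = f"system:serviceaccount:{P0_NS}:{P0_SA_NAME}"
# Groups every service account in that namespace is a member of.
P0_GROUPS = {"system:serviceaccounts", f"system:serviceaccounts:{P0_NS}", "system:authenticated"}
RBAC_KINDS = {"Role", "ClusterRole", "RoleBinding", "ClusterRoleBinding"}

# Constructed boundary: the most P0 may grant to a user it provisions.
BOUNDARY = [
    {"apiGroups": ["", "apps"], "resources": ["pods", "pods/log", "deployments", "services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]


def _covers(b, group, resource, verb):
    return (("*" in b["apiGroups"] or group in b["apiGroups"])
            and ("*" in b["resources"] or resource in b["resources"])
            and ("*" in b["verbs"] or verb in b["verbs"]))


def rule_within_boundary(rule):
    """Every (apiGroup, resource, verb) triple must be covered by a boundary rule.
    A wildcard in the request is only covered by a wildcard in the boundary, and
    non-resource URL rules are never covered."""
    if rule.get("nonResourceURLs"):
        return False
    for group in rule.get("apiGroups", [""]):
        for resource in rule.get("resources", []):
            for verb in rule.get("verbs", []):
                if not any(_covers(b, group, resource, verb) for b in BOUNDARY):
                    return False
    return True


def self_grant(binding):
    """True if the binding's subjects include the P0 service account itself,
    directly or via one of its groups (binding system:authenticated to a role
    grants it to the service account too)."""
    for s in binding.get("subjects", []):
        kind, name = s.get("kind"), s.get("name")
        if kind == "ServiceAccount" and name == P0_SA_NAME and s.get("namespace") == P0_NS:
            return True
        if kind == "User" and name == P0_SA:
            return True
        if kind == "Group" and name in P0_GROUPS:
            return True
    return False


def review(admission_review):
    """Return the AdmissionReview response. Requests by anyone other than the
    P0 service account, and non-RBAC objects, are allowed untouched."""
    req = admission_review["request"]
    obj = req.get("object") or {}
    kind = req["kind"]["kind"]
    allowed, reason = True, ""
    if (req["userInfo"]["username"] == P0_SA and kind in RBAC_KINDS
            and req["operation"] in ("CREATE", "UPDATE")):
        if kind in ("Role", "ClusterRole"):
            bad = [r for r in obj.get("rules", []) if not rule_within_boundary(r)]
            if bad:
                allowed, reason = False, f"{kind} has rules outside the P0 boundary: {bad}"
        elif self_grant(obj):
            ref = obj.get("roleRef", {}).get("name", "?")
            allowed, reason = False, f"{kind} would bind the P0 service account to {ref}"
    resp = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        resp["status"] = {"code": 403, "message": reason}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def sample_request(kind, obj, operation="CREATE", username=P0_SA):
    """Constructed AdmissionReview request (not captured from a real cluster)."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "0000-example", "operation": operation,
                        "kind": {"group": "rbac.authorization.k8s.io", "version": "v1", "kind": kind},
                        "userInfo": {"username": username, "groups": sorted(P0_GROUPS)},
                        "object": obj}}


if __name__ == "__main__":
    escalation = {"kind": "ClusterRoleBinding",
                  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                  "subjects": [{"kind": "ServiceAccount", "name": P0_SA_NAME, "namespace": P0_NS}]}
    print(json.dumps(review(sample_request("ClusterRoleBinding", escalation)), indent=2))
```

Whatever the concrete rules, a boundary of this kind only holds if the account it constrains cannot switch it off: the ValidatingWebhookConfiguration should fail closed (failurePolicy: Fail), and the constrained service account must not be able to modify the webhook configuration or the admission controller's own deployment.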

Congrats! You're now set up with P0 on Kubernetes.
