Hardening access to kubectl

Hi all, could you recommend a solution for hardening access to kubectl (k8s API)? I am trying to configure a Cloudflare Zero Trust tunnel and it is not the easiest path to take. I mean something VPN-like… Thanks!

Maybe a firewall with a whitelist will do?

And you could have some SSH access to a remote server somewhere, whose IP will be whitelisted.

You mean connecting through a bastion host?

There you will have more control

And have audit history logs

Port-forwarding can be configured for GUI use

And I can suggest another security method

It is old, but still good, it is called port-knocking

You can check this https://kilo.squat.ai/docs/kgctl

Should be working on top of WireGuard VPN

But I can be wrong, you need to research it yourself

Scaleway provider is using kilo as a base in their Kubernetes Kosmos product.