# Kubernetes
## Overview
KeeperPAM enabled zero-trust privileged session management for Kubernetes containers using Kubernetes' REST API. This guide shows how to configure Kubernetes connections on your PAM Machine Records in the Keeper Vault. Secure Kubernetes sessions are established from the Vault, through the Keeper Gateway, and directly to the target container.
## Prerequisites
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's [getting-started](https://docs.keeper.io/en/keeperpam/privileged-access-manager/connections/getting-started "mention") page.
The following PAM records are needed in order to successfully setup this protocol:
| PAM Record | Definition |
| --------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| [pam-configuration](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-configuration "mention") | The PAM Configuration contains information of your target infrastructure |
| [pam-machine](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-machine "mention") Record | The PAM Machine record contains information of the endpoint you want to establish a Kubernetes REST API connection to. |
| [pam-user](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-user "mention") Record | The PAM User record contains the user credentials that will be used to connect to the endpoint |
## PAM Settings - Configuring Kubernetes Protocol
### Accessing Connection Settings
After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
1. Editing the PAM Record
2. Clicking on "Set Up" in the PAM Settings section
3. Navigate to the "Connection" section in the prompted window
### Configuring Connection Settings
Prior to configuring the Kubernetes protocol settings on the PAM Settings screen, the following fields are all **required** and need to be configured:
| Field | Description |
|---|
| PAM Configuration | This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record. |
| Administrative Credential Record | This is the linked PAM User that will be used to authenticate to the target and perform administrative operations on it. |
The following table lists all the configurable connection settings for the Kubernetes protocol on the PAM Settings:
| Field | Definition |
| -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Protocol | Required
The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the Kubernetes protocol should be selected
|
| Enable Connection | Required
To enable connection for this record, this toggle needs to be enabled
|
| Graphical Session Recording | When enabled, graphical session recordings will be enabled for this record |
| Text Session Recording (Typescript) | When enabled, text session recordings (typescript) will be enabled for this record |
| Include Key Events | |
| Connection Port | The port used to establish the selected protocol connection. By default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port.
For Kubernetes, the port is 8080.
|
| Launch Credentials | When configured, these credentials will be used to authenticate the connection. More details [here](#connection-authentication-methods) |
| Allow users to select credentials from their vault | When enabled, allow users to use their own personal/private credentials to authenticate the connection. More details [here](#connection-authentication-methods) |
| Rotate launch credentials upon session termination | When enabled, the configured launch credentials will be automatically rotated when the session is closed |
| Namespace | The name of the Kubernetes namespace of the pod containing the container being attached to. If omitted, the namespace "default" will be used. |
| Pod Name | The name of the Kubernetes pod with the container being attached to. |
| Container Name | The name of the container to attach to. If omitted, the first container in the pod will be used. |
| Ignore Server Certificate | If checked, the validity of the SSL/TLS certificate used by the Kubernetes server will be ignored if it cannot be validated. By default, SSL/TLS certificates are validated. |
| Certificate Authority Certificate | The certificate of the certificate authority that signed the certificate of the Kubernetes server, in PEM format. If omitted, verification of the Kubernetes server certificate will use only [system-wide certificate authorities.](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-shared-system-certificates) |
| Client Certificate | The certificate to use if performing SSL/TLS client authentication to authenticate with the Kubernetes server, in PEM format. If omitted, SSL client authentication will not be performed. |
| Client Key | The key to use if performing SSL/TLS client authentication to authenticate with the Kubernetes server, in PEM format. If omitted, SSL client authentication will not be performed. |
| Color Scheme | The color scheme to use for the terminal emulator used by Kubernetes connections. Each color scheme dictates the default foreground and background color of the terminal. Programs which specify colors when printing text will override these defaults. |
| Font Size | The size of the font to use, in points. By default, the size of rendered text will be 12 point. |
| Maximum scrollback size | The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows. |
| Read-only | Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact. |
## Connection Authentication Methods
Keeper Connections can be authenticated using one of the following methods:
* [**Launch Credential**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/authentication-methods#launch-credential)\
The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.
* [**Personal/Private Credential**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/authentication-methods#personal-private-credentials)\
When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.
* [**Ephemeral Accounts**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/authentication-methods#ephemeral-account)\
When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for [Just-In-Time access](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/just-in-time-access-jit) with no persistent account on the target system.
## Session Recordings - Kubernetes Protocol
For this protocol, both graphical and the full, raw text text content of terminal sessions, including timing information, are recorded. For more information on recordings and how to access these recordings, visit this [page](https://docs.keeper.io/en/keeperpam/privileged-access-manager/session-recording-and-playback).
* Learn more about [Session Recording and Playback](https://docs.keeper.io/en/keeperpam/privileged-access-manager/session-recording-and-playback)
## Connection Template
The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:
{% content-ref url="../connection-templates" %}
[connection-templates](https://docs.keeper.io/en/keeperpam/privileged-access-manager/connections/connection-templates)
{% endcontent-ref %}