
Feature Request: Allow Running Contextual Commands (e.g., kubectl) or direct access to k8s

Open senolcolak opened this issue 1 month ago • 0 comments

The idea

Allow Warpgate to execute predefined shell commands immediately after user authentication. This would make it possible to integrate tools like kubectl or radosgw-admin in controlled environments, extending Warpgate’s use beyond plain SSH/database access. Or, basically, give users the opportunity to run k8s CLI commands directly.

Motivation

We use Warpgate as a bastion to manage access to various systems, including Rook-Ceph clusters running inside Kubernetes. We’d like to grant RBAC-based users the ability to connect via SSH and automatically gain access to the corresponding Kubernetes context, i.e., by loading a kubeconfig or executing a kubectl command.

Currently, this isn’t possible without giving users direct K8s access credentials outside of Warpgate.

Proposed Solution

Option 1: run-remote-command

Add a target- or role-based configuration option, such as run_after_login, that defines commands to execute after authentication but before opening the user’s shell.

Example:

[[targets]]
name = "rook-prod"
type = "ssh"
host = "bastion.example.com"
run_after_login = [
  "export KUBECONFIG=/etc/warpgate/configs/rook-prod.yaml",
  "kubectl get pods -n rook-ceph"
]
allowed_roles = ["rook-ops"]

- or -

Option 2: k8s-native-integration

Warpgate maintains a Kubernetes config and can:

  • Run kubectl commands directly (through internal execution or via a proxy SSH server)
  • Dynamically create ephemeral pods for session purposes (e.g., toolbox, diagnostic, i.e. ceph-tools pods)
  • Use existing Warpgate RBAC definitions to map access rights
  • Allow external YAML configuration for flexibility
  • Cache the kubectl binary and kubeconfig if no jump host is used
  • If a jump host is used, Warpgate only provides the configuration context
  • Optionally, query a KMS or secret management system for credentials

This would enable a seamless bridge between SSH bastion functionality and Kubernetes-native access, controlled through the same RBAC layer.

Benefits

  • Enables secure, role-based access to Kubernetes/Rook-Ceph environments.
  • This function can also be used for any other purpose by changing the kubectl commands.
  • Keeps credentials centralized within Warpgate.
  • Maintains an agentless, non-k8s solution.

Security

  • Commands should run under a restricted user context and be included in session logs for full auditability.

senolcolak, Oct 30 '25 10:10