Feature Request: Allow Running Contextual Commands (e.g., kubectl) or direct access to k8s #1551

@senolcolak

Description

The idea

Allow Warpgate to execute predefined shell commands immediately after user authentication.
This would make it possible to integrate tools like kubectl or radosgw-admin in controlled environments, extending Warpgate's use beyond plain SSH/database access, or basically give users the opportunity to run direct k8s CLI commands.

Motivation

We use Warpgate as a bastion to manage access to various systems, including Rook-Ceph clusters running inside Kubernetes.
We'd like to grant RBAC-based users the ability to connect via SSH and automatically gain access to the corresponding Kubernetes context, i.e. by loading a kubeconfig or executing a kubectl command.

Currently, this isn’t possible without giving users direct K8s access credentials outside of Warpgate.

Proposed Solution

Option 1: run-remote-command

Add a target- or role-based configuration option such as run_after_login that defines commands to execute after authentication but before opening the user's shell.

Example:

```toml
[[targets]]
name = "rook-prod"
type = "ssh"
host = "bastion.example.com"
run_after_login = [
  "export KUBECONFIG=/etc/warpgate/configs/rook-prod.yaml",
  "kubectl get pods -n rook-ceph"
]
allowed_roles = ["rook-ops"]
```

- or -

Option 2: k8s-native-integration

Warpgate maintains a Kubernetes config and can:

  • Run kubectl commands directly (through internal execution or via a proxy SSH server)
  • Dynamically create ephemeral pods for session purposes (e.g. toolbox or diagnostic pods such as ceph-tools)
  • Use existing Warpgate RBAC definitions to map access rights
  • Allow external YAML configuration for flexibility
  • Cache the kubectl binary and kubeconfig if no jump host is used
  • If a jump host is used, Warpgate only provides the configuration context
  • Optionally, query a KMS or secret management system for credentials

This would enable a seamless bridge between SSH bastion functionality and Kubernetes-native access, controlled through the same RBAC layer.

Benefits

  • Enables secure, role-based access to Kubernetes/Rook-Ceph environments.
  • This function can also be used for any other purpose by changing the kubectl commands.
  • Keeps credentials centralized within Warpgate.
  • Maintains an agentless, non-k8s solution.

Security

  • Commands should run under a restricted user context and be included in session logs for full auditability.
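As an added illustration (not Warpgate's code and not part of the original issue), the following hypothetical Python model shows how a `run_after_login` list like the one in Option 1 could be handled while honouring the two points in the Security section: the user's roles are checked against `allowed_roles` before anything runs, `export VAR=value` lines are captured as environment entries rather than handed to a shell, every other line is split into an argv vector so the configured string is never re-parsed by `/bin/sh`, and each step is written to a session log. The `TARGETS` dict mirrors the TOML from the proposal; the names `plan_hooks`, `audit`, `run_hooks` and the `run_as` parameter are invented for this example.

```python
"""Hypothetical model of a `run_after_login` hook for a bastion target.

Illustrative code written for this thread, not Warpgate's implementation.
"""
import datetime
import os
import shlex
import subprocess

# Constructed sample: the [[targets]] entry from the proposal, as a dict.
TARGETS = {
    "rook-prod": {
        "type": "ssh",
        "host": "bastion.example.com",
        "run_after_login": [
            "export KUBECONFIG=/etc/warpgate/configs/rook-prod.yaml",
            "kubectl get pods -n rook-ceph",
        ],
        "allowed_roles": ["rook-ops"],
    }
}

SESSION_LOG = []  # audit records, one per hook step (in-memory for the demo)


def audit(username, target_name, action, detail):
    """Append one auditable record for a hook step or an authorization decision."""
    SESSION_LOG.append({
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "user": username,
        "target": target_name,
        "action": action,
        "detail": detail,
    })


def authorized(user_roles, target):
    """RBAC check: the user needs at least one of the target's allowed_roles."""
    return bool(set(user_roles) & set(target.get("allowed_roles", [])))


def plan_hooks(username, user_roles, target_name):
    """Turn run_after_login into {"env": ..., "commands": [argv, ...]}.

    `export VAR=value` becomes an environment entry applied to later commands;
    any other line is split with shlex into argv so no shell re-parses it.
    Returns None (and logs a denial) if the user is not allowed on the target.
    """
    target = TARGETS[target_name]
    if not authorized(user_roles, target):
        audit(username, target_name, "denied", None)
        return None
    env, argvs = {}, []
    for line in target.get("run_after_login", []):
        parts = shlex.split(line)
        if parts[:1] == ["export"] and len(parts) == 2 and "=" in parts[1]:
            key, _, value = parts[1].partition("=")
            env[key] = value
            audit(username, target_name, "setenv", f"{key}={value}")
        else:
            argvs.append(parts)
            audit(username, target_name, "exec", parts)
    return {"env": env, "commands": argvs}


def run_hooks(plan, run_as=None, base_env=None):
    """Execute a plan with shell=False, merging the captured env.

    `run_as` (hypothetical) is passed to subprocess.run(user=...) to drop to a
    restricted account (POSIX, Python 3.9+). Not called in the demo below,
    since kubectl is not assumed to exist on the machine running this file.
    """
    env = dict(os.environ if base_env is None else base_env)
    env.update(plan["env"])
    for argv in plan["commands"]:
        subprocess.run(argv, env=env, check=True, user=run_as)


if __name__ == "__main__":
    print(plan_hooks("alice", ["rook-ops"], "rook-prod"))
    print(plan_hooks("bob", ["db-readonly"], "rook-prod"))  # None: no matching role
    for record in SESSION_LOG:
        print(record)
```

The design choice worth noting is that the configured strings are parsed once, at plan time, and only ever reach `subprocess.run` as argv vectors; an `export` line that does not fit the `VAR=value` shape is treated as an ordinary command and logged as such rather than being silently evaluated by a shell.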
