Kubernetes Access Management Doesn't Have to Suck
Eran Kampf
•
Nov 24, 2025
We just shipped Twingate Identity Firewall. It's a security product. Enterprise-grade access controls, comprehensive audit trails, identity propagation - all the things your CISO wants to hear about.
But here's what I'm really excited about: I would use Twingate Identity Firewall just because it makes my life easier.
Let me explain.
The Problem Nobody Puts in the Product Requirements Document
I've been managing Kubernetes infrastructure for years, and I'm here to tell you something controversial: the worst part of Kubernetes isn't the complexity of the platform itself, it's the soul-crushing tedium of managing access to it.
You know the drill. New SRE joins. You need to get them connected to your clusters. So you open the cloud provider console, find the cluster, copy the connection command, paste it into Slack.
Then you do it again for the next cluster.
And the next one.
And the next one.
If you're running multiple environments across multiple regions and multiple cloud providers, this becomes a significant chunk of someone's first day.
We’re heavy Kubernetes users here at Twingate, so for us that means anywhere from 50-70 clusters across multiple cloud providers.
It's not hard work. It's just tedious, error-prone work that nobody wants to do.
But here's the thing: it's not just an onboarding problem.
The Ongoing Tax
Scenario: The Ephemeral Cluster
You spin up a temporary cluster for load testing. You need to give a bunch of engineers access for the week. That's a Slack thread full of "can you send me the connection string again?" messages.
Then you tear down the cluster. What happens to everyone's local kubeconfig files? Those entries stay there. Forever. Or until someone manually cleans them up. Which they won't, because they're busy actually building things.
Scenario: The Migration
You need to recreate clusters with new configurations. Now everyone needs to update their local configs. You send a Slack message. Some people update immediately. Others discover weeks later that, when their deployments mysteriously fail, they're pointing at a cluster that no longer exists.
You send reminder messages. People still miss them.
Scenario: The Access Audit
Someone asks: "Who has access to the production cluster?" Do you... check the cloud provider IAM? Hope that everyone who has credentials hasn't shared them? Try to remember everyone you've sent connection commands to over Slack?
It's not a great answer.
What I Actually Wanted
I wanted Kubernetes access to work like everything else in our modern stack:
Identity-based: Your access should be tied to who you are, not what credentials you have cached in a file somewhere
Group-driven: Add someone to the "backend-team" group, they get access to the relevant clusters. Remove them, access disappears
Self-maintaining: When clusters come and go, everyone's configuration should update automatically
Actually auditable: I should be able to answer "who accessed this cluster?" without archaeological log diving
Basically, I wanted Kubernetes access to work like our SaaS apps work. Is that too much to ask?
Twingate Identity Firewall
When we built Identity Firewall for Kubernetes, the headline features were the security ones. And yes, those matter: identity propagation, session recording, comprehensive audit logs, all that good stuff.
In order to build those security features, we needed to ensure that cluster access always reflected current group membership, that credentials were always fresh, and that the Twingate Gateway could maintain its audit trail.
Meeting those requirements delivered the added benefit of automatic cluster syncing.
For Onboarding
Add someone to the appropriate group. They sync via the Twingate Client. All their clusters appear automatically. They start working.
Their first day involves writing code, not copying commands for hours.
For Cluster Lifecycle Management
Spin up new clusters? They automatically appear for everyone who should have access. Zero announcements necessary. Zero setup documentation to maintain.
Decommission old clusters? They automatically disappear from everyone's configs. No cleanup. No zombie entries. No "why can't I connect?" support tickets.
For Day-to-Day Work
No more "which cluster am I connected to?" confusion. No more stale configurations causing mysterious failures. No more Slack threads hunting for connection strings.
Just: run kubectl. It works.
Making the Secure Path the Easy Path
Here's what really matters: we made the secure thing the easy thing.
People weren't fighting with kubeconfig files anymore. They weren't asking for help connecting to clusters. They were just... working.
That's the biggest win for me. Not that we checked the security compliance boxes (though we did). Not that we can produce user-specific audit reports (though we can).
The win is that we deleted an entire category of annoying problems that teams deal with every day.
The Broader Point
Infrastructure security tooling should delete problems, not just manage them.
The old model - "here's a vault, go check out some credentials, remember to rotate them" - doesn't scale. It creates work. It creates opportunities for mistakes. It trains people to find workarounds.
The new model - identity-native, automatically synchronized, ephemeral access - removes entire categories of problems:
No credential sprawl
No stale configurations
No "how do I connect?" questions
No multi-hour onboarding rituals
And as a bonus, it actually improves security. Because when the secure path is the easy path, people follow it.
Questions Worth Asking
If you're managing Kubernetes access today:
How long does it take a new engineer to get connected to all your clusters?
How many people on your team have tried to connect to clusters that no longer exist?
How quickly could you revoke someone's access to all your clusters right now?
How much time do you spend managing kubeconfig files instead of building features?
How do you make sure the right people have access at the right time without giving everyone access all the time
If you don't like (or don’t even know) your answers, there's a better way.
Twingate Identity Firewall is free for up to 5 Resources, and you can deploy it via the Twingate Operator. If you want step-by-step instructions on that, I hosted a webinar a few weeks back - give it a watch.
New to Twingate? You can try out Twingate for free or request a personalized demo from our team.
Rapidly implement a modern Zero Trust network that is more secure and maintainable than VPNs.
Kubernetes Access Management Doesn't Have to Suck
Eran Kampf
•
Nov 24, 2025
We just shipped Twingate Identity Firewall. It's a security product. Enterprise-grade access controls, comprehensive audit trails, identity propagation - all the things your CISO wants to hear about.
But here's what I'm really excited about: I would use Twingate Identity Firewall just because it makes my life easier.
Let me explain.
The Problem Nobody Puts in the Product Requirements Document
I've been managing Kubernetes infrastructure for years, and I'm here to tell you something controversial: the worst part of Kubernetes isn't the complexity of the platform itself, it's the soul-crushing tedium of managing access to it.
You know the drill. New SRE joins. You need to get them connected to your clusters. So you open the cloud provider console, find the cluster, copy the connection command, paste it into Slack.
Then you do it again for the next cluster.
And the next one.
And the next one.
If you're running multiple environments across multiple regions and multiple cloud providers, this becomes a significant chunk of someone's first day.
We’re heavy Kubernetes users here at Twingate, so for us that means anywhere from 50-70 clusters across multiple cloud providers.
It's not hard work. It's just tedious, error-prone work that nobody wants to do.
But here's the thing: it's not just an onboarding problem.
The Ongoing Tax
Scenario: The Ephemeral Cluster
You spin up a temporary cluster for load testing. You need to give a bunch of engineers access for the week. That's a Slack thread full of "can you send me the connection string again?" messages.
Then you tear down the cluster. What happens to everyone's local kubeconfig files? Those entries stay there. Forever. Or until someone manually cleans them up. Which they won't, because they're busy actually building things.
Scenario: The Migration
You need to recreate clusters with new configurations. Now everyone needs to update their local configs. You send a Slack message. Some people update immediately. Others discover weeks later that, when their deployments mysteriously fail, they're pointing at a cluster that no longer exists.
You send reminder messages. People still miss them.
Scenario: The Access Audit
Someone asks: "Who has access to the production cluster?" Do you... check the cloud provider IAM? Hope that everyone who has credentials hasn't shared them? Try to remember everyone you've sent connection commands to over Slack?
It's not a great answer.
What I Actually Wanted
I wanted Kubernetes access to work like everything else in our modern stack:
Identity-based: Your access should be tied to who you are, not what credentials you have cached in a file somewhere
Group-driven: Add someone to the "backend-team" group, they get access to the relevant clusters. Remove them, access disappears
Self-maintaining: When clusters come and go, everyone's configuration should update automatically
Actually auditable: I should be able to answer "who accessed this cluster?" without archaeological log diving
Basically, I wanted Kubernetes access to work like our SaaS apps work. Is that too much to ask?
Twingate Identity Firewall
When we built Identity Firewall for Kubernetes, the headline features were the security ones. And yes, those matter: identity propagation, session recording, comprehensive audit logs, all that good stuff.
In order to build those security features, we needed to ensure that cluster access always reflected current group membership, that credentials were always fresh, and that the Twingate Gateway could maintain its audit trail.
Meeting those requirements delivered the added benefit of automatic cluster syncing.
For Onboarding
Add someone to the appropriate group. They sync via the Twingate Client. All their clusters appear automatically. They start working.
Their first day involves writing code, not copying commands for hours.
For Cluster Lifecycle Management
Spin up new clusters? They automatically appear for everyone who should have access. Zero announcements necessary. Zero setup documentation to maintain.
Decommission old clusters? They automatically disappear from everyone's configs. No cleanup. No zombie entries. No "why can't I connect?" support tickets.
For Day-to-Day Work
No more "which cluster am I connected to?" confusion. No more stale configurations causing mysterious failures. No more Slack threads hunting for connection strings.
Just: run kubectl. It works.
Making the Secure Path the Easy Path
Here's what really matters: we made the secure thing the easy thing.
People weren't fighting with kubeconfig files anymore. They weren't asking for help connecting to clusters. They were just... working.
That's the biggest win for me. Not that we checked the security compliance boxes (though we did). Not that we can produce user-specific audit reports (though we can).
The win is that we deleted an entire category of annoying problems that teams deal with every day.
The Broader Point
Infrastructure security tooling should delete problems, not just manage them.
The old model - "here's a vault, go check out some credentials, remember to rotate them" - doesn't scale. It creates work. It creates opportunities for mistakes. It trains people to find workarounds.
The new model - identity-native, automatically synchronized, ephemeral access - removes entire categories of problems:
No credential sprawl
No stale configurations
No "how do I connect?" questions
No multi-hour onboarding rituals
And as a bonus, it actually improves security. Because when the secure path is the easy path, people follow it.
Questions Worth Asking
If you're managing Kubernetes access today:
How long does it take a new engineer to get connected to all your clusters?
How many people on your team have tried to connect to clusters that no longer exist?
How quickly could you revoke someone's access to all your clusters right now?
How much time do you spend managing kubeconfig files instead of building features?
How do you make sure the right people have access at the right time without giving everyone access all the time
If you don't like (or don’t even know) your answers, there's a better way.
Twingate Identity Firewall is free for up to 5 Resources, and you can deploy it via the Twingate Operator. If you want step-by-step instructions on that, I hosted a webinar a few weeks back - give it a watch.
New to Twingate? You can try out Twingate for free or request a personalized demo from our team.
Rapidly implement a modern Zero Trust network that is more secure and maintainable than VPNs.
Kubernetes Access Management Doesn't Have to Suck
Eran Kampf
•
Nov 24, 2025
We just shipped Twingate Identity Firewall. It's a security product. Enterprise-grade access controls, comprehensive audit trails, identity propagation - all the things your CISO wants to hear about.
But here's what I'm really excited about: I would use Twingate Identity Firewall just because it makes my life easier.
Let me explain.
The Problem Nobody Puts in the Product Requirements Document
I've been managing Kubernetes infrastructure for years, and I'm here to tell you something controversial: the worst part of Kubernetes isn't the complexity of the platform itself, it's the soul-crushing tedium of managing access to it.
You know the drill. New SRE joins. You need to get them connected to your clusters. So you open the cloud provider console, find the cluster, copy the connection command, paste it into Slack.
Then you do it again for the next cluster.
And the next one.
And the next one.
If you're running multiple environments across multiple regions and multiple cloud providers, this becomes a significant chunk of someone's first day.
We’re heavy Kubernetes users here at Twingate, so for us that means anywhere from 50-70 clusters across multiple cloud providers.
It's not hard work. It's just tedious, error-prone work that nobody wants to do.
But here's the thing: it's not just an onboarding problem.
The Ongoing Tax
Scenario: The Ephemeral Cluster
You spin up a temporary cluster for load testing. You need to give a bunch of engineers access for the week. That's a Slack thread full of "can you send me the connection string again?" messages.
Then you tear down the cluster. What happens to everyone's local kubeconfig files? Those entries stay there. Forever. Or until someone manually cleans them up. Which they won't, because they're busy actually building things.
Scenario: The Migration
You need to recreate clusters with new configurations. Now everyone needs to update their local configs. You send a Slack message. Some people update immediately. Others discover weeks later that, when their deployments mysteriously fail, they're pointing at a cluster that no longer exists.
You send reminder messages. People still miss them.
Scenario: The Access Audit
Someone asks: "Who has access to the production cluster?" Do you... check the cloud provider IAM? Hope that everyone who has credentials hasn't shared them? Try to remember everyone you've sent connection commands to over Slack?
It's not a great answer.
What I Actually Wanted
I wanted Kubernetes access to work like everything else in our modern stack:
Identity-based: Your access should be tied to who you are, not what credentials you have cached in a file somewhere
Group-driven: Add someone to the "backend-team" group, they get access to the relevant clusters. Remove them, access disappears
Self-maintaining: When clusters come and go, everyone's configuration should update automatically
Actually auditable: I should be able to answer "who accessed this cluster?" without archaeological log diving
Basically, I wanted Kubernetes access to work like our SaaS apps work. Is that too much to ask?
Twingate Identity Firewall
When we built Identity Firewall for Kubernetes, the headline features were the security ones. And yes, those matter: identity propagation, session recording, comprehensive audit logs, all that good stuff.
In order to build those security features, we needed to ensure that cluster access always reflected current group membership, that credentials were always fresh, and that the Twingate Gateway could maintain its audit trail.
Meeting those requirements delivered the added benefit of automatic cluster syncing.
For Onboarding
Add someone to the appropriate group. They sync via the Twingate Client. All their clusters appear automatically. They start working.
Their first day involves writing code, not copying commands for hours.
For Cluster Lifecycle Management
Spin up new clusters? They automatically appear for everyone who should have access. Zero announcements necessary. Zero setup documentation to maintain.
Decommission old clusters? They automatically disappear from everyone's configs. No cleanup. No zombie entries. No "why can't I connect?" support tickets.
For Day-to-Day Work
No more "which cluster am I connected to?" confusion. No more stale configurations causing mysterious failures. No more Slack threads hunting for connection strings.
Just: run kubectl. It works.
Making the Secure Path the Easy Path
Here's what really matters: we made the secure thing the easy thing.
People weren't fighting with kubeconfig files anymore. They weren't asking for help connecting to clusters. They were just... working.
That's the biggest win for me. Not that we checked the security compliance boxes (though we did). Not that we can produce user-specific audit reports (though we can).
The win is that we deleted an entire category of annoying problems that teams deal with every day.
The Broader Point
Infrastructure security tooling should delete problems, not just manage them.
The old model - "here's a vault, go check out some credentials, remember to rotate them" - doesn't scale. It creates work. It creates opportunities for mistakes. It trains people to find workarounds.
The new model - identity-native, automatically synchronized, ephemeral access - removes entire categories of problems:
No credential sprawl
No stale configurations
No "how do I connect?" questions
No multi-hour onboarding rituals
And as a bonus, it actually improves security. Because when the secure path is the easy path, people follow it.
Questions Worth Asking
If you're managing Kubernetes access today:
How long does it take a new engineer to get connected to all your clusters?
How many people on your team have tried to connect to clusters that no longer exist?
How quickly could you revoke someone's access to all your clusters right now?
How much time do you spend managing kubeconfig files instead of building features?
How do you make sure the right people have access at the right time without giving everyone access all the time
If you don't like (or don’t even know) your answers, there's a better way.
Twingate Identity Firewall is free for up to 5 Resources, and you can deploy it via the Twingate Operator. If you want step-by-step instructions on that, I hosted a webinar a few weeks back - give it a watch.
New to Twingate? You can try out Twingate for free or request a personalized demo from our team.
Solutions
Solutions
The VPN replacement your workforce will love.
Solutions