C1 provides identity governance for Kubernetes. Integrate your Kubernetes cluster with C1 to run user access reviews (UARs) and gain visibility into RBAC permissions across your cluster.
This connector requires network access to your Kubernetes API server. If your cluster API endpoint is not publicly accessible, run the connector in self-hosted mode, deployed inside the cluster itself.
The connector uses a Kubernetes service account to read cluster state. Apply the following manifest to create the namespace, service account, and the read-only RBAC permissions it needs.
The Connector Administrator or Super Administrator role in C1
Self-hosted
Cloud-hosted
Follow these instructions to deploy the Kubernetes connector inside your cluster.When running in service mode, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
Confirm the pod is healthy and that C1 is receiving data from the cluster.
1
Check that the pod started successfully:
kubectl get pods -n batonkubectl logs -n baton deployment/baton-kubernetes
2
In C1, click Apps. On the Managed apps tab, locate the application you added the connector to. Kubernetes data should appear on the Entitlements and Accounts tabs after the first sync completes.
Done. Your Kubernetes connector is now pulling access data into C1.
Follow these instructions to use a built-in, no-code connector hosted by C1.
Cloud-hosted mode requires your Kubernetes API server to be publicly accessible. You’ll need a bearer token and the public API server URL.