
@fangpenlin (Contributor) commented Dec 3, 2025

Context

ref: https://linear.app/infisical/issue/PAM-12/add-support-for-kubernetes-resource-in-pam

Screenshots

Steps to verify the change

To test this PR, you need the CLI PR 79 checked out locally first. Then, you need a local Kubernetes server. Using the one that comes with Docker Desktop might be the easiest way to do it, or you can use Kind if you want.

Step 1. You need to create the new Kubernetes resource

Before all the following, you need to have the gateway and relay with the changes made in CLI PR 79 running and registered with your local Infisical instance.

Next, visit the PAM resource page, click "Add Resource", select Kubernetes. Input the name and the URL to the k8s server, such as:

https://localhost:6443

You may want to disable the SSL check if the certificate served by the K8S API endpoint was issued for a different IP / hostname than the one you're using to access it.

Step 2. Create an SA account

Currently, the K8S PAM access only supports SA account tokens. You can save the following file

sa.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: static-cluster-admin-sa
  namespace: kube-system   # Recommended to put it in kube-system
---
# Bind the ServiceAccount to the cluster-admin ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: static-cluster-admin-binding
subjects:
  - kind: ServiceAccount
    name: static-cluster-admin-sa
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# This Secret is the important part: it creates a STATIC, non-expiring token
# (type kubernetes.io/service-account-token) attached to the SA
apiVersion: v1
kind: Secret
metadata:
  name: static-cluster-admin-sa-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: static-cluster-admin-sa
type: kubernetes.io/service-account-token

Then run

kubectl apply -f sa.yaml

To create the needed SA account

Step 3. Create a PAM account

To create one, visit PAM account page, click "Add Account" button. Select the k8s resource we've just created. You will need the static service account token, run the following cmd to obtain it:

kubectl -n kube-system get secret static-cluster-admin-sa-token -o jsonpath='{.data.token}' | base64 -d

Copy and paste the SA account content to the add account form.

Step 4. Run access cmd in CLI

Go to the PAM account page, click the "Access" button for the newly created account and copy the cmd, which looks like this:

infisical pam kubernetes access-account my-sa --project-id 9dc5316c-916f-4522-a265-3e82b1c47b76 --duration 4h --domain http://localhost:8080

You may need to replace the infisical cmd with go run . instead in the CLI project root folder if you don't have it installed in your system.

Once you run it, you should be able to access the k8s instance with kubectl. After that, shut down the proxy; you should then be able to see the session logs in the Sessions page.

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore
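Added example, not code from the PR or from Infisical: a local sanity check on the token extracted in Step 3 before it is pasted into the PAM account form. It decodes the JWT payload (the signature is not verified here; only the API server can do that), confirms the subject is the expected service account in the expected namespace, and reports whether the token carries an exp claim. A secret-based token like the one created in Step 2 has no exp and lives until the Secret is deleted, which is exactly what the YAML comment warns about; combined with cluster-admin that is fine for a throwaway local cluster but not a pattern to reuse elsewhere. The helper names, the claim layout and the constructed token are assumptions of this example, and the base64url code handles single-byte strings only, which is sufficient for JWT JSON.

```typescript
// Added example (not Infisical's code). Inspects a Kubernetes service-account
// JWT locally: subject, namespace, issuer and whether it expires. No signature
// check; this is a pre-flight sanity check, not authentication.

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Unpadded base64url over single-byte (ASCII/Latin-1) strings, as used by JWT.
function b64urlEncode(s: string): string {
  let out = "", acc = 0, bits = 0;
  for (let i = 0; i < s.length; i++) {
    acc = ((acc << 8) | (s.charCodeAt(i) & 0xff)) & 0xffff;
    bits += 8;
    while (bits >= 6) { bits -= 6; out += B64URL[(acc >> bits) & 63]; }
  }
  if (bits > 0) out += B64URL[(acc << (6 - bits)) & 63];
  return out;
}

function b64urlDecode(s: string): string {
  let out = "", acc = 0, bits = 0;
  for (let i = 0; i < s.length; i++) {
    const v = B64URL.indexOf(s[i]);
    if (v < 0) throw new Error(`invalid base64url character at ${i}`);
    acc = ((acc << 6) | v) & 0xffff;
    bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); }
  }
  return out;
}

type SaTokenInfo = {
  subject: string;
  namespace: string;
  serviceAccount: string;
  issuer: string;
  expires: number | null; // unix seconds, or null when the token never expires
};

function inspectServiceAccountToken(jwt: string): SaTokenInfo {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT (expected header.payload.signature)");
  const claims = JSON.parse(b64urlDecode(parts[1])) as Record<string, unknown>;
  const sub = typeof claims["sub"] === "string" ? (claims["sub"] as string) : "";
  // Kubernetes service-account subjects look like system:serviceaccount:<ns>:<name>
  const m = /^system:serviceaccount:([^:]+):(.+)$/.exec(sub);
  if (!m) throw new Error(`subject "${sub}" is not a service account`);
  return {
    subject: sub,
    namespace: m[1],
    serviceAccount: m[2],
    issuer: typeof claims["iss"] === "string" ? (claims["iss"] as string) : "",
    expires: typeof claims["exp"] === "number" ? (claims["exp"] as number) : null,
  };
}

// A kubernetes.io/service-account-token Secret yields a token with no exp claim;
// a TokenRequest token (kubectl create token) always carries one.
function isStaticToken(info: SaTokenInfo): boolean {
  return info.expires === null;
}

// Constructed token mirroring the claims a secret-based SA token carries for the
// SA from sa.yaml. The signature segment is a placeholder, not a real signature.
const constructedStaticToken = [
  b64urlEncode(JSON.stringify({ alg: "RS256", kid: "constructed" })),
  b64urlEncode(JSON.stringify({
    iss: "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "static-cluster-admin-sa-token",
    "kubernetes.io/serviceaccount/service-account.name": "static-cluster-admin-sa",
    sub: "system:serviceaccount:kube-system:static-cluster-admin-sa",
  })),
  "placeholder-signature",
].join(".");

const tokenInfo = inspectServiceAccountToken(constructedStaticToken);
console.log(tokenInfo, "static (never expires):", isStaticToken(tokenInfo));
```

To run it against the real output of the kubectl command in Step 3, pass that string to inspectServiceAccountToken instead of the constructed one; if the namespace or service account name is not what you expect, or isStaticToken is false for a token you believed was secret-based, stop before creating the PAM account.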

@fangpenlin changed the title from "feature: Add k8s for PAM" to "feature: add k8s for PAM" on Dec 3, 2025
@maidul98 (Collaborator) commented Dec 3, 2025

Snyk checks have passed. No issues have been found so far.

Scanner: Open Source Security. Critical 0, High 0, Medium 0, Low 0. Total: 0 issues.


@fangpenlin force-pushed the PAM-12-add-k8s-for-pam branch from 3e70fb6 to 65d5b7e on December 5, 2025 18:51
@fangpenlin force-pushed the PAM-12-add-k8s-for-pam branch from 65d5b7e to 2afd765 on December 5, 2025 20:08
@fangpenlin marked this pull request as ready for review on December 5, 2025 21:12
@greptile-apps bot (Contributor) commented Dec 5, 2025

Greptile Summary

This PR adds Kubernetes resource support to the PAM system, enabling privileged access management for Kubernetes clusters via service account tokens. The implementation includes:

  • New Kubernetes resource factory with connection validation and authentication
  • HTTP event logging for Kubernetes API interactions (request/response capture)
  • Frontend components for resource/account creation and session log viewing
  • Integration with gateway v2 for proxied cluster access

Key changes:

  • Added PamResource.Kubernetes enum value to resource types
  • Created comprehensive Zod schemas with proper validation (max lengths, URL validation, credential sanitization)
  • Implemented connection validation via /version endpoint (accepts 401/403 as valid connection)
  • Account credential validation using /api/v1/namespaces endpoint (needs improvement - see inline comment)
  • HTTP event schemas with discriminated unions for request/response tracking
  • Frontend HTTP event viewer with search, collapsible sections, base64 decoding, and JSON formatting

Issues found:

  • Critical: Account validation endpoint requires unnecessary permissions - should use /apis/authentication.k8s.io/v1/selfsubjectreviews instead

Non-breaking changes:

  • All changes are additive (new resource type, schemas, routes)
  • Existing API contracts maintained via discriminated union patterns
  • No modifications to existing resource types (Postgres, MySQL, SSH)

Documentation:

  • No documentation found in /docs folder for this new PAM Kubernetes feature. Users may not discover how to use this capability without documentation.

Confidence Score: 3/5

  • Safe to merge with one critical fix needed for the validation endpoint
  • The implementation is well-structured with proper validation, but has one critical issue: the account credential validation endpoint requires list namespaces permission which service accounts may not have. This will cause validation failures for minimally-privileged service accounts. The fix is straightforward (use selfsubjectreviews endpoint instead). Additionally, documentation is missing for this feature which impacts discoverability.
  • backend/src/ee/services/pam-resource/kubernetes/kubernetes-resource-factory.ts needs the validation endpoint fixed

Important Files Changed

File Analysis (filename, score, overview):

backend/src/ee/services/pam-resource/kubernetes/kubernetes-resource-factory.ts (4/5): New Kubernetes resource factory with connection validation, authentication checks, and credential handling. Uses proper URL parsing and gateway integration. Has a TODO comment about validation endpoint choice.
backend/src/ee/services/pam-resource/kubernetes/kubernetes-resource-schemas.ts (5/5): Zod schemas for Kubernetes resource configuration with proper validation, max length constraints, and credential sanitization. Well-structured discriminated unions for auth methods.
backend/src/ee/services/pam-account/pam-account-service.ts (4/5): Added Kubernetes support to PAM account service with URL parsing for connection details and metadata tracking. Uses type casting for credentials in switch cases.
frontend/src/pages/pam/PamSessionsByIDPage/components/HttpEventView.tsx (4/5): New React component for displaying HTTP session logs with search, collapsible sections, base64 decoding, and JSON formatting. Includes kubectl command extraction from headers.

@greptile-apps bot left a comment: 28 files reviewed, 2 comments

@sheensantoscapadngan sheensantoscapadngan merged commit 85968cf into main Dec 10, 2025
11 of 12 checks passed
@fangpenlin fangpenlin deleted the PAM-12-add-k8s-for-pam branch January 5, 2026 17:36