feature: add k8s for PAM

backend/src/ee/routes/v1/pam-account-routers/index.ts

@@ -3,6 +3,11 @@ import {
   SanitizedAwsIamAccountWithResourceSchema,
   UpdateAwsIamAccountSchema
 } from "@app/ee/services/pam-resource/aws-iam/aws-iam-resource-schemas";
+import {
+  CreateKubernetesAccountSchema,
+  SanitizedKubernetesAccountWithResourceSchema,
+  UpdateKubernetesAccountSchema
+} from "@app/ee/services/pam-resource/kubernetes/kubernetes-resource-schemas";
 import {
   CreateMySQLAccountSchema,
   SanitizedMySQLAccountWithResourceSchema,
@@ -50,6 +55,15 @@ export const PAM_ACCOUNT_REGISTER_ROUTER_MAP: Record<PamResource, (server: Fasti
       updateAccountSchema: UpdateSSHAccountSchema
     });
   },
+  [PamResource.Kubernetes]: async (server: FastifyZodProvider) => {
+    registerPamResourceEndpoints({
+      server,
+      resourceType: PamResource.Kubernetes,
+      accountResponseSchema: SanitizedKubernetesAccountWithResourceSchema,
+      createAccountSchema: CreateKubernetesAccountSchema,
+      updateAccountSchema: UpdateKubernetesAccountSchema
+    });
+  },
   [PamResource.AwsIam]: async (server: FastifyZodProvider) => {
     registerPamResourceEndpoints({
       server,

backend/src/ee/routes/v1/pam-account-routers/pam-account-router.ts

@@ -4,6 +4,7 @@ import { PamFoldersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { PamAccountOrderBy, PamAccountView } from "@app/ee/services/pam-account/pam-account-enums";
 import { SanitizedAwsIamAccountWithResourceSchema } from "@app/ee/services/pam-resource/aws-iam/aws-iam-resource-schemas";
+import { SanitizedKubernetesAccountWithResourceSchema } from "@app/ee/services/pam-resource/kubernetes/kubernetes-resource-schemas";
 import { SanitizedMySQLAccountWithResourceSchema } from "@app/ee/services/pam-resource/mysql/mysql-resource-schemas";
 import { PamResource } from "@app/ee/services/pam-resource/pam-resource-enums";
 import { GatewayAccessResponseSchema } from "@app/ee/services/pam-resource/pam-resource-schemas";
@@ -21,10 +22,17 @@ const SanitizedAccountSchema = z.union([
   SanitizedSSHAccountWithResourceSchema, // ORDER MATTERS
   SanitizedPostgresAccountWithResourceSchema,
   SanitizedMySQLAccountWithResourceSchema,
+  SanitizedKubernetesAccountWithResourceSchema,
   SanitizedAwsIamAccountWithResourceSchema
 ]);
 
-type TSanitizedAccount = z.infer<typeof SanitizedAccountSchema>;
+const ListPamAccountsResponseSchema = z.object({
+  accounts: SanitizedAccountSchema.array(),
+  folders: PamFoldersSchema.array(),
+  totalCount: z.number().default(0),
+  folderId: z.string().optional(),
+  folderPaths: z.record(z.string(), z.string())
+});
 
 export const registerPamAccountRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -55,13 +63,7 @@ export const registerPamAccountRouter = async (server: FastifyZodProvider) => {
           .optional()
       }),
       response: {
-        200: z.object({
-          accounts: SanitizedAccountSchema.array(),
-          folders: PamFoldersSchema.array(),
-          totalCount: z.number().default(0),
-          folderId: z.string().optional(),
-          folderPaths: z.record(z.string(), z.string())
-        })
+        200: ListPamAccountsResponseSchema
       }
     },
     onRequest: verifyAuth([AuthMode.JWT]),
@@ -98,7 +100,7 @@ export const registerPamAccountRouter = async (server: FastifyZodProvider) => {
         }
       });
 
-      return { accounts: accounts as TSanitizedAccount[], folders, totalCount, folderId, folderPaths };
+      return { accounts, folders, totalCount, folderId, folderPaths } as z.infer<typeof ListPamAccountsResponseSchema>;
     }
   });
 
@@ -135,6 +137,7 @@ export const registerPamAccountRouter = async (server: FastifyZodProvider) => {
           GatewayAccessResponseSchema.extend({ resourceType: z.literal(PamResource.Postgres) }),
           GatewayAccessResponseSchema.extend({ resourceType: z.literal(PamResource.MySQL) }),
           GatewayAccessResponseSchema.extend({ resourceType: z.literal(PamResource.SSH) }),
+          GatewayAccessResponseSchema.extend({ resourceType: z.literal(PamResource.Kubernetes) }),
           // AWS IAM (no gateway, returns console URL)
           z.object({
             sessionId: z.string(),

backend/src/ee/routes/v1/pam-resource-routers/index.ts

@@ -3,6 +3,11 @@ import {
   SanitizedAwsIamResourceSchema,
   UpdateAwsIamResourceSchema
 } from "@app/ee/services/pam-resource/aws-iam/aws-iam-resource-schemas";
+import {
+  CreateKubernetesResourceSchema,
+  SanitizedKubernetesResourceSchema,
+  UpdateKubernetesResourceSchema
+} from "@app/ee/services/pam-resource/kubernetes/kubernetes-resource-schemas";
 import {
   CreateMySQLResourceSchema,
   MySQLResourceSchema,
@@ -50,6 +55,15 @@ export const PAM_RESOURCE_REGISTER_ROUTER_MAP: Record<PamResource, (server: Fast
       updateResourceSchema: UpdateSSHResourceSchema
     });
   },
+  [PamResource.Kubernetes]: async (server: FastifyZodProvider) => {
+    registerPamResourceEndpoints({
+      server,
+      resourceType: PamResource.Kubernetes,
+      resourceResponseSchema: SanitizedKubernetesResourceSchema,
+      createResourceSchema: CreateKubernetesResourceSchema,
+      updateResourceSchema: UpdateKubernetesResourceSchema
+    });
+  },
   [PamResource.AwsIam]: async (server: FastifyZodProvider) => {
     registerPamResourceEndpoints({
       server,

backend/src/ee/routes/v1/pam-resource-routers/pam-resource-router.ts

@@ -5,6 +5,10 @@ import {
   AwsIamResourceListItemSchema,
   SanitizedAwsIamResourceSchema
 } from "@app/ee/services/pam-resource/aws-iam/aws-iam-resource-schemas";
+import {
+  KubernetesResourceListItemSchema,
+  SanitizedKubernetesResourceSchema
+} from "@app/ee/services/pam-resource/kubernetes/kubernetes-resource-schemas";
 import {
   MySQLResourceListItemSchema,
   SanitizedMySQLResourceSchema
@@ -27,13 +31,15 @@ const SanitizedResourceSchema = z.union([
   SanitizedPostgresResourceSchema,
   SanitizedMySQLResourceSchema,
   SanitizedSSHResourceSchema,
+  SanitizedKubernetesResourceSchema,
   SanitizedAwsIamResourceSchema
 ]);
 
 const ResourceOptionsSchema = z.discriminatedUnion("resource", [
   PostgresResourceListItemSchema,
   MySQLResourceListItemSchema,
   SSHResourceListItemSchema,
+  KubernetesResourceListItemSchema,
   AwsIamResourceListItemSchema
 ]);
 

backend/src/ee/routes/v1/pam-session-router.ts

@@ -2,10 +2,12 @@ import { z } from "zod";
 
 import { PamSessionsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { KubernetesSessionCredentialsSchema } from "@app/ee/services/pam-resource/kubernetes/kubernetes-resource-schemas";
 import { MySQLSessionCredentialsSchema } from "@app/ee/services/pam-resource/mysql/mysql-resource-schemas";
 import { PostgresSessionCredentialsSchema } from "@app/ee/services/pam-resource/postgres/postgres-resource-schemas";
 import { SSHSessionCredentialsSchema } from "@app/ee/services/pam-resource/ssh/ssh-resource-schemas";
 import {
+  HttpEventSchema,
   PamSessionCommandLogSchema,
   SanitizedSessionSchema,
   TerminalEventSchema
@@ -17,7 +19,8 @@ import { AuthMode } from "@app/services/auth/auth-type";
 const SessionCredentialsSchema = z.union([
   SSHSessionCredentialsSchema,
   PostgresSessionCredentialsSchema,
-  MySQLSessionCredentialsSchema
+  MySQLSessionCredentialsSchema,
+  KubernetesSessionCredentialsSchema
 ]);
 
 export const registerPamSessionRouter = async (server: FastifyZodProvider) => {
@@ -89,7 +92,7 @@ export const registerPamSessionRouter = async (server: FastifyZodProvider) => {
         sessionId: z.string().uuid()
       }),
       body: z.object({
-        logs: z.array(z.union([PamSessionCommandLogSchema, TerminalEventSchema]))
+        logs: z.array(z.union([PamSessionCommandLogSchema, TerminalEventSchema, HttpEventSchema]))
       }),
       response: {
         200: z.object({

backend/src/ee/services/pam-account/pam-account-service.ts

@@ -689,13 +689,30 @@ export const pamAccountServiceFactory = ({
       throw new BadRequestError({ message: "Gateway ID is required for this resource type" });
     }
 
+    const { host, port } =
+      resourceType !== PamResource.Kubernetes
+        ? connectionDetails
+        : (() => {
+            const url = new URL(connectionDetails.url);
+            let portNumber: number | undefined;
+            if (url.port) {
+              portNumber = Number(url.port);
+            } else {
+              portNumber = url.protocol === "https:" ? 443 : 80;
+            }
+            return {
+              host: url.hostname,
+              port: portNumber
+            };
+          })();
+
     const gatewayConnectionDetails = await gatewayV2Service.getPAMConnectionDetails({
       gatewayId,
       duration,
       sessionId: session.id,
       resourceType: resource.resourceType as PamResource,
-      host: (connectionDetails as TSqlResourceConnectionDetails).host,
-      port: (connectionDetails as TSqlResourceConnectionDetails).port,
+      host,
+      port,
       actorMetadata: {
         id: actor.id,
         type: actor.type,
@@ -746,6 +763,13 @@ export const pamAccountServiceFactory = ({
           };
         }
         break;
+      case PamResource.Kubernetes:
+        metadata = {
+          resourceName: resource.name,
+          accountName: account.name,
+          accountPath
+        };
+        break;
       default:
         break;
     }

backend/src/ee/services/pam-resource/kubernetes/kubernetes-resource-enums.ts

@@ -0,0 +1,3 @@
+export enum KubernetesAuthMethod {
+  ServiceAccountToken = "service-account-token"
+}