Cluster credentials scattered across kubeconfig files are a standing privilege problem. Wardengate brokers kubectl exec, port-forward, and API calls through the same policy engine as SSH and RDP.
Shared cluster-admin kubeconfigs, long-lived service account tokens, and vendor VPN paths into prod clusters are difficult to revoke and nearly impossible to audit command-by-command. Gateways replace standing kubeconfig access with session grants tied to identity.
Operators authenticate to Wardengate — not directly to the API server. The gateway validates grants, applies MFA, and establishes a brokered session using ephemeral credentials or impersonation headers. kubectl, k9s, and web terminals all route through the connector; raw kubeconfig files with cluster-admin are not distributed.
Map IdP groups to Kubernetes RBAC roles at session start. A platform engineer and a vendor support identity receive different effective permissions even on the same cluster. Policy version and role binding are captured in session metadata for audit.
API calls and exec sessions produce structured logs — resource, verb, namespace, identity — plus optional exec recording for shells inside pods. Evidence exports align with SOC 2 CC6/CC7 without relying on cluster audit logs alone.
Operational docs
Ready to evaluate?
Walk through gateway brokering, recording, and audit exports in a working session — or start with the interactive demo.
