Kubernetes uses X.509 (certificate) based authentication. When configured correctly, it's pretty safe to have the API server publicly available. All major cloud providers do this by default.
quiet-wolf-18467
02/06/2022, 6:27 PM
That being said, many prefer to keep them behind a VPN or bastion and that's OK too
quiet-wolf-18467
02/06/2022, 6:28 PM
Your best bet is to create an SSH tunnel on your machine before running Pulumi to make the API server available
sparse-park-68967
02/06/2022, 6:51 PM
I believe you can configure Pulumi to go over a SOCKS proxy? I could be wrong though. Another option is to consider the Pulumi k8s operator which can be installed directly on the cluster so no need to go over the network… it comes with other considerations though