← Back to Blog

The Kaja Team

Secure access to private Kubernetes clusters without exposing them

Run clusters with no public IP and still manage them from Kaja. Here's how outbound agents and RBAC keep everything locked down.

Many teams want Kubernetes clusters that don't expose a public API or ingress. That improves security but makes it harder to access apps and run operations from outside the network. Opening firewalls or punching holes is exactly what we want to avoid.

With Kaja, you can keep clusters fully private and still get secure access:

  • Outbound agent — The Kaja agent establishes an outbound connection to the control plane. No inbound ports, no public IPs on the cluster API.
  • RBAC — Who can see which clusters and apps is governed by role-based access control, so access is consistent and auditable.
  • Isolated projects — Developers get their own isolated project instead of sharing one long-lived staging environment.

Why outbound-only matters

Traditional setups often require opening the Kubernetes API or an ingress controller to the internet. That expands your attack surface: every open port is a potential target. With an outbound-only agent, the cluster initiates the connection to Kaja. There's nothing for an external scanner to hit. The control plane can still send commands and stream logs/metrics over that same channel—you get full functionality without exposing the cluster.

Keeping it auditable

RBAC doesn't just protect production. It makes it clear who can create projects, deploy apps, or view logs. When everything goes through the control plane, you have one place to define roles and one place to audit "who did what." That's especially important for compliance and for teams that want to give developers autonomy without giving them keys to everything. Private clusters plus outbound agents plus RBAC give you lock-down without locking out your team.