1. Docs
  2. Overview
  3. Security
  4. Secure access to clusters

Last modified July 4, 2025

Secure access to clusters

You get secure access to your workload clusters by default. The Giant Swarm team also needs access to these clusters to provide you with the best support.

This guide explains how this access works and the security measures for managing your clusters securely and responsibly.

Intro

There are two broad types of access to your Giant Swarm clusters:

  1. User access - for you and your team to interact with your services.

  2. Admin access - for the Giant Swarm team to help with management, development, and support.

Want to learn more about how the infrastructure works? Check out the operational layers article.

User access

We expose the Kubernetes API of each workload cluster to you. You can manage who gets access by connecting your external identity provider to the Kubernetes API.

Admin access via Teleport

Giant Swarm uses Teleport to access clusters for management and support.

What is Teleport

Teleport is an open-source tool that helps us manage secure access to your infrastructure. It uses an identity-aware reverse proxy and short-lived certificates instead of passwords or long-lived keys. This makes your clusters more secure and helps us follow regulations and work with different network setups.

Teleport is powerful because it:

  • Requires no open ports, publicly accessible machines, or privileged bastion hosts
  • Works flexibly with our range of different customer network layouts
  • Requires only outbound HTTPS traffic
  • Uses short-lived scoped credentials
  • Provides detailed audit logging to us and to our customers

Teleport secured access points

We use Teleport to securely access:

  • SSH - Access nodes using Teleport to authenticate the user and record the session without requiring personal SSH keys on customer machines.
  • Kubernetes API - Management cluster and workload cluster Kubernetes API server access is auditable and can be fully private.
  • Apps - User interfaces for Giant Swarm apps are also exposed and protected by Teleport, minimizing the number of components that require public endpoints.

Here’s a diagram that shows how our Teleport setup works:

Teleport Architecture

We secure Teleport access with GitHub Single Sign-On (SSO) and multi-factor authentication. Only people in our GitHub organization can log in.

The Teleport cluster is built to be highly dependable, and detailed access and audit logs are kept for every session.

Infrastructure provider access

Our Kubernetes operators also require admin rights to your infrastructure provider. It allow them to manage your cluster’s lifecycle - creating, configuring, and cleaning up resources like machines, networks, and security groups.