Subscribe to the Non-Human & AI Identity Journal

Forums
The Non-Human & AI ...
NHI, AI & IAM Best ...
Kubernetes internal...
 
Notifications
Clear all

Kubernetes internal tools without VPNs: what changes for IAM teams?

 
    Last Post
  RSS

 NHI Mgmt Group
(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter 10/06/2026 11:42 pm  

TL;DR: Identity-aware access for Grafana, Argo CD, GitLab, and Prometheus replaces network-level VPN trust with per-application policy, identity claims, and audit logs, according to Pomerium. That shift reduces broad access and makes revocation, visibility, and compliance much easier for platform and IAM teams.

NHIMG editorial — based on content published by Pomerium: Secure internal access to Grafana, Argo, GitLab, and Prometheus without a VPN

Questions worth separating out

Q: How should security teams govern internal Kubernetes tools without a VPN?

A: Use identity-aware access at the application layer, not network-level trust.

Q: Why do VPNs create weak least-privilege controls for internal apps?

A: Because VPNs usually grant broad connectivity instead of application-specific permissions.

Q: What breaks when contractor access to internal tools is handled through VPNs?

A: Offboarding and scoping become too coarse.

Practitioner guidance

  • Replace network trust with application-scoped policy Put Grafana, Argo CD, GitLab, and Prometheus behind identity-aware controls so access is decided per application, not by VPN reachability.
  • Separate read-only and privileged access paths Treat dashboards, deployment consoles, and APIs as different access tiers, even when they sit in the same platform.
  • Tie every access decision to identity metadata Require request-level logging that records the identity, policy outcome, and target service.

What's in the full article

Pomerium's full blog post covers the implementation detail this post intentionally leaves for the source:

  • Step-by-step access proxy flow for internal Kubernetes tools such as Grafana, Argo CD, GitLab, and Prometheus
  • Example policy structure for identity- and group-based access decisions across internal applications
  • Operational guidance on reducing VPN dependence while preserving auditability and revocation
  • Practical deployment considerations for platform teams moving from network trust to identity-aware access

👉 Read Pomerium's analysis of secure access to Grafana, Argo CD, GitLab, and Prometheus →

Kubernetes internal tools without VPNs: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
Topic Tags
pomerium zero-trust-access kubernetes-security identity-aware-proxy vpn-replacement
Forum Jump:
  Previous Topic
Next Topic  
Related Topics
Topic Tags:  pomerium (24) , zero-trust-access (7) , kubernetes-security (16) , identity-aware-proxy (5) , vpn-replacement (3) ,
Share:

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

Legal & Policies

©2025 NHIMG. All right reserved.