Kubeportal aims to be an end-to-end solution for secure, cross-cluster Kubernetes API connectivity.
It allows workloads in a central cluster to seamlessly interact with the Kubernetes APIs of multiple remote clusters without exposing those clusters publicly.
The kubeportal runs as a Deployment in Hub mode in the central cluster and as a Deployment in Agent mode in remote clusters.

kubeportal is an early prototype, still in active development.
Expect breaking changes and incomplete features.
It’s currently intended for exploration and internal testing rather than production use.

Images are built automatically for linux on 4 architectures and can be found here: https://quay.io/repository/ibm/kubeportal?tab=tags
To experiment locally: docker pull quay.io/ibm/kubeportal:latest

Agents establish outbound, TLS-secured connections to the Hub.
These connections are used to proxy Kubernetes API requests initiated by workloads running in the Hub cluster.
Authentication and authorization are enforced via native Kubernetes RBAC, using regular pod-mounted service account tokens that don't leave the cluster.

• Seamless usage/integration for clients.
• No public API endpoints or shared credentials.
• Works entirely with Kubernetes-native primitives.
• Fine-grained, RBAC-based access controls on both sides.
• Simple Hub and Agent deployment model with horizontal scaling.

• Streaming operations like exec are natively supported over websocket, which became the default starting from kubernetes 1.31, and can be opted in from version 1.29.

• kube-oidc-proxy - also uses impersonation for cross-cluster auth but relies on remote API server to be network-accessible.
• Konnectivity - both kubeportal and Konnectivity use reverse connection initiation. Konnectivity is for API server -> node traffic while kubeportal is for pod-> remote API server traffic.
• Teleport - similar idea but primarily for human -> API server traffic instead of workload -> API server.