Octelium Logo
Documentation
Client-less Access for Workloads to Kubernetes using Go SDK

You can easily protect access to all your Kubernetes clusters as Octelium Services and provide your client-less WORKLOAD Users such as your Golang-based microservices and applications with secret-less access without having to expose, manage and share Kubeconfigs, mTLS client private keys or access tokens required to access such Kubernetes clusters. In this short guide, we're going to use the Golang SDK (read more here) to access a generic HTTP SaaS API that requires a bearer access token.

We first create a Secret that contains the kubeconfig file required to access the Kubernetes cluster (read more here) as follows:

octeliumctl create secret kubeconfig-k8s1 --file /PATH/TO/KUBECONFIG

Note that Octelium also supports secret-less access to Kubernetes clusters via access tokens and mTLS client certificates. You can read more here.

Now we create the KUBERNETES Service representing our Kubernetes cluster that needs to be protected as follows:

1
kind: Service

2
metadata:

3
  name: k8s1

4
spec:

5
  mode: KUBERNETES

6
  config:

7
    upstream:

8
      url: https://k8s-cluster.example.com:6443

9
    kubernetes:

10
      kubeconfig:

11
        fromSecret: kubeconfig-k8s1

You can now apply the Service k8s1 as follows:

octeliumctl apply /PATH/TO/SERVICE.YAML

We can now easily use the octelium-go library and automatically feed its HTTP client into the NewForConfigAndClient() function to create a kubernetes client as follows:

1
package main

2


3
import (

4
	"context"

5
	"fmt"

6
	"os"

7


8
	"github.com/octelium/octelium/octelium-go"

9
	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"

10
	"k8s.io/client-go/kubernetes"

11
	"k8s.io/client-go/rest"

12
)

13


14
func main() {

15
	if err := doMain(context.Background()); err != nil {

16
		panic(err)

17
	}

18
}

19


20
func doMain(ctx context.Context) error {

21
	octeliumC, err := octelium.NewClient(ctx, &octelium.ClientConfig{

22
		Domain:              "example.com",

23
		AuthenticationToken: os.Getenv("AUTH_TOKEN"),

24
	})

25
	if err != nil {

26
		return err

27
	}

28


29
	defer octeliumC.Close()

30


31
	k8sC, err := kubernetes.NewForConfigAndClient(&rest.Config{

32
		Host: "k8s-cluster-01.example.com",

33
	}, octeliumC.HTTP().Client())

34
	if err != nil {

35
		return err

36
	}

37


38
	podList, err := k8sC.CoreV1().Pods("").List(ctx, v1.ListOptions{})

39
	if err != nil {

40
		return err

41
	}

42
	fmt.Printf("podList = %+v\n", podList)

43


44
	return nil

45
}

It's important to note that the Go-SDK is not the only way to access publicly exposed BeyondCorp Services. You can also use the OAuth2 client credentials flow to access any such Service (read more here). This enables your applications and microservices written in any language to access the Cluster's Services via standard OAuth2 libraries that are supported in most major programming languages without having to use any clients or use specific SDKs. You can also generate an access token Credential and use it directly as a standard bearer token (read more here).

© 2025 octelium.comOctelium Labs, LLCAll rights reserved
Octelium and Octelium logo are trademarks of Octelium Labs, LLC.
WireGuard is a registered trademark of Jason A. Donenfeld
AboutContactEnterprise
Privacy PolicyTerms