Infra (YC W21) – Open-source access management for Kubernetes

Hey HN! We’re Jeff and Michael, and we’re building Infra (https://github.com/infrahq/infra). Infra is a tool for managing access to cloud infrastructure. We’re starting with Kubernetes and have a roadmap to support Postgres, SSH and much more.

Michael and I were the co-founders of Kitematic, an easy way to run Docker on the desktop. We sold the company to Docker and built Docker Desktop while there. After that, we worked on Infra App, a Kubernetes client for Mac, Windows and Linux. Between what users told us and our time at Docker, it became obvious that managing infrastructure access was becoming increasingly painful.

Many larger teams don’t give access to developers, while smaller teams often just grant admin access to everyone. Teams in between either build extensive tooling in-house (e.g. Segment’s Access Service), or they end up spending a lot of time manually onboarding and offboarding team members with the right permissions. We wanted to help teams securely distribute access using the principles of least privilege to their infrastructure systems without managing certificates, keys or integrations with identity providers.

With Infra, access is granted or revoked via an API or CLI, and in the background, Infra takes care of provisioning users & groups with the right permissions no matter where the cluster is hosted (EKS, GKE, AKS, or other managed/self-hosted Kubernetes clusters). When users need access, Infra distributes short-lived credentials that expire after a short period. For larger teams, Infra integrates with identity providers like Okta to automatically give access via existing accounts.

Credentials are signed and verified by a central root of trust with a short time to live, so they are easily revoked or rotated when necessary. Infra doesn’t rely on a single point of failure. Other tools in this space use a centralized proxy to verify credentials, whereas Infra instead verifies them at the destination infrastructure. Access continues to work should Infra’s API or the configured identity provider go down temporarily. For clusters hosted in different regions, this means users won’t suffer from slow connections from being proxied.

Infra is a lightweight service written in Go, uses <100MB memory at rest, and is deployed by default with SQLite.

There are a few existing tools that solve infrastructure access management, but they are sold directly to directors of engineering or security teams and can’t be easily deployed by smaller teams without an expensive sales contract. We set out to build a product that teams of any size can pick up, self-host, deploy and build custom tooling on top of without fretting about a sales conversation.

Our GitHub repo is at https://github.com/infrahq/infra which contains the full product that can be self-hosted via Docker or Kubernetes. We plan to make money by running a managed service version of Infra so teams don’t need to host and upgrade Infra manually. We don’t have pricing for this yet but will charge in a way that scales with usage, so even smaller teams (<10) can use it.

Our team includes an early VMware employee whose work is used in all VMware ESXi installs, an engineer from Hashicorp who was a large contributor to Consul, the original developer evangelist from Datadog, and the engineer who built 1Password’s cloud service, 1Password for teams.

We started building Infra a year ago and have been quietly iterating on it with a few teams of various sizes, ranging from 5 developers to public companies. We’re so happy to be able to share it with you and can’t wait to hear your feedback and thoughts!



Get Top 5 Posts of the Week



best of all time best of today best of yesterday best of this week best of this month best of last month best of this year best of 2023 best of 2022 yc s24 yc w24 yc s23 yc w23 yc s22 yc w22 yc s21 yc w21 yc s20 yc w20 yc s19 yc w19 yc s18 yc w18 yc all-time 3d algorithms animation android [ai] artificial-intelligence api augmented-reality big data bitcoin blockchain book bootstrap bot css c chart chess chrome extension cli command line compiler crypto covid-19 cryptography data deep learning elexir ether excel framework game git go html ios iphone java js javascript jobs kubernetes learn linux lisp mac machine-learning most successful neural net nft node optimisation parser performance privacy python raspberry pi react retro review my ruby rust saas scraper security sql tensor flow terminal travel virtual reality visualisation vue windows web3 young talents


andrey azimov by Andrey Azimov