Installation
Twingate Kubernetes Access Gateway needs a Twingate Network and other components (Client and Connector) to function. For a step-by-step setup from scratch, see the Quick Start Guide.
The Kubernetes Access Gateway can be deployed in several configurations, depending on your network architecture and security requirements:
- Connector and Gateway Inside Cluster (Recommended) - Both the Twingate Connector and Gateway are deployed within your Kubernetes cluster. This provides the simplest setup and management experience, with all components running in the same environment. This guide primarily focuses on this configuration.

  Tip: For ease of setup and management, we highly recommend installing both Connector and Gateway using Twingate Operator.

- Connector Outside, Gateway Inside Cluster (Supported) - The Twingate Connector runs outside the Kubernetes cluster (e.g., in a separate VM or container) while the Gateway runs inside. This setup is useful when you have an existing Connector deployment or when cluster-level network restrictions are in place. See the "Support Twingate Connector outside the Kubernetes Cluster" section below for details.

- Connector and Gateway Outside Cluster (Advanced) - While technically possible for specialized use cases, this configuration requires more manual configuration that is not covered in this guide. Please reach out to Twingate Support for assistance!
The Gateway Helm Chart is a subchart of the Twingate Operator Helm Chart. You can install the Gateway together with the Twingate Operator by enabling the subchart in the `values.yaml` file. Note that `<network-name>` is the name of your Twingate Network, i.e. you access Twingate via `https://<network-name>.twingate.com`.
```yaml
twingateOperator:
  # Existing Twingate Operator configurations
  network: "<network-name>"
  remoteNetworkId: "<the ID of the Remote Network>"

kubernetes-access-gateway:
  enabled: true # Enable the Gateway subchart
  twingate:
    network: "<network-name>"
    resource:
      # Annotate Gateway Service as a Twingate resource
      enabled: true
      extraAnnotations:
        resource.twingate.com/name: "My Kubernetes Cluster"
        resource.twingate.com/alias: "my-k8s-cluster.int"
```

Apply this configuration to install the Gateway:

```shell
helm upgrade twop oci://ghcr.io/twingate/helmcharts/twingate-operator --install --wait -f ./values.yaml
```

This will install the Gateway Helm Chart and annotate the Gateway service so that Twingate Operator can automatically create a TwingateResource to represent the Kubernetes API Server of the cluster.
```
$ kubectl get twingateresources
NAME                                      ID                         DISPLAY NAME            ADDRESS                                ALIAS                AGE
twop-kubernetes-access-gateway-resource   UmVzb3VyY2U6Mjk2OTI1Mw==   My Kubernetes Cluster   kubernetes.default.svc.cluster.local   my-k8s-cluster.int   67s
```

After a few moments, a resource should be created and visible in Twingate Admin Console.
Assign your user or group to the resource.
The Gateway Helm Chart is hosted on GitHub Container Registry.

Create `values.yaml` with the following content. Note that `<network-name>` is the name of your Twingate Network, i.e. you access Twingate via `https://<network-name>.twingate.com`.

```yaml
twingate:
  network: "<network-name>"

tls:
  dnsNames:
    # Include the resource alias in the TLS certificate served by the Gateway
    - "my-k8s-cluster.int"
```

Apply this configuration to install the Gateway:

```shell
helm upgrade gateway oci://ghcr.io/twingate/helmcharts/kubernetes-access-gateway --install --wait -f ./values.yaml
```

On successful installation, Helm should display the information about the Gateway that you need to create a Kubernetes resource in Admin Console in the next step. This installation note is displayed after every `helm upgrade` command, so feel free to run it again if you need to!
```
NOTES:
Admin Console URL - https://<network-name>.twingate.com

1. The Gateway is accessible via its ClusterIP DNS at
   gateway-kubernetes-access-gateway.default.svc.cluster.local
2. The Gateway uses TLS certificates from the "gateway-kubernetes-access-gateway-tls" Secret. The CA certificate is
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIRAL24+wmZMdURdJ8z2GTQT3owDQYJKoZIhvcNAQELBQAw
...
QDbPZTYFDSzdcv2viV8IxYSVZdTuyW635BL0wn0D
-----END CERTIFICATE-----
```
In Admin Console, create a new resource with the following details. This resource represents the Kubernetes API Server of the cluster that is only accessible via the Gateway.
- Type: `Kubernetes Cluster`
- Name: `My Kubernetes Cluster`
- Address: `kubernetes.default.svc.cluster.local`
- Alias: `my-k8s-cluster.int`
- Gateway Address: `gateway-kubernetes-access-gateway.default.svc.cluster.local` (copy from the previous step)
- CA Certificate: (copy from the previous step)

  ```
  -----BEGIN CERTIFICATE-----
  MIIDSjCCAjKgAwIBAgIRAL24+wmZMdURdJ8z2GTQ
  ...
  QDbPZTYFDSzdcv2viV8IxYSVZdTuyW635BL0wn0D
  -----END CERTIFICATE-----
  ```

Assign your user or group to the resource.
Support Twingate Connector outside the Kubernetes Cluster

By default, the Gateway is exposed via a ClusterIP service. When the Connector is outside the cluster, you can use a LoadBalancer service to expose the Gateway outside the cluster.

For example, on Google Kubernetes Engine (GKE), you can add the following to the `values.yaml` file:

```yaml
service:
  type: LoadBalancer
  annotations:
    cloud.google.com/load-balancer-type: "Internal"
```

Apply this configuration to install the Gateway:

```shell
helm upgrade gateway oci://ghcr.io/twingate/helmcharts/kubernetes-access-gateway --install --wait -f ./values.yaml
```

The Gateway will now be accessible by the Connector via the LoadBalancer's IP or hostname. You can get the LoadBalancer address with the following command:

```
$ kubectl get service -w gateway-kubernetes-access-gateway -o jsonpath='{.status.loadBalancer.ingress[0]}'
{"ip":"10.138.0.39","ipMode":"VIP"}
```

Use this address as the Gateway Address when creating the resource in the Admin Console.
Tip
When you install the Gateway using Twingate Operator, the Gateway Address is automatically set to the LoadBalancer's IP or hostname, eliminating the need for manual configuration.
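
An added example, not part of the Twingate documentation: a POSIX shell check that classifies the LoadBalancer ingress entry printed by the `kubectl get service` command above before it is used as the Gateway Address, since a public IP would mean the internal load-balancer annotation did not take effect. The function names and exit codes are assumptions, the sample input is constructed from the output shown above, and only RFC 1918 ranges are treated as private.

```shell
#!/bin/sh
# Added example: classify a LoadBalancer ingress entry before using it as
# the Gateway Address. Function names and exit codes are assumptions.

# Pull one string field ("ip" or "hostname") out of the one-line JSON entry.
ingress_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Succeed only for a well-formed dotted-quad IPv4 address.
valid_ipv4() {
  case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    if [ "${#octet}" -gt 3 ] || [ "$octet" -gt 255 ]; then return 1; fi
  done
  return 0
}

# Succeed if the address is in RFC 1918 space (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*)
      second=${1#172.}; second=${second%%.*}
      if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then return 0; fi ;;
  esac
  return 1
}

# Print a verdict; exit status is 0 only for a private IP address.
check_gateway_ingress() {
  ip=$(ingress_field "$1" ip)
  host=$(ingress_field "$1" hostname)
  if [ -n "$ip" ]; then
    if ! valid_ipv4 "$ip"; then echo "invalid $ip"; return 2; fi
    if is_private_ipv4 "$ip"; then echo "private $ip"; return 0; fi
    echo "public $ip"; return 1
  fi
  if [ -n "$host" ]; then echo "hostname $host"; return 3; fi
  echo "pending"; return 4
}

# Constructed sample input: the ingress entry from the kubectl output above.
check_gateway_ingress '{"ip":"10.138.0.39","ipMode":"VIP"}'
# Live use (without -w, so the command returns instead of watching):
# check_gateway_ingress "$(kubectl get service gateway-kubernetes-access-gateway \
#   -o jsonpath='{.status.loadBalancer.ingress[0]}')"
```

A `hostname` verdict (status 3) means the provider returned a DNS name rather than an IP, so resolve it and check the resulting addresses separately; `pending` (status 4) means no ingress entry has been assigned yet.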
Copyright © 2025 Twingate.