Create a Kubernetes TCP target

TCP targets provide a generic way to connect to any service Boundary has access to, including Kubernetes API servers.

The following examples use a direct target address for simplicity, but HashiCorp recommends that you configure host catalogs and host sets for scaled production deployments.

Complete the following steps to create a TCP target for a Kubernetes API server.

Log in to Boundary.
Select an org, and then select the project where you want to create a target.
Select Targets under Project Actions.
Click New Target.
Complete the following fields:
- Name: (Required) A name for identification purposes, such as kubernetes. The name must be unique.
- Description: (Optional) An optional description of the target for identification purposes.
- Type: (Required) Select TCP to create a TCP target.
- Target Address (Optional) If you are not using host catalogs and host sets, you can enter a target address instead to map the target to a single address. This must be a valid IP address or DNS name.
- Default Port (Required) The default port on which to connect, such as 6443 for an HTTPS TCP connection.
- Aliases (Optional) A globally-scoped unique identifier for the target, which makes the target easier to connect to using the CLI or transparent sessions. If you create an alias, click Add to assign it.
Click Save.

Log in to Boundary.
Set the BOUNDARY_PROJECT_ID environment variable, or provide the scope ID (such as p_1234567890) in the next step.
Use the following command to create a TCP target named kubernetes with a direct target address of 10.0.0.100 and a default connection port of 6443:
```
$ boundary targets create tcp \
  -scope-id $BOUNDARY_PROJECT_ID \
  -name "kubernetes" \
  -address "10.0.0.100" \
  -default-port 6443
```
You must provide the scope-id field when you create a static host catalog.
Refer to the targets domain model documentation for more fields that you can use when you create targets, and the targets create command for all the CLI options.

You can define a target and target alias using the Boundary Terraform provider:

resource "boundary_target" "kubernetes_api" {
  name         = "kubernetes"
  description  = "Kubernetes API server target"
  type         = "tcp"
  address      = "10.0.0.100"
  default_port = "6443"
  scope_id     = boundary_scope.project.id
}

Configure a brokered application credential

You can configure a brokered application credential for end users to connect to the target. Brokered credentials are exposed to the end user to allow them to authenticate to a target manually, or using connect helpers.

Note

You can configure TCP targets with credential brokering, but not credential injection.

You can configure credentials for the TCP target using:

Static credentials (username_password)
Vault credential library (username/password)

Refer to the Configure targets with credential brokering page to learn how to configure a target with credential brokering.

Next steps

To learn how to connect to a target, refer to Connection workflows.

To use target aliases to connect to targets:

Create a target alias
Connect to a target using an alias
After you set up a target alias, you can optionally Configure transparent sessions for end users. ^HCP/ENT