To access services running on the remote, edge or network-restricted cluster from the Management cluster, connect to the tunnel proxy.
You can use these three methods:
If the client program supports use of a kubeconfig file, use the network-restricted cluster’s kubeconfig.
If the client program supports SOCKS5 proxies, use the proxy directly.
Otherwise, deploy a proxy server on the Management cluster.
Network-restricted Cluster Service
These sections require a service to run on the Attached or Managed network-restricted cluster.
As an example, start the following service:
CODE
service_namespace=testservice_name=webserverservice_port=8888service_endpoint=${service_name}.${service_namespace}.svc.cluster.local:${service_port}cat > nginx.yaml <<EOFapiVersion: v1kind: Namespacemetadata: name: ${service_namespace}---apiVersion: apps/v1kind: Deploymentmetadata: namespace: ${service_namespace} name: nginx-deployment labels: app: nginx-deploymentspec: replicas: 3 selector: matchLabels: app: nginx-app template: metadata: labels: app: nginx-app spec: containers: - name: nginx image: nginx:1.14.2 ports: - containerPort: 80---apiVersion: v1kind: Servicemetadata: namespace: ${service_namespace} name: ${service_name}spec: selector: app: nginx-app type: ClusterIP ports: - targetPort: 80 port: ${service_port}EOFkubectl apply -f nginx.yamlkubectl rollout status deploy -n ${service_namespace} nginx-deploymentOn the Attached or Managed cluster, a client Job can access this service using:
CODE
cat > curl.yaml <<EOFapiVersion: batch/v1kind: Jobmetadata: name: curlspec: template: spec: containers: - name: curl image: curlimages/curl:7.76.0 command: ["curl", "--silent", "--show-error", "http://${service_endpoint}"] restartPolicy: Never backoffLimit: 4EOFkubectl apply -f curl.yamlkubectl wait --for=condition=complete job curlpodname=$(kubectl get pods --selector=job-name=curl --field-selector=status.phase=Succeeded -o jsonpath='{.items[0].metadata.name}')kubectl logs ${podname}The final command returns the default Nginx web page:
CODE
<!DOCTYPE html><html><head><title>Welcome to nginx!</title><style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; }</style></head><body><h1>Welcome to nginx!</h1><p>If you see this page, the nginx web server is successfully installed andworking. Further configuration is required.</p><p>For online documentation and support please refer to<a href="http://nginx.org/">nginx.org</a>.<br/>Commercial support is available at<a href="http://nginx.com/">nginx.com</a>.</p><p><em>Thank you for using nginx.</em></p></body></html>Use of kubeconfig file
This is primarily useful for running kubectl commands on the Management cluster to monitor the network-restricted, Managed or Attached cluster.
On the Management cluster, a kubeconfig file for the Attached or Managed cluster configured to use the tunnel proxy is available as a Secret. The Secret’s name can be identified using:
CODE
kubeconfig_secret=$(kubectl get tunnelconnector -n ${namespace} ${connector} -o jsonpath='{.status.kubeconfigRef.name}')After setting service_namespace and service_name to the service resource, run this command on the Management cluster:
CODE
cat > get-service.yaml <<EOFapiVersion: batch/v1kind: Jobmetadata: name: get-servicespec: template: spec: containers: - name: kubectl image: bitnami/kubectl:1.19 command: ["kubectl", "get", "service", "-n", "${service_namespace}", "${service_name}"] env: - name: KUBECONFIG value: /tmp/kubeconfig/kubeconfig volumeMounts: - name: kubeconfig mountPath: /tmp/kubeconfig volumes: - name: kubeconfig secret: secretName: "${kubeconfig_secret}" restartPolicy: Never backoffLimit: 4EOFkubectl apply -n ${namespace} -f get-service.yamlkubectl wait --for=condition=complete --timeout=5m job -n ${namespace} get-servicepodname=$(kubectl get pods -n ${namespace} --selector=job-name=get-service --field-selector=status.phase=Succeeded -o jsonpath='{.items[0].metadata.name}')kubectl logs -n ${namespace} ${podname}Direct use of SOCKS5 proxy
To use the SOCKS5 proxy directly, obtain the SOCKS5 proxy endpoint using:
CODE
proxy_service=$(kubectl get tunnelconnector -n ${namespace} ${connector} -o jsonpath='{.status.tunnelServer.serviceRef.name}')socks_proxy=$(kubectl get service -n ${namespace} "${proxy_service}" -o jsonpath='{.spec.clusterIP}{":"}{.spec.ports[?(@.name=="proxy")].port}')Provide the value of ${socks_proxy} as the SOCKS5 proxy to your client.
For example, since curl supports SOCKS5 proxies, the Attached or Managed service started above can be accessed from the Management cluster by adding the SOCKS5 proxy to the curl command. After setting service_endpoint to the service endpoint, on the Management cluster run:
CODE
cat > curl.yaml <<EOFapiVersion: batch/v1kind: Jobmetadata: name: curlspec: template: spec: containers: - name: curl image: curlimages/curl:7.76.0 command: ["curl", "--silent", "--show-error", "--socks5-hostname", "${socks_proxy}", "http://${service_endpoint}"] restartPolicy: Never backoffLimit: 4EOFkubectl apply -f curl.yamlkubectl wait --for=condition=complete --timeout=5m job curlpodname=$(kubectl get pods --selector=job-name=curl --field-selector=status.phase=Succeeded -o jsonpath='{.items[0].metadata.name}')kubectl logs ${podname}The final command returns the same output as for the job on the Attached or Managed cluster, demonstrating that the job on the Management cluster accessed the service running on the Attached or Managed cluster.
Use of deployed proxy on Management cluster
To deploy a proxy on the Management cluster, obtain the SOCKS5 proxy endpoint using:
CODE
proxy_service=$(kubectl get tunnelconnector -n ${namespace} ${connector} -o jsonpath='{.status.tunnelServer.serviceRef.name}')socks_proxy=$(kubectl get service -n ${namespace} "${proxy_service}" -o jsonpath='{.spec.clusterIP}{":"}{.spec.ports[?(@.name=="proxy")].port}')Provide the value of ${socks_proxy} as the SOCKS5 proxy to a proxy deployed on the Management cluster. After setting service_endpoint to the service endpoint, on the Management cluster run:
CODE
cat > nginx-proxy.yaml <<EOFapiVersion: cert-manager.io/v1kind: Certificatemetadata: name: nginx-proxy-crtspec: secretName: nginx-proxy-crt-secret dnsNames: - nginx-proxy-service.${namespace}.svc.cluster.local issuerRef: group: cert-manager.io kind: ClusterIssuer name: kubernetes-ca---apiVersion: apps/v1kind: Deploymentmetadata: name: nginx-proxy labels: app: nginx-proxy-deploymentspec: replicas: 1 selector: matchLabels: app: nginx-proxy-app template: metadata: labels: app: nginx-proxy-app spec: containers: - name: nginx-proxy image: mesosphere/ghostunnel:v1.5.3-server-backend-proxy args: - "server" - "--listen=:443" - "--target=${service_endpoint}" - "--cert=/etc/certs/tls.crt" - "--key=/etc/certs/tls.key" - "--cacert=/etc/certs/ca.crt" - "--unsafe-target" - "--disable-authentication" env: - name: ALL_PROXY value: socks5://${socks_proxy} ports: - containerPort: 443 volumeMounts: - name: certs mountPath: /etc/certs volumes: - name: certs secret: secretName: nginx-proxy-crt-secret---apiVersion: v1kind: Servicemetadata: name: nginx-proxy-servicespec: selector: app: nginx-proxy-app type: ClusterIP ports: - targetPort: 443 port: 8765EOFkubectl apply -n ${namespace} -f nginx-proxy.yamlkubectl rollout status deploy -n ${namespace} nginx-proxyproxy_port=$(kubectl get service -n ${namespace} nginx-proxy-service -o jsonpath='{.spec.ports[0].port}')Any client running on the Management cluster can now access the service running on the Attached or Managed cluster using the proxy service endpoint. Note in the following that the curl job runs in the same namespace as the proxy, to provide access to the CA certificate secret.
CODE
cat > curl.yaml <<EOFapiVersion: batch/v1kind: Jobmetadata: name: curlspec: template: spec: containers: - name: curl image: curlimages/curl:7.76.0 command: - curl - --silent - --show-error - --cacert - /etc/certs/ca.crt - https://nginx-proxy-service.${namespace}.svc.cluster.local:${proxy_port} volumeMounts: - name: certs mountPath: /etc/certs volumes: - name: certs secret: secretName: nginx-proxy-crt-secret restartPolicy: Never backoffLimit: 4EOFkubectl apply -n ${namespace} -f curl.yamlkubectl wait --for=condition=complete --timeout=5m job -n ${namespace} curlpodname=$(kubectl get pods -n ${namespace} --selector=job-name=curl --field-selector=status.phase=Succeeded -o jsonpath='{.items[0].metadata.name}')kubectl logs -n ${namespace} ${podname}The final command returns the same output as the job on the Attached or Managed cluster, demonstrating that the job on the Management cluster accessed the service running on the network-restricted cluster.
Next Step:
Optional: If you want to manage the attached cluster from the Management cluster, enable proxied access.
For information on the TunnelGateway review the API documentation (v1alpha1).
