Set up Konnectivity service

    You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube.

    Configure the Konnectivity service

    The following steps require an egress configuration, for example:

    admin/konnectivity/egress-selector-configuration.yaml

    1. Make sure that the feature is enabled in your cluster. It is enabled by default since Kubernetes v1.20.
    2. Create an egress configuration file such as .
    3. Set the --egress-selector-config-file flag of the API Server to the path of your API Server egress configuration file.
    4. If you use a UDS connection, add the following volume configuration to the kube-apiserver:

    ```yaml
    spec:
      containers:
        volumeMounts:
        - name: konnectivity-uds
          mountPath: /etc/kubernetes/konnectivity-server
          readOnly: false
      volumes:
      - name: konnectivity-uds
        hostPath:
          path: /etc/kubernetes/konnectivity-server
          type: DirectoryOrCreate
    ```

    Generate or obtain a certificate and kubeconfig for konnectivity-server. For example, you can use the OpenSSL command line tool to issue an X.509 certificate, using the cluster CA certificate /etc/kubernetes/pki/ca.crt from a control-plane host.
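    One way to perform that step, as an added example rather than the Kubernetes documentation's own script: issue a client certificate whose CN is system:konnectivity-server (the user that the ClusterRoleBinding further down binds to system:auth-delegator), sign it with the cluster CA, and write the self-contained kubeconfig that the server's --kubeconfig flag points at. It assumes the CA private key (ca.key beside ca.crt) is available on the control-plane host and takes the API server URL and an output directory as parameters.

```shell
#!/bin/sh
# Added example, not the Kubernetes docs' own script: issue a client cert for
# konnectivity-server with the cluster CA and write its kubeconfig.
# Assumption: the CA private key (e.g. /etc/kubernetes/pki/ca.key) is
# available next to ca.crt on the control-plane host.
set -eu

# usage: issue_konnectivity_kubeconfig CA_CRT CA_KEY APISERVER_URL OUTDIR
issue_konnectivity_kubeconfig() {
  ca_crt=$1; ca_key=$2; apiserver_url=$3; outdir=$4
  # The CN becomes the user name; it must match the ClusterRoleBinding subject.
  cn="system:konnectivity-server"
  mkdir -p "$outdir"
  openssl genrsa -out "$outdir/konnectivity-server.key" 2048 2>/dev/null
  openssl req -new -key "$outdir/konnectivity-server.key" -subj "/CN=$cn" \
    -out "$outdir/konnectivity-server.csr" 2>/dev/null
  # Restrict the certificate to client authentication before the CA signs it.
  printf 'extendedKeyUsage=clientAuth\n' > "$outdir/client.ext"
  openssl x509 -req -in "$outdir/konnectivity-server.csr" -CA "$ca_crt" \
    -CAkey "$ca_key" -CAcreateserial -days 365 -extfile "$outdir/client.ext" \
    -out "$outdir/konnectivity-server.crt" 2>/dev/null
  # Fail early if the new certificate does not chain to the cluster CA.
  openssl verify -CAfile "$ca_crt" "$outdir/konnectivity-server.crt" >/dev/null
  # Self-contained kubeconfig for --kubeconfig=/etc/kubernetes/konnectivity-server.conf
  cat > "$outdir/konnectivity-server.conf" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    certificate-authority-data: $(openssl base64 -A -in "$ca_crt")
    server: $apiserver_url
users:
- name: $cn
  user:
    client-certificate-data: $(openssl base64 -A -in "$outdir/konnectivity-server.crt")
    client-key-data: $(openssl base64 -A -in "$outdir/konnectivity-server.key")
contexts:
- name: $cn@kubernetes
  context:
    cluster: kubernetes
    user: $cn
current-context: $cn@kubernetes
EOF
  # The private key is embedded in the kubeconfig, so lock both files down.
  chmod 0600 "$outdir/konnectivity-server.key" "$outdir/konnectivity-server.conf"
}
```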

    Next, you need to deploy the Konnectivity server and agents. kubernetes-sigs/apiserver-network-proxy is a reference implementation.


    ```yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: konnectivity-server
      namespace: kube-system
    spec:
      priorityClassName: system-cluster-critical
      hostNetwork: true
      containers:
      - name: konnectivity-server-container
        image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-server:v0.0.16
        command: ["/proxy-server"]
        args: [
                "--logtostderr=true",
                # This needs to be consistent with the value set in egressSelectorConfiguration.
                "--uds-name=/etc/kubernetes/konnectivity-server/konnectivity-server.socket",
                # The following two lines assume the Konnectivity server is
                # deployed on the same machine as the apiserver, and the certs and
                # key of the API Server are at the specified location.
                "--cluster-cert=/etc/kubernetes/pki/apiserver.crt",
                "--cluster-key=/etc/kubernetes/pki/apiserver.key",
                # This needs to be consistent with the value set in egressSelectorConfiguration.
                "--server-port=0",
                "--agent-port=8132",
                "--admin-port=8133",
                "--health-port=8134",
                "--agent-namespace=kube-system",
                "--agent-service-account=konnectivity-agent",
                "--kubeconfig=/etc/kubernetes/konnectivity-server.conf",
                "--authentication-audience=system:konnectivity-server"
                ]
        livenessProbe:
          httpGet:
            scheme: HTTP
            host: 127.0.0.1
            port: 8134
            path: /healthz
          initialDelaySeconds: 30
          timeoutSeconds: 60
        ports:
        - name: agentport
          containerPort: 8132
          hostPort: 8132
        - name: adminport
          containerPort: 8133
          hostPort: 8133
        - name: healthport
          containerPort: 8134
          hostPort: 8134
        volumeMounts:
        - name: k8s-certs
          mountPath: /etc/kubernetes/pki
          readOnly: true
        - name: kubeconfig
          mountPath: /etc/kubernetes/konnectivity-server.conf
          readOnly: true
        # Same socket directory as in the kube-apiserver volume configuration above.
        - name: konnectivity-uds
          mountPath: /etc/kubernetes/konnectivity-server
          readOnly: false
      volumes:
      - name: k8s-certs
        hostPath:
          path: /etc/kubernetes/pki
      - name: kubeconfig
        hostPath:
          path: /etc/kubernetes/konnectivity-server.conf
          type: FileOrCreate
      - name: konnectivity-uds
        hostPath:
          path: /etc/kubernetes/konnectivity-server
          type: DirectoryOrCreate
    ```

    Then deploy the Konnectivity agents in your cluster:

    admin/konnectivity/konnectivity-agent.yaml

    If RBAC is enabled in your cluster, also create the RBAC rules the server and agents rely on. The ClusterRoleBinding grants the system:konnectivity-server user (the identity in the server's kubeconfig certificate) the system:auth-delegator role it needs to validate agent tokens, and the ServiceAccount is the one named by the server's --agent-service-account flag:

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: system:konnectivity-server
      labels:
        kubernetes.io/cluster-service: "true"
        addonmanager.kubernetes.io/mode: Reconcile
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:auth-delegator
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: system:konnectivity-server
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: konnectivity-agent
      namespace: kube-system
      labels:
        kubernetes.io/cluster-service: "true"
        addonmanager.kubernetes.io/mode: Reconcile
    ```