Set up Konnectivity service

    You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using .

    Configure the Konnectivity service

    The following steps set up the egress configuration that the API Server uses to reach the Konnectivity server:

    1. Make sure that the Service Account Token Volume Projection feature is enabled in your cluster (the agents authenticate to the Konnectivity server with projected tokens bound to the audience system:konnectivity-server). It is enabled by default since Kubernetes v1.20.
    2. Create an egress configuration file such as .
    3. Set the --egress-selector-config-file flag of the API Server to the path of your API Server egress configuration file.
    4. If you use a UDS connection, add the following volume configuration to the kube-apiserver so that it can reach the socket the Konnectivity server creates:

      spec:
        containers:
          volumeMounts:
          - name: konnectivity-uds
            mountPath: /etc/kubernetes/konnectivity-server
            readOnly: false
        volumes:
        - name: konnectivity-uds
          hostPath:
            path: /etc/kubernetes/konnectivity-server
            type: DirectoryOrCreate
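The steps above hinge on one value being identical in two places: the udsName in the API Server's egress selector configuration and the --uds-name the Konnectivity server is started with. The following shell script is an added example (not from the Kubernetes docs or the Konnectivity project) that writes an EgressSelectorConfiguration for UDS/GRPC and checks it against the server manifest's args; the file name egress-selector-configuration.yaml, the /etc/kubernetes location and the manifest excerpt it checks against are assumptions for the offline demo.

```shell
#!/bin/sh
# Added example, not part of the Kubernetes docs: write the API server's
# EgressSelectorConfiguration and check that its udsName agrees with the
# --uds-name passed to /proxy-server. Assumed (not from the page): the file
# name egress-selector-configuration.yaml and the /etc/kubernetes location.
set -eu

DEFAULT_UDS=/etc/kubernetes/konnectivity-server/konnectivity-server.socket

# Write an EgressSelectorConfiguration that routes "cluster" egress (API
# server to nodes, pods and services) through Konnectivity over a Unix domain
# socket using GRPC. $1 = output file, $2 = socket path (optional).
write_egress_config() {
  out="$1"; uds="${2:-$DEFAULT_UDS}"
  cat > "$out" <<EOF
apiVersion: apiserver.k8s.io/v1beta1
kind: EgressSelectorConfiguration
egressSelections:
# "cluster" covers API server -> node/pod/service traffic; "etcd" and
# "controlplane" are the other selectable names and stay direct here.
- name: cluster
  connection:
    # Must match the Konnectivity server's --mode=grpc; HTTPConnect is the other option.
    proxyProtocol: GRPC
    transport:
      # UDS is the right choice when proxy-server runs on the API server host.
      uds:
        udsName: $uds
EOF
}

# Constructed excerpt of the konnectivity-server manifest's args list, in the
# same quoted-array form as the page's manifest (for offline demonstration).
write_sample_server_manifest() {
  cat > "$1" <<'EOF'
    args: [
      "--logtostderr=true",
      # This needs to be consistent with the value set in egressSelectorConfiguration.
      "--uds-name=/etc/kubernetes/konnectivity-server/konnectivity-server.socket",
      "--delete-existing-uds-file",
      "--mode=grpc"
    ]
EOF
}

# udsName from the egress config (first occurrence).
egress_uds_name() {
  sed -n 's/^[[:space:]]*udsName:[[:space:]]*//p' "$1" | head -n 1
}

# Socket path from the server manifest's "--uds-name=..." argument.
server_uds_name() {
  sed -n 's/.*"--uds-name=\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Non-zero when the two disagree: the API server would dial a socket that
# nobody listens on and every egress to the cluster (logs, exec, webhooks)
# would fail.
check_uds_consistent() {
  a="$(egress_uds_name "$1")"; b="$(server_uds_name "$2")"
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# The kube-apiserver flag for step 3.
apiserver_flag() {
  printf '%s\n' "--egress-selector-config-file=$1"
}

# Offline demo in a scratch directory (on a real control plane, write to
# /etc/kubernetes and add the flag to the kube-apiserver static pod).
demo_dir="$(mktemp -d)"
write_egress_config "$demo_dir/egress-selector-configuration.yaml"
write_sample_server_manifest "$demo_dir/konnectivity-server.yaml"
if check_uds_consistent "$demo_dir/egress-selector-configuration.yaml" \
                        "$demo_dir/konnectivity-server.yaml"; then
  echo "udsName matches --uds-name"
fi
apiserver_flag /etc/kubernetes/egress-selector-configuration.yaml
rm -rf "$demo_dir"
```

Run check_uds_consistent against the real files after every change to either side; a mismatch does not surface as an API Server startup error, only as failing egress (kubectl logs/exec, webhooks) once the server tries to use the socket.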

    Generate or obtain a certificate and kubeconfig for konnectivity-server. For example, you can use the OpenSSL command line tool to issue an X.509 certificate, using the cluster CA certificate /etc/kubernetes/pki/ca.crt from a control-plane host. The certificate's CN is the Kubernetes user the server authenticates as, so it must be system:konnectivity-server, the User subject of the ClusterRoleBinding further below; keep the private key and the kubeconfig readable by root only.

    Next, you need to deploy the Konnectivity server and agents. is a reference implementation.

    admin/konnectivity/konnectivity-server.yaml

    apiVersion: v1
    kind: Pod
    metadata:
      name: konnectivity-server
      namespace: kube-system
    spec:
      priorityClassName: system-cluster-critical
      hostNetwork: true
      containers:
      - name: konnectivity-server-container
        image: registry.k8s.io/kas-network-proxy/proxy-server:v0.0.37
        command: ["/proxy-server"]
        args: [
          "--logtostderr=true",
          # This needs to be consistent with the value set in egressSelectorConfiguration.
          "--uds-name=/etc/kubernetes/konnectivity-server/konnectivity-server.socket",
          "--delete-existing-uds-file",
          # The following two lines assume the Konnectivity server is
          # deployed on the same machine as the apiserver, and the certs and
          # key of the API Server are at the specified location.
          "--cluster-cert=/etc/kubernetes/pki/apiserver.crt",
          "--cluster-key=/etc/kubernetes/pki/apiserver.key",
          "--mode=grpc",
          "--server-port=0",
          "--agent-port=8132",
          "--admin-port=8133",
          "--health-port=8134",
          # Only agents running in this namespace under this service account,
          # presenting a token for the audience below, are accepted.
          "--agent-namespace=kube-system",
          "--agent-service-account=konnectivity-agent",
          "--kubeconfig=/etc/kubernetes/konnectivity-server.conf",
          "--authentication-audience=system:konnectivity-server"
        ]
        livenessProbe:
          httpGet:
            scheme: HTTP
            host: 127.0.0.1
            port: 8134
            path: /healthz
          initialDelaySeconds: 30
          timeoutSeconds: 60
        ports:
        # With hostNetwork these listen on the node itself: agents on every
        # node dial 8132; the admin (metrics/pprof) and health ports should not
        # be reachable beyond the control-plane host.
        - name: agentport
          containerPort: 8132
          hostPort: 8132
        - name: adminport
          containerPort: 8133
          hostPort: 8133
        - name: healthport
          containerPort: 8134
          hostPort: 8134
        volumeMounts:
        - name: k8s-certs
          mountPath: /etc/kubernetes/pki
          readOnly: true
        - name: kubeconfig
          mountPath: /etc/kubernetes/konnectivity-server.conf
          readOnly: true
        # Socket directory shared with the kube-apiserver (see the UDS volume
        # added to the API Server above); must be writable so the socket can be created.
        - name: konnectivity-uds
          mountPath: /etc/kubernetes/konnectivity-server
          readOnly: false
      volumes:
      - name: k8s-certs
        hostPath:
          path: /etc/kubernetes/pki
      - name: kubeconfig
        hostPath:
          path: /etc/kubernetes/konnectivity-server.conf
          type: FileOrCreate
      - name: konnectivity-uds
        hostPath:
          path: /etc/kubernetes/konnectivity-server
          type: DirectoryOrCreate

    Then deploy the Konnectivity agents in your cluster. They must run in the kube-system namespace under the konnectivity-agent service account, matching the --agent-namespace and --agent-service-account flags of the server above. If RBAC is enabled in your cluster, also create the relevant RBAC rules: the system:auth-delegator binding lets the server validate the agents' projected service account tokens (audience system:konnectivity-server) against the API Server, and the ServiceAccount is the identity the agents present.

    admin/konnectivity/konnectivity-rbac.yaml

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: system:konnectivity-server
      labels:
        kubernetes.io/cluster-service: "true"
        addonmanager.kubernetes.io/mode: Reconcile
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:auth-delegator
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: system:konnectivity-server
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: konnectivity-agent
      namespace: kube-system
      labels:
        kubernetes.io/cluster-service: "true"