document how to run konnectivity server in kind

aojea · aojea · commit fae2064c27b9 · 2024-01-12T22:44:48.000Z
diff --git a/examples/kind/README.md b/examples/kind/README.md
@@ -0,0 +1,51 @@
+# Use apiserver-network-proxy with KIND
+
+
+Change to the `examples/kind` folder and create a `kind` cluster with the `kind.config` file
+
+```sh
+$ kind create cluster --config kind.config
+Creating cluster "kind" ...
+DEBUG: docker/images.go:58] Image: kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72 present locally
+ ✓ Ensuring node image (kindest/node:v1.27.3) 🖼
+⠎⠁ Preparing nodes 📦 📦 📦
+
+This node has joined the cluster:
+* Certificate signing request was sent to apiserver and a response was received.
+* The Kubelet was informed of the new secure connection details.
+
+Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
+ ✓ Joining worker nodes 🚜
+Set kubectl context to "kind-kind"
+You can now use your cluster with:
+
+kubectl cluster-info --context kind-kind
+
+Have a nice day! 👋
+```
+
+Once the cluster is ready install the `apiserver-network-proxy` components:
+
+```sh
+$ kubectl apply -f konnectivity-server.yaml
+clusterrolebinding.rbac.authorization.k8s.io/system:konnectivity-server created
+daemonset.apps/konnectivity-server created
+
+$ kubectl apply -f konnectivity-agent-ds.yaml
+serviceaccount/konnectivity-agent created
+```
+
+To validate that it works, run a custom image and try to exec into the pod (it goes through the konnectivity proxy):
+```sh
+$ kubectl run test --image httpd:2
+pod/test created
+$ kubectl get pods
+NAME   READY   STATUS              RESTARTS   AGE
+test   0/1     ContainerCreating   0          4s
+$ kubectl get pods
+NAME   READY   STATUS    RESTARTS   AGE
+test   1/1     Running   0          6s
+$ kubectl exec -it test bash
+kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
+```
+
diff --git a/examples/kind/egress_selector_configuration.yaml b/examples/kind/egress_selector_configuration.yaml
@@ -0,0 +1,15 @@
+apiVersion: apiserver.k8s.io/v1beta1
+kind: EgressSelectorConfiguration
+egressSelections:
+- name: cluster
+  connection:
+    proxyProtocol: GRPC
+    transport:
+      uds:
+        udsName: /etc/kubernetes/konnectivity-server/konnectivity-server.socket
+- name: master
+  connection:
+    proxyProtocol: Direct
+- name: etcd
+  connection:
+    proxyProtocol: Direct
diff --git a/examples/kind/kind.config b/examples/kind/kind.config
@@ -0,0 +1,32 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+networking:
+  ipFamily: ipv4
+nodes:
+- role: control-plane
+  kubeadmConfigPatchesJSON6902:
+  - kind: ClusterConfiguration
+    patch: |
+      - op: add
+        path: /apiServer/certSANs/-
+        value: konnectivity-server.kube-system.svc.cluster.local
+  kubeadmConfigPatches:
+  - |
+    kind: ClusterConfiguration
+    apiServer:
+      extraArgs:
+        "egress-selector-config-file": "/etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml"
+      extraVolumes:
+      - name: egress-selector-config-file
+        hostPath: "/etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml"
+        mountPath: "/etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml"
+        readOnly: true
+      - name: konnectivity-server
+        hostPath: "/etc/kubernetes/konnectivity-server"
+        mountPath: "/etc/kubernetes/konnectivity-server"
+        readOnly: true
+  extraMounts:
+  - hostPath: ./egress_selector_configuration.yaml
+    containerPath: /etc/kubernetes/konnectivity-server-config/egress_selector_configuration.yaml
+- role: worker
+- role: worker
diff --git a/examples/kind/konnectivity-agent-ds.yaml b/examples/kind/konnectivity-agent-ds.yaml
@@ -0,0 +1,87 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: konnectivity-agent
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    k8s-app: konnectivity-agent
+  namespace: kube-system
+  name: konnectivity-agent
+spec:
+  selector:
+    matchLabels:
+      k8s-app: konnectivity-agent
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        k8s-app: konnectivity-agent
+    spec:
+      priorityClassName: system-cluster-critical
+      tolerations:
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"
+        - operator: "Exists"
+          effect: "NoExecute"
+      nodeSelector:
+        kubernetes.io/os: linux
+      dnsPolicy: ClusterFirstWithHostNet
+      containers:
+      - name: konnectivity-agent-container
+        image: gcr.io/k8s-staging-kas-network-proxy/proxy-agent:master
+        resources:
+          requests:
+            cpu: 50m
+          limits:
+            memory: 30Mi
+        command: [ "/proxy-agent"]
+        args: [
+          "--logtostderr=true",
+          "--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
+          "--proxy-server-host=konnectivity-server.kube-system.svc.cluster.local",
+          "--proxy-server-port=8091",
+          "--sync-interval=5s",
+          "--sync-interval-cap=30s",
+          "--probe-interval=5s",
+          "--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token",
+          "--agent-identifiers=ipv4=$(HOST_IP)"
+          ]
+        env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.hostIP
+        livenessProbe:
+          httpGet:
+            scheme: HTTP
+            port: 8093
+            path: /healthz
+          initialDelaySeconds: 15
+          timeoutSeconds: 15
+        volumeMounts:
+          - mountPath: /var/run/secrets/tokens
+            name: konnectivity-agent-token
+      serviceAccountName: konnectivity-agent
+      volumes:
+      - name: konnectivity-agent-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: konnectivity-agent-token
+              audience: system:konnectivity-server
diff --git a/examples/kind/konnectivity-server.yaml b/examples/kind/konnectivity-server.yaml
@@ -0,0 +1,122 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:konnectivity-server
+  labels:
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: system:konnectivity-server
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: konnectivity-server
+  namespace: kube-system
+spec:
+  selector:
+    k8s-app: konnectivity-server
+  clusterIP: None
+  ports:
+    - protocol: TCP
+      port: 8091
+      targetPort: 8091
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    k8s-app: konnectivity-server
+  namespace: kube-system
+  name: konnectivity-server
+spec:
+  selector:
+    matchLabels:
+      k8s-app: konnectivity-server
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        k8s-app: konnectivity-server
+    spec:
+      priorityClassName: system-cluster-critical
+      tolerations:
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"
+        - operator: "Exists"
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      hostNetwork: true
+      containers:
+      - name: konnectivity-server-container
+        image: gcr.io/k8s-staging-kas-network-proxy/proxy-server:master
+        resources:
+          requests:
+            cpu: 1m
+        command: [ "/proxy-server"]
+        args: [
+          "--log-file=/var/log/konnectivity-server.log",
+          "--logtostderr=true",
+          "--log-file-max-size=0",
+          "--uds-name=/etc/kubernetes/konnectivity-server/konnectivity-server.socket",
+          "--cluster-cert=/etc/kubernetes/pki/apiserver.crt",
+          "--cluster-key=/etc/kubernetes/pki/apiserver.key",
+          "--server-port=0",
+          "--agent-port=8091",
+          "--health-port=8092",
+          "--admin-port=8093",
+          "--keepalive-time=1h",
+          "--mode=grpc",
+          "--agent-namespace=kube-system",
+          "--agent-service-account=konnectivity-agent",
+          "--kubeconfig=/etc/kubernetes/admin.conf",
+          "--authentication-audience=system:konnectivity-server",
+          ]
+        livenessProbe:
+          httpGet:
+            scheme: HTTP
+            host: 127.0.0.1
+            port: 8092
+            path: /healthz
+          initialDelaySeconds: 10
+          timeoutSeconds: 60
+        ports:
+        - name: serverport
+          containerPort: 8090
+          hostPort: 8090
+        - name: agentport
+          containerPort: 8091
+          hostPort: 8091
+        - name: healthport
+          containerPort: 8092
+          hostPort: 8092
+        - name: adminport
+          containerPort: 8093
+          hostPort: 8093
+        volumeMounts:
+        - name: varlogkonnectivityserver
+          mountPath: /var/log/konnectivity-server.log
+          readOnly: false
+        - name: kubernetes
+          mountPath: /etc/kubernetes
+          readOnly: true
+        - name: konnectivity-home
+          mountPath: /etc/kubernetes/konnectivity-server
+      volumes:
+      - name: varlogkonnectivityserver
+        hostPath:
+          path: /var/log/konnectivity-server.log
+          type: FileOrCreate
+      - name: kubernetes
+        hostPath:
+          path: /etc/kubernetes
+      - name: konnectivity-home
+        hostPath:
+          path: /etc/kubernetes/konnectivity-server
+          type: DirectoryOrCreate
