
Commit 798b5c9

kvaps and Tim Bannister authored
Add missing steps to configure konnectivity-server (#24141)
* Add missing steps to configure konnectivity-server
* Update content/en/docs/tasks/extend-kubernetes/setup-konnectivity.md
  Co-authored-by: Tim Bannister <[email protected]>
* Update content/en/docs/tasks/extend-kubernetes/setup-konnectivity.md
  Co-authored-by: Tim Bannister <[email protected]>
* Update content/en/docs/tasks/extend-kubernetes/setup-konnectivity.md
  Co-authored-by: Tim Bannister <[email protected]>
* update konnectivity manifests
* remove tcp configuration

Co-authored-by: Tim Bannister <[email protected]>
1 parent 3bfab68 commit 798b5c9

4 files changed: +53 -24 lines changed


content/en/docs/tasks/extend-kubernetes/setup-konnectivity.md

Lines changed: 25 additions & 0 deletions
@@ -24,10 +24,35 @@ The following steps require an egress configuration, for example:
2424
You need to configure the API Server to use the Konnectivity service
2525
and direct the network traffic to the cluster nodes:
2626

27+
1. Make sure that
28+
the `ServiceAccountTokenVolumeProjection` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
29+
is enabled. You can enable
30+
[service account token volume protection](/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection)
31+
by providing the following flags to the kube-apiserver:
32+
```
33+
--service-account-issuer=api
34+
--service-account-signing-key-file=/etc/kubernetes/pki/sa.key
35+
--api-audiences=system:konnectivity-server
36+
```
2737
1. Create an egress configuration file such as `admin/konnectivity/egress-selector-configuration.yaml`.
2838
1. Set the `--egress-selector-config-file` flag of the API Server to the path of
2939
your API Server egress configuration file.
3040

41+
Generate or obtain a certificate and kubeconfig for konnectivity-server.
42+
For example, you can use the OpenSSL command line tool to issue a X.509 certificate,
43+
using the cluster CA certificate `/etc/kubernetes/pki/ca.crt` from a control-plane host.
44+
45+
```bash
46+
openssl req -subj "/CN=system:konnectivity-server" -new -newkey rsa:2048 -nodes -out konnectivity.csr -keyout konnectivity.key -out konnectivity.csr
47+
openssl x509 -req -in konnectivity.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out konnectivity.crt -days 375 -sha256
48+
SERVER=$(kubectl config view -o jsonpath='{.clusters..server}')
49+
kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-credentials system:konnectivity-server --client-certificate konnectivity.crt --client-key konnectivity.key --embed-certs=true
50+
kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-cluster kubernetes --server "$SERVER" --certificate-authority /etc/kubernetes/pki/ca.crt --embed-certs=true
51+
kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-context system:konnectivity-server@kubernetes --cluster kubernetes --user system:konnectivity-server
52+
kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config use-context system:konnectivity-server@kubernetes
53+
rm -f konnectivity.crt konnectivity.key konnectivity.csr
54+
```
55+
3156
Next, you need to deploy the Konnectivity server and agents.
3257
[kubernetes-sigs/apiserver-network-proxy](https://github.com/kubernetes-sigs/apiserver-network-proxy)
3358
is a reference implementation.
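Review bot: the first `openssl req` line passes `-out konnectivity.csr` twice; drop one occurrence. Three further points in this hunk: the link text reads "service account token volume protection" while the linked anchor is `#service-account-token-volume-projection`, so it should say "projection"; `--api-audiences=system:konnectivity-server` on its own replaces the API server's default audience list (which otherwise falls back to the issuer) rather than adding to it, so verify that every audience other token consumers in the cluster expect is still listed, comma separated; and the hunk issues a client certificate for the identity `system:konnectivity-server` but says nothing about what that identity is authorized to do against the API server, so if the RBAC setup lives elsewhere on the page, a cross-reference after the `rm -f` line would complete the "missing steps" this commit is about.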

content/en/examples/admin/konnectivity/egress-selector-configuration.yaml

Lines changed: 1 addition & 1 deletion
@@ -18,4 +18,4 @@ egressSelections:
1818
# The other supported transport is "tcp". You will need to set up TLS
1919
# config to secure the TCP transport.
2020
uds:
21-
udsName: /etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket
21+
udsName: /etc/kubernetes/konnectivity-server/konnectivity-server.socket

content/en/examples/admin/konnectivity/konnectivity-agent.yaml

Lines changed: 4 additions & 2 deletions
@@ -22,7 +22,7 @@ spec:
2222
- key: "CriticalAddonsOnly"
2323
operator: "Exists"
2424
containers:
25-
- image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.8
25+
- image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.12
2626
name: konnectivity-agent
2727
command: ["/proxy-agent"]
2828
args: [
@@ -32,14 +32,16 @@ spec:
3232
# this is the IP address of the master machine.
3333
"--proxy-server-host=35.225.206.7",
3434
"--proxy-server-port=8132",
35+
"--admin-server-port=8133",
36+
"--health-server-port=8134",
3537
"--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token"
3638
]
3739
volumeMounts:
3840
- mountPath: /var/run/secrets/tokens
3941
name: konnectivity-agent-token
4042
livenessProbe:
4143
httpGet:
42-
port: 8093
44+
port: 8134
4345
path: /healthz
4446
initialDelaySeconds: 15
4547
timeoutSeconds: 15
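Review bot: the livenessProbe now targets 8134, matching the new `--health-server-port=8134`, which resolves the earlier probe against 8093, a port that no flag in this manifest configured. Because these two values must stay equal, add a `# This needs to be consistent with --health-server-port` comment at the probe, in the style the server manifest already uses for `--uds-name`. The added `--admin-server-port=8133` is not referenced by any probe or comment here, so either document what it is needed for or leave the admin port at its default.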

content/en/examples/admin/konnectivity/konnectivity-server.yaml

Lines changed: 23 additions & 21 deletions
@@ -8,34 +8,33 @@ spec:
88
hostNetwork: true
99
containers:
1010
- name: konnectivity-server-container
11-
image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-server:v0.0.8
11+
image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-server:v0.0.12
1212
command: ["/proxy-server"]
1313
args: [
14-
"--log-file=/var/log/konnectivity-server.log",
15-
"--logtostderr=false",
16-
"--log-file-max-size=0",
14+
"--logtostderr=true",
1715
# This needs to be consistent with the value set in egressSelectorConfiguration.
18-
"--uds-name=/etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket",
16+
"--uds-name=/etc/kubernetes/konnectivity-server/konnectivity-server.socket",
1917
# The following two lines assume the Konnectivity server is
2018
# deployed on the same machine as the apiserver, and the certs and
2119
# key of the API Server are at the specified location.
22-
"--cluster-cert=/etc/srv/kubernetes/pki/apiserver.crt",
23-
"--cluster-key=/etc/srv/kubernetes/pki/apiserver.key",
20+
"--cluster-cert=/etc/kubernetes/pki/apiserver.crt",
21+
"--cluster-key=/etc/kubernetes/pki/apiserver.key",
2422
# This needs to be consistent with the value set in egressSelectorConfiguration.
2523
"--mode=grpc",
2624
"--server-port=0",
2725
"--agent-port=8132",
2826
"--admin-port=8133",
27+
"--health-port=8134",
2928
"--agent-namespace=kube-system",
3029
"--agent-service-account=konnectivity-agent",
31-
"--kubeconfig=/etc/srv/kubernetes/konnectivity-server/kubeconfig",
30+
"--kubeconfig=/etc/kubernetes/konnectivity-server.conf",
3231
"--authentication-audience=system:konnectivity-server"
3332
]
3433
livenessProbe:
3534
httpGet:
3635
scheme: HTTP
3736
host: 127.0.0.1
38-
port: 8133
37+
port: 8134
3938
path: /healthz
4039
initialDelaySeconds: 30
4140
timeoutSeconds: 60
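Review bot: `--cluster-cert` and `--cluster-key` still point konnectivity-server at the API server's own serving certificate and private key (now under `/etc/kubernetes/pki`), as the comment above them acknowledges; sharing the apiserver private key with a second process enlarges its exposure, so consider documenting a dedicated serving certificate for the agent-facing listener, the same way the setup-konnectivity.md hunk in this commit issues a dedicated client certificate for the kubeconfig. The probe moving from 8133 to 8134 is right given the new `--health-port=8134`, and `--logtostderr=true` matches the removal of the log-file mount in the next hunk.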
@@ -46,25 +45,28 @@ spec:
4645
- name: adminport
4746
containerPort: 8133
4847
hostPort: 8133
48+
- name: healthport
49+
containerPort: 8134
50+
hostPort: 8134
4951
volumeMounts:
50-
- name: varlogkonnectivityserver
51-
mountPath: /var/log/konnectivity-server.log
52-
readOnly: false
53-
- name: pki
54-
mountPath: /etc/srv/kubernetes/pki
52+
- name: k8s-certs
53+
mountPath: /etc/kubernetes/pki
54+
readOnly: true
55+
- name: kubeconfig
56+
mountPath: /etc/kubernetes/konnectivity-server.conf
5557
readOnly: true
5658
- name: konnectivity-uds
57-
mountPath: /etc/srv/kubernetes/konnectivity-server
59+
mountPath: /etc/kubernetes/konnectivity-server
5860
readOnly: false
5961
volumes:
60-
- name: varlogkonnectivityserver
62+
- name: k8s-certs
6163
hostPath:
62-
path: /var/log/konnectivity-server.log
63-
type: FileOrCreate
64-
- name: pki
64+
path: /etc/kubernetes/pki
65+
- name: kubeconfig
6566
hostPath:
66-
path: /etc/srv/kubernetes/pki
67+
path: /etc/kubernetes/konnectivity-server.conf
68+
type: FileOrCreate
6769
- name: konnectivity-uds
6870
hostPath:
69-
path: /etc/srv/kubernetes/konnectivity-server
71+
path: /etc/kubernetes/konnectivity-server
7072
type: DirectoryOrCreate
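Review bot: the `k8s-certs` volume mounts the whole `/etc/kubernetes/pki` directory into the container although the args only read `apiserver.crt` and `apiserver.key`; that directory also holds `ca.key` and `sa.key` (both referenced earlier in this commit), so mount just the two files, each as a `hostPath` with `type: File`, to keep the server at least privilege. Likewise, `type: FileOrCreate` on the `kubeconfig` hostPath will silently create an empty `/etc/kubernetes/konnectivity-server.conf` when the step that generates it was skipped, turning a clear missing-file error into a confusing authentication failure at runtime; `type: File` fails fast instead. Finally, since the pod runs with `hostNetwork: true` (context at the top of this file), the new `healthport` containerPort/hostPort entries are informational only and the health (8134) and admin (8133) listeners are reachable on the host network regardless, so note which interfaces they are expected to be exposed on.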
