
I'm interested in whether I can run k8s with a publicly available control plane and worker nodes in a network behind a firewall (which is an edge/IoT deployment use case). The main concern, as I believe, is the communication between the apiserver and kubelet/kube-proxy. Can it be configured as only node -> master communication? How can I achieve this?

I could not find precise info besides this short note in the kubelet reference: "HTTP endpoint: HTTP endpoint passed as a parameter on the command line. This endpoint is checked every 20 seconds (also configurable with a flag)."

For kube-proxy I could not find any info.

I'm also new to golang, so analyzing the k8s source code is for now beyond my skill. Any help appreciated :)

1 Answer


Can it be configured as only node -> master communication? How can I achieve this?

I would guess only trying it will prove for sure that the apiserver doesn't need to contact the kubelet. However, related to that: be aware that in such a setup, kubectl exec and kubectl logs will no longer function, because those commands connect directly to port 10254 on the kubelet binary instead of sending all that traffic through the API server.

As for kube-proxy, it appears it uses the in-cluster $KUBERNETES_SERVICE_HOST, which will be the .1 IP of the Service CIDR, and will use the software-defined network to reach the apiserver. Although there are other configurations which volume-mount a kubeconfig from the host, so I guess the ultimate answer will depend on how you installed your cluster.

mdaniel
Thank you! I did some tests and I was able to add a node. The kube-proxy and calico pods were scheduled. The kubelet posts the status of the node to the apiserver. However, the container runtime crashes because of some OS misconfiguration, so I wasn't able to run any workloads on the added node. Full answer will be soon :) – Piotr Kozimor Mar 08 '20 at 10:21
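An added audit script for the two points the answer raises; it is not from the question, the answer, or the Kubernetes project. It reads the `server:` URL out of a kubelet or kube-proxy kubeconfig and classifies it as in-cluster (only reachable over the service network) or external, and it tests whether a control-plane host can still open a TCP connection to a node's kubelet port, which is the inbound path that `kubectl exec` and `kubectl logs` depend on. Assumptions are labelled in the code: the kubelet port defaults to 10250 and the Service CIDR's first IP to 10.96.0.1 (both overridable through environment variables), the sample kubeconfig is constructed, and 192.0.2.10 is a made-up node IP; the kubeconfig path shown in the usage comment depends on how the cluster was installed.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the question, the answer, or Kubernetes itself).
# Purpose: make the traffic direction explicit before firewalling the node side.
#   1. Which apiserver endpoint does a kubelet/kube-proxy kubeconfig point at?
#   2. Can the control-plane host still open a TCP connection to the kubelet?
#      (kubectl exec/logs need that inbound path, as the answer notes.)
# Assumptions (labelled): kubelet API port 10250 unless overridden, and
# 10.96.0.1 as the first IP of a default Service CIDR; adjust for your cluster.

KUBELET_PORT="${KUBELET_PORT:-10250}"      # assumption: standard kubelet port
SERVICE_VIP="${SERVICE_VIP:-10.96.0.1}"    # assumption: default Service CIDR .1

# Print the first "server:" URL found in a kubeconfig file (or stdin).
kubeconfig_server() {
  sed -n 's/^[[:space:]]*server:[[:space:]]*//p' "${1:-/dev/stdin}" | head -n 1
}

# Classify an apiserver URL: "in-cluster" means it is only reachable over the
# pod/service network (the kube-proxy case from the answer); "external" means
# a routable address the node can reach outbound through its firewall.
classify_server() {
  case "$1" in
    https://kubernetes.default*|https://kubernetes:*|https://kubernetes/*|"https://$SERVICE_VIP"*)
      echo "in-cluster" ;;
    *)
      echo "external" ;;
  esac
}

# tcp_reachable HOST PORT [TIMEOUT_SECONDS]: exit 0 if a TCP connect succeeds.
# Run on the control-plane host against a node IP to test apiserver->kubelet.
tcp_reachable() {
  host=$1; port=$2; t=${3:-3}
  timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# report_node NODE_IP: one-line verdict on the inbound kubelet path.
report_node() {
  if tcp_reachable "$1" "$KUBELET_PORT" 2; then
    echo "$1:$KUBELET_PORT reachable: apiserver->kubelet works (exec/logs ok)"
  else
    echo "$1:$KUBELET_PORT unreachable: node->master only (expect exec/logs to fail)"
  fi
}

# --- constructed sample input: a kube-proxy kubeconfig of the kind the answer describes ---
SAMPLE_KUBECONFIG='apiVersion: v1
kind: Config
clusters:
- name: default
  cluster:
    server: https://10.96.0.1:443
    certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
'

srv=$(printf '%s' "$SAMPLE_KUBECONFIG" | kubeconfig_server)
echo "kube-proxy would talk to: $srv ($(classify_server "$srv"))"
# Real usage (paths and IPs are assumptions; depend on the installer):
#   kubeconfig_server /var/lib/kube-proxy/kubeconfig.conf
#   report_node 192.0.2.10    # on the control-plane host; 192.0.2.10 = constructed node IP
```

If `classify_server` reports `in-cluster`, kube-proxy is relying on the overlay network to reach the apiserver, and on a node that can only talk outbound through a firewall it should instead be given a kubeconfig whose `server:` is the public control-plane endpoint. If `report_node` reports the kubelet port unreachable, the cluster is in the node -> master only posture the question asks about, with the `kubectl exec`/`kubectl logs` limitation the answer describes.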