can the apiserver connect to the Kubelet port of a node through CNI-provided network?

Question

The sleeve mode of Weave Net allows adding nodes behind NAT to the mesh, e.g. machines in a company network without external IP.

When Weave Net is used with Kubernetes, such nodes can be added to the cluster. The only drawback (besides the performance compared to fastdp) seems to be that the Kubernetes API server can't reach the Kubelet port, so attaching to a Pod or getting logs doesn't work.

Is it somehow possible to work around this issue, e.g. by connecting to the Kubelet port of a NATed node through the weave network instead?

Answer 1

Taking under consideration how kubectl exec works and looking at Weave Net documentation makes it impossible to fix the cluster connectivity problem with Weave CNI.

Weave uses the underlying network for sending a packet to the node. I can't find any information saying that it is allowed to put the cluster node behind the NAT. More details can be found here

Therefore it is impossible to work around this issue as you suggested.

I hope it helps.