Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is the konnectivity service for Kubernetes?

Tags:

kubernetes

I had seen official documentation: https://kubernetes.io/docs/tasks/setup-konnectivity/setup-konnectivity/ but I still failed to understand its meaning. I have few questions:

  1. If the connectivity service provides TCP level proxy, so what does the proxy include?
  2. If I used the service on a cluster, what will happen to My pods, services, quality for communication, speed for computing, or traffic? In other words, what does the service bring?
like image 567
zhangqichuan Avatar asked May 10 '20 03:05

zhangqichuan

People also ask

What is a Kubernetes service used for?

A Kubernetes service is a logical abstraction for a deployed group of pods in a cluster (which all perform the same function). Since pods are ephemeral, a service enables a group of pods, which provide specific functions (web services, image processing, etc.) to be assigned a name and unique IP address (clusterIP).

What is proxy service in Kubernetes?

kube-proxy is a network proxy that runs on each node in your cluster, implementing part of the Kubernetes Service concept. kube-proxy maintains network rules on nodes. These network rules allow network communication to your Pods from network sessions inside or outside of your cluster.

1 Answers

From the docs here

Motivation

Kubernetes has outgrown the SSH tunnels. They complicate KAS code and only one cloud provider implemented them. After a year of deprecation time, they will be removed in an upcoming release.

In retrospect, having an explicit level of indirection that separates user-initiated network traffic from API server-initiated traffic is a useful concept. Cloud providers want to control how API server to pod, node and service network traffic is implemented. Cloud providers may choose to run their API server (control network) and the cluster nodes (cluster network) on isolated networks. The control and cluster networks may have overlapping IP addresses. Therefore, they require a non IP routing layer (SSH tunnel are an example). Adding this layer enables metadata audit logging. It allows validation of outgoing API server connections. Structuring the API server in this way is a forcing function for keeping architectural layering violations out of apiserver. In combination with a firewall, this separation of networks protects against security concerns such as Security Impact of Kubernetes API server external IP address proxying.

Goals

Delete the SSH Tunnel/Node Dialer code from Kube APIServer. Enable admins to fix https://groups.google.com/d/msg/kubernetes-security-announce/tyd-MVR-tY4/tyREP9-qAwAJ. Allow isolation of the Control network from the Cluster network.

Konnectivity Server

The proxy server which runs in the master network. It has a secure channel established to the cluster network. It could work on either an HTTP Connect mechanism or gRPC. If the former it would use standard HTTP Connect. If the latter it would expose a gRPC interface to KAS to provide connectivity service. Formerly known the Network Proxy Server.

Konnectivity Agent

A proxy agent which runs in the node network for establishing the tunnel. Formerly known as the Network Proxy Agent. enter image description here

like image 64
Arghya Sadhu Avatar answered Nov 04 '22 06:11

Arghya Sadhu
Sign in to Comment

Related questions

How to fix 'container runtime is down,PLEG is not healthy'
Kubernetes Node NotReady: ContainerGCFailed / ImageGCFailed context deadline exceeded
Kubernetes - How to read logs that are written to files in pods instead of stdout/stderr?
How to expose Kubernetes DNS externally
Mistakenly updated configmap aws-auth with rbac & lost access to the cluster
Use a single volume to mount multiple files from secrets or configmaps
Rendered manifests contain a resource that already exists. Could not get information about the resource: resource name may not be empty
Entity Framework Core leaving many connections in sleeping status
Kubectl: Kubernetes with minikube times out
How to add websocket support to an ingress resource in Kubernetes on IBM Bluemix?
Kubernetes1.9.0 kubeadm init - crictl not found in system path
Kubernetes deployment without a port
Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden
How to filter pods in kubernetes dashboard using labels?
How to specify a prefix to a service exposed with an ingress
How to access Kubernetes Dashboard from outside network
kubernetes deployment- container not starting- error- InvalidImageName
kubernetes: Failed to update endpoints warning
How to redirect HTTP to HTTPS with Nginx Ingress Controller, AWS NLB and TLS certificate managed by AWS Certificate Manager?
Jenkins sh script hangs when run in specific container

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!