What is the konnectivity service for Kubernetes?

Question

I had seen official documentation: https://kubernetes.io/docs/tasks/setup-konnectivity/setup-konnectivity/ but I still failed to understand its meaning. I have few questions:

1. If the connectivity service provides TCP level proxy, so what does the proxy include?
2. If I used the service on a cluster, what will happen to My pods, services, quality for communication, speed for computing, or traffic? In other words, what does the service bring?

Answer 1

From the docs here

Motivation

Kubernetes has outgrown the SSH tunnels. They complicate KAS code and only one cloud provider implemented them. After a year of deprecation time, they will be removed in an upcoming release.

In retrospect, having an explicit level of indirection that separates user-initiated network traffic from API server-initiated traffic is a useful concept. Cloud providers want to control how API server to pod, node and service network traffic is implemented. Cloud providers may choose to run their API server (control network) and the cluster nodes (cluster network) on isolated networks. The control and cluster networks may have overlapping IP addresses. Therefore, they require a non IP routing layer (SSH tunnel are an example). Adding this layer enables metadata audit logging. It allows validation of outgoing API server connections. Structuring the API server in this way is a forcing function for keeping architectural layering violations out of apiserver. In combination with a firewall, this separation of networks protects against security concerns such as Security Impact of Kubernetes API server external IP address proxying.

Goals

Delete the SSH Tunnel/Node Dialer code from Kube APIServer. Enable admins to fix https://groups.google.com/d/msg/kubernetes-security-announce/tyd-MVR-tY4/tyREP9-qAwAJ. Allow isolation of the Control network from the Cluster network.

Konnectivity Server

The proxy server which runs in the master network. It has a secure channel established to the cluster network. It could work on either an HTTP Connect mechanism or gRPC. If the former it would use standard HTTP Connect. If the latter it would expose a gRPC interface to KAS to provide connectivity service. Formerly known the Network Proxy Server.

Konnectivity Agent

A proxy agent which runs in the node network for establishing the tunnel. Formerly known as the Network Proxy Agent.