Connecting GCP Kubernetes in private vpc and NAT

1/30/2019

I have created a new GCP Kubernetes cluster. The cluster is private with NAT - it does not have a connection to the internet. I also deployed a bastion machine which allows me to connect into my private network (VPC) from the internet. This is the tutorial I based it on. SSH into the bastion is currently working.

The Kubernetes master is not exposed outside. The result:

$ kubectl get pods
  The connection to the server 172.16.0.2 was refused - did you specify the right host or port?

So I installed kubectl on the bastion and ran:

$ kubectl proxy --port 1111
  Starting to serve on 127.0.0.1:3128

Now I want to connect my local kubectl to the remote proxy server. I set up a secure tunnel to the bastion server and mapped the remote port to a local port. I also tried it with curl and it's working.

Now I am looking for something like

$ kubectl --use-proxy=1111 get pods

(Make my local kubectl pass through my remote proxy)

How to do it?

-- No1Lives4Ever
google-kubernetes-engine
kubectl
kubernetes

1 Answer

1/30/2019

kubectl proxy acts exactly as an apiserver, exactly like the target apiserver - but the queries through it are already authenticated. From your description, 'works with curl', it sounds like you've set it up correctly; you just need to target the client kubectl to it:

kubectl --server=http://localhost:1111

(Where port 1111 on your local machine is where kubectl proxy is available; in your case through a tunnel)

If you need exec or attach through kubectl proxy you'll need to run it with either --disable-filter=true or --reject-paths='^$'. Read the fine print and consequences for those options.

Safer way

All in all, this is not how I access clusters through a bastion. The problem with the above approach is that if someone gains access to the bastion they immediately have valid Kubernetes credentials (as kubectl proxy needs those to function). It is also not the safest solution if the bastion is shared between multiple operators. One of the main points of a bastion would be that it never has credentials on it. What I fancy doing is accessing the bastion from my workstation with:

ssh -D 1080 bastion

That makes ssh act as a SOCKS proxy. You need GatewayPorts yes in your sshd_config for this to work. Thereafter from the workstation I can use

HTTPS_PROXY=socks5://127.0.0.1:1080 kubectl get pod
-- Janos Lenart
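The SOCKS approach from the answer wrapped in a small script, added here as an example; it is not part of the original answer. It assumes an ssh host alias bastion, kubectl with its kubeconfig on the workstation only, and a free local port 1080; the optional persist_proxy helper additionally assumes kubectl 1.19 or newer for the proxy-url kubeconfig field.

```shell
#!/bin/sh
# Added example (not from the original answer): open the SOCKS tunnel to the
# bastion, run kubectl through it, and tear the tunnel down afterwards.
# Assumed: ssh alias "bastion" in ~/.ssh/config, kubectl + kubeconfig on the
# workstation (never on the bastion), and local port 1080 free.
set -eu

BASTION="${BASTION:-bastion}"
SOCKS_PORT="${SOCKS_PORT:-1080}"

# Proxy URL kubectl reads from HTTPS_PROXY. Bound to loopback only, so nothing
# else on the LAN can ride the tunnel.
socks_proxy_url() {
  printf 'socks5://127.0.0.1:%s' "$1"
}

# Dynamic (SOCKS) forward on loopback. -N: no remote command, so no shell is
# opened on the bastion. -f: go to the background after auth.
# ExitOnForwardFailure=yes: fail loudly if the port is taken instead of
# silently running without the forward.
open_tunnel() {
  ssh -o ExitOnForwardFailure=yes -N -f -D "127.0.0.1:$SOCKS_PORT" "$BASTION"
}

# Kill only the ssh process owning this tunnel (matched on its -D argument).
close_tunnel() {
  pkill -f -- "-D 127.0.0.1:$SOCKS_PORT" || true
}

# Optional: store the proxy in kubeconfig so plain "kubectl" uses the tunnel.
# The proxy-url cluster field needs kubectl 1.19 or newer (assumed here).
persist_proxy() {
  cluster_name="$1"
  kubectl config set "clusters.$cluster_name.proxy-url" \
    "$(socks_proxy_url "$SOCKS_PORT")"
}

main() {
  open_tunnel
  trap close_tunnel EXIT
  # Credentials stay in the local kubeconfig; the bastion only relays TCP.
  HTTPS_PROXY="$(socks_proxy_url "$SOCKS_PORT")" kubectl "$@"
}

# Usage: ./k8s-via-bastion.sh get pods   (no arguments: only define functions)
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```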
Source: StackOverflow