What is the alternative to Kubernetes' deprecated SSH tunnel feature?

6/25/2019

I want to set up a Kubernetes cluster on an untrusted network. Therefore, validating the node's serving certificate is not an option.

In the documentation it is written that there is currently a replacement in development.

Does anyone know what this replacement will be and maybe where to contribute?

-- Christian M
kubernetes
ssh-tunnel

1 Answer

6/25/2019

Kubernetes master-to-cluster communication doesn’t get as much attention as the opposite direction, yet many critical features (kubectl proxy, logs, exec, …) rely on it to function. In order to support secure communications from Kube API Server running on the control network to nodes running on a cluster network, SSH Tunnels were developed. This technology complicates the API Server in a manner which is neither extensible nor popular. The new proposed gRPC-based proxy service abstracts this complexity away from the API Server, while providing a greater degree of extensibility. In this talk, we will see how SSH tunnels are implemented right now, what the new proxy service looks like, and how it opens the door to future extensions for use cases like auditing and multi-network support.

KAS Proxy Service

We (SIG API MACHINERY, SIG NETWORKING and SIG CLOUD PROVIDER) are adding a configurable, extensible proxy service for connections outbound from the K8s API Server.

Here is the GitHub repo apiserver-network-proxy

Here is the K8s Enhancement Proposal - Network-proxy

-- Suresh Vishnoi
Source: StackOverflow