Minikube services access local VPN

9/12/2019

How do I give my pod or minikube the ability to see the 10.x network my laptop is VPN'd onto?

Setup:

* minikube
* php containers

PHP code accesses a private repository, 10.x address. Things are fine locally, but I cannot access this same 10.x address while in a pod.

How can I give my pods/minikube access to my VPN route?

my-pod-99dc9d9d4-6thdj# 
my-pod-99dc9d9d4-6thdj# wget https://private.network.host.com/
Connecting to private.network.host.com (10.x.x.x:443)
^C
my-pod-99dc9d9d4-6thdj# 

(sanitized, obviously)

PS: I did find ONE post that mentions what I'm after, but I can't seem to get it to work: How to connect to a private IP from Kubernetes Pod

Still can't access the private ip (through my host's vpn).

-- guice
kubernetes
minikube
vpn

1 Answer

9/13/2019

There are a few ways you could achieve this.

If you only want to expose a few services into minikube from the VPN, then you could exploit SSH's reverse tunnelling, as described in this article: Proxying services into minikube. This would present the services as ports on the minikube VM, so acting like a nodePort essentially, and then SSH would tunnel these out and the host would route them through the VPN for you.

However, if you genuinely need access to the entire network behind the VPN, then you will need to use a different approach. The following assumes your VPN is configured as a split tunnel, that it's using NAT, and isn't using conflicting IP ranges.

The easiest option would be to run the VPN client inside minikube, thus providing first class access to the VPN and network, and not needing any routing to be set up. The other option is to set up the routing yourself in order to reach the VPN on the host computer. This would mean ensuring the following are covered:

  1. host route for the pod network; sudo ip route add ${REPLACE_WITH_POD_NETWORK} via $(minikube ip) e.g. for my case this was sudo ip route add 10.0.2.0/24 via 192.168.99.119
  2. ping from host to pod network address (you'll have to look this up with kubectl, e.g. kubectl get pod -n kube-system kube-apiserver-minikube -o yaml)

This should work because the networking/routing in the pod/service/kubelet is handled by the default route, which covers everything. Then when the traffic hits the host, the VPN and any networks it has exposed will have corresponding routes, the host will know to route it to the VPN, and NAT it to take care of the return path. When traffic returns it will hit your host because of the NAT'ing, it will look up the route table, see the entry you added earlier, and forward the traffic to minikube, and then to the pod/service, voila!

Hope this helps.

-- cewood
Source: StackOverflow
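
The answer's routing approach depends on the pod network not conflicting with the ranges the VPN exposes. The script below is an added example, not part of the original question or answer: it checks a pod CIDR against the host's IPv4 routes before printing the `ip route add` command. The function names and the sample routing table are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for "ip route add <pod-cidr> via <minikube ip>".

# Dotted quad -> integer; the subshell body keeps IFS and "$@" changes local.
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeeds when two IPv4 CIDRs share addresses: compare both network
# addresses under the shorter of the two prefix lengths.
cidr_overlap() (
  p1=${1#*/}; p2=${2#*/}
  p=$(( $p1 < $p2 ? $p1 : $p2 ))
  mask=$(( (4294967295 << (32 - $p)) & 4294967295 ))
  [ $(( $(ip_to_int "${1%/*}") & $mask )) -eq $(( $(ip_to_int "${2%/*}") & $mask )) ]
)

# Read `ip -4 route show` output on stdin; print each prefix that overlaps $1.
conflicting_routes() {
  while read -r dest rest; do
    case $dest in ''|*[!0-9./]*) continue ;; esac   # skip "default" etc.
    case $dest in */*) ;; *) dest=$dest/32 ;; esac  # bare host route
    if cidr_overlap "$1" "$dest"; then echo "$dest"; fi
  done
  return 0
}

# Print the route command from the answer, or report the clash and fail.
plan_route() {  # usage: ip -4 route show | plan_route POD_CIDR "$(minikube ip)"
  clash=$(conflicting_routes "$1")
  if [ -n "$clash" ]; then
    echo "conflict: $1 overlaps" $clash >&2
    return 1
  fi
  echo "sudo ip route add $1 via $2"
}

# Constructed sample routing table (not from the original post).
SAMPLE_ROUTES='default via 192.168.1.1 dev wlan0
10.0.0.0/8 dev tun0 scope link
172.16.40.0/24 dev tun0 scope link
192.168.99.0/24 dev vboxnet0 proto kernel scope link src 192.168.99.1'

# 10.0.2.0/24 (the answer's example) clashes with the sample VPN route.
printf '%s\n' "$SAMPLE_ROUTES" | plan_route 10.0.2.0/24 192.168.99.119 || true
printf '%s\n' "$SAMPLE_ROUTES" | plan_route 172.17.0.0/16 192.168.99.119
```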