I had seen the official documentation: https://kubernetes.io/docs/tasks/setup-konnectivity/setup-konnectivity/ but I still failed to understand its meaning. I have a few questions:
From the docs here
Motivation
Kubernetes has outgrown the SSH tunnels. They complicate KAS code and only one cloud provider implemented them. After a year of deprecation time, they will be removed in an upcoming release.
In retrospect, having an explicit level of indirection that separates user-initiated network traffic from API server-initiated traffic is a useful concept. Cloud providers want to control how API server to pod, node and service network traffic is implemented. Cloud providers may choose to run their API server (control network) and the cluster nodes (cluster network) on isolated networks. The control and cluster networks may have overlapping IP addresses. Therefore they require a non-IP routing layer (SSH tunnels are an example). Adding this layer enables metadata audit logging. It allows validation of outgoing API server connections. Structuring the API server in this way is a forcing function for keeping architectural layering violations out of the apiserver. In combination with a firewall, this separation of networks protects against security concerns such as Security Impact of Kubernetes API server external IP address proxying.
Goals
Delete the SSH Tunnel/Node Dialer code from Kube APIServer. Enable admins to fix https://groups.google.com/d/msg/kubernetes-security-announce/tyd-MVR-tY4/tyREP9-qAwAJ. Allow isolation of the Control network from the Cluster network.
Konnectivity Server
The proxy server which runs in the master network. It has a secure channel established to the cluster network. It could work on either an HTTP Connect mechanism or gRPC. If the former, it would expose a gRPC interface to KAS to provide the connectivity service. If the latter, it would use standard HTTP Connect. Formerly known as the Network Proxy Server.
Konnectivity Agent
A proxy agent which runs in the node network for establishing the tunnel. Formerly known as the Network Proxy Agent.
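As an added example (not part of the original question, and not the Konnectivity project's own manifests), here is how the three pieces quoted above fit together in configuration: the egress selector that tells kube-apiserver to send "cluster"-bound traffic to the Konnectivity server instead of dialing nodes directly, the server itself on the control network (shown in gRPC-over-Unix-socket mode, with the HTTP Connect alternative commented out), and the agent DaemonSet on the cluster network that dials out to the server. Image tags, certificate paths and the server address are assumptions; the flag names, selector names and API kinds are the ones the upstream docs use.

```yaml
# File 1 (control-plane host), passed as --egress-selector-config-file to kube-apiserver.
apiVersion: apiserver.k8s.io/v1beta1
kind: EgressSelectorConfiguration
egressSelections:
# "cluster" = traffic the API server initiates toward nodes, pods and services
# (exec/logs/port-forward, webhooks, aggregated APIs). Others: "controlplane", "etcd".
- name: cluster
  connection:
    # Mode A: KAS speaks gRPC to a local Konnectivity server over a Unix socket.
    proxyProtocol: GRPC
    transport:
      uds:
        udsName: /etc/kubernetes/konnectivity-server/konnectivity-server.socket
# Mode B (instead of the entry above, not in addition): plain HTTP CONNECT over TCP
# with mutual TLS, for a server started with --mode=http-connect --server-port=8131.
#- name: cluster
#  connection:
#    proxyProtocol: HTTPConnect
#    transport:
#      tcp:
#        url: https://127.0.0.1:8131
#        tlsConfig:
#          caBundle: /etc/kubernetes/pki/konnectivity-server/ca.crt      # assumed path
#          clientKey: /etc/kubernetes/pki/konnectivity-server/client.key # assumed path
#          clientCert: /etc/kubernetes/pki/konnectivity-server/client.crt # assumed path
---
# File 2 (control-plane host): static pod for the Konnectivity server.
apiVersion: v1
kind: Pod
metadata:
  name: konnectivity-server
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: konnectivity-server
    image: registry.k8s.io/kas-network-proxy/proxy-server:v0.0.37  # assumed tag
    command: ["/proxy-server"]
    args:
    - --uds-name=/etc/kubernetes/konnectivity-server/konnectivity-server.socket
    - --delete-existing-uds-file
    - --mode=grpc            # must match proxyProtocol in File 1
    - --server-port=0        # 0 = no TCP listener for KAS, Unix socket only
    - --agent-port=8132      # agents in the cluster network dial this port
    - --admin-port=8133
    - --health-port=8134
    - --cluster-cert=/etc/kubernetes/pki/apiserver.crt  # TLS toward agents
    - --cluster-key=/etc/kubernetes/pki/apiserver.key
    # Agent authentication: each agent presents a projected service-account token;
    # the server verifies it via TokenReview (through --kubeconfig) and accepts
    # only the named namespace, account and audience.
    - --kubeconfig=/etc/kubernetes/konnectivity-server.conf
    - --agent-namespace=kube-system
    - --agent-service-account=konnectivity-agent
    - --authentication-audience=system:konnectivity-server
    volumeMounts:
    - {name: k8s-certs, mountPath: /etc/kubernetes/pki, readOnly: true}
    - {name: kubeconfig, mountPath: /etc/kubernetes/konnectivity-server.conf, readOnly: true}
    - {name: konnectivity-uds, mountPath: /etc/kubernetes/konnectivity-server}
  volumes:
  - {name: k8s-certs, hostPath: {path: /etc/kubernetes/pki}}
  - {name: kubeconfig, hostPath: {path: /etc/kubernetes/konnectivity-server.conf, type: FileOrCreate}}
  - {name: konnectivity-uds, hostPath: {path: /etc/kubernetes/konnectivity-server, type: DirectoryOrCreate}}
---
# File 3 (cluster network): one agent per node. The agent dials OUT to the server's
# agent port; that outbound connection is the only traffic crossing the boundary.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: konnectivity-agent
  namespace: kube-system
spec:
  selector:
    matchLabels: {k8s-app: konnectivity-agent}
  template:
    metadata:
      labels: {k8s-app: konnectivity-agent}
    spec:
      serviceAccountName: konnectivity-agent
      containers:
      - name: konnectivity-agent
        image: registry.k8s.io/kas-network-proxy/proxy-agent:v0.0.37  # assumed tag
        command: ["/proxy-agent"]
        args:
        - --proxy-server-host=konnectivity.example.internal  # assumed address
        - --proxy-server-port=8132
        - --ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        - --service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token
        volumeMounts:
        - {name: konnectivity-agent-token, mountPath: /var/run/secrets/tokens}
      volumes:
      - name: konnectivity-agent-token
        projected:
          sources:
          - serviceAccountToken:
              path: konnectivity-agent-token
              audience: system:konnectivity-server  # must match the server flag
```

Two things the manifests do not show but the setup depends on: the konnectivity-agent ServiceAccount must exist in kube-system, and the identity in the server's kubeconfig needs permission to create TokenReviews (the upstream docs bind it to the system:auth-delegator ClusterRole), otherwise every agent is rejected. The certificate given as --cluster-cert must carry the --proxy-server-host value in its SANs, since the agent verifies it against the cluster CA. With the egress selector in place, kubectl exec, kubectl logs and webhook calls stop working when no agent is connected, which is the quickest way to confirm that API-server-initiated traffic is really going through the proxy and not around it.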