Using port-forward too often? KubeVPN can help!

Introduction
If you’ve built or deployed anything on Kubernetes, you have probably needed to connect from your local system to a service running on a remote Kubernetes cluster. This is often needed for debugging and testing. kubectl port-forward is the standard method used to do that.
At KubeNine we work a lot on Kubernetes for our products as well as for our customers.
KubeVPN allows you to connect your local machine to a Kubernetes cluster securely. It almost makes you feel like the Kubernetes pods and services are running on your local system, although they are not.
What is KubeVPN?
KubeVPN is a cloud-native development environment tool that connects your local machine directly to a Kubernetes cluster network. This connection allows developers to access cluster services using service names or Pod IPs. By establishing a secure VPN tunnel, KubeVPN enables bidirectional traffic control, allowing specific traffic to be routed between local and cloud environments.
Core Features
Direct Cluster Networking
With a simple command, developers can instantly access Kubernetes cluster services:
kubevpn connect
This command provides:
- Pod IP Connectivity: Communicate with pods using their IP addresses.
- Native Kubernetes DNS Resolution: Resolve service names as if operating within the cluster.
Example - Curl Kubernetes service from local
➜ ~ kubectl get services -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
authors ClusterIP 172.21.5.160 <none> 9080/TCP 114d app=authors
details ClusterIP 172.21.6.183 <none> 9080/TCP 114d app=details
kubernetes ClusterIP 172.21.0.1 <none> 443/TCP 319d <none>
kubevpn-traffic-manager ClusterIP 172.21.2.86 <none> 8422/UDP,10800/TCP,9002/TCP,80/TCP 2m28s app=kubevpn-traffic-manager
productpage ClusterIP 172.21.10.49 <none> 9080/TCP
Call the service directly
curl productpage:9080
This command allows direct access to the productpage service within the cluster.
Example - Ping Pod by IP from local machine
~ kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
authors-dbb57d856-mbgqk 3/3 Running 0 7d23h 172.29.2.132 192.168.0.5 <none> <none>
details-7d8b5f6bcf-hcl4t 1/1 Running 0 61d 172.29.0.77 192.168.104.255 <none> <none>
kubevpn-traffic-manager-66d969fd45-9zlbp 3/3 Running 0 74s 172.29.2.136 192.168.0.5 <none> <none>
productpage-788df7ff7f-jpkcs 1/1 Running 0 61d 172.29.2.134 192.168.0.5 <none> <none>
➜ ~ ping 172.29.2.134
PING 172.29.2.134 (172.29.2.134): 56 data bytes
64 bytes from 172.29.2.134: icmp_seq=0 ttl=63 time=55.727 ms
64 bytes from 172.29.2.134: icmp_seq=1 ttl=63 time=56.270 ms
64 bytes from 172.29.2.134: icmp_seq=2 ttl=63 time=55.228 ms
64 bytes from 172.29.2.134: icmp_seq=3 ttl=63 time=54.293 ms
^C
Route Traffic from Cluster to local Machine
The beauty of KubeVPN doesn’t end there. It also lets you route traffic from a service running on your Kubernetes cluster to a service running on your local machine. Sounds confusing?
Imagine you want to debug an application on your cluster that is showing some issues. You wish you could have that traffic handled on your local machine with a lot of verbosity enabled. Now you can do that.
KubeVPN enables precise routing based on header conditions:
kubevpn proxy deployment/productpage --headers user=dev-team
In this setup:
- Requests with the user=dev-team HTTP header: Routed to the local service running on your laptop for testing or debugging.
- Other Requests: Handled by the original cluster service, ensuring uninterrupted service for end-users.
This feature allows developers to test specific scenarios locally without affecting the broader user base.
PRO Tip: Avoid using this in production. But aren’t we all guilty of testing in production at some point? 😉
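One way to act on the tip above is to inventory which namespaces contain a KubeVPN traffic manager and fail when one appears where it should not. This is an added example, not KubeVPN's own tooling: the selector comes from the service listing earlier on this page, while the protected-namespace policy, the function names and the sample listing are constructed assumptions. The presence of the traffic manager is used as the signal that KubeVPN is deployed in a namespace; it does not by itself show that a proxy rule is active.

```shell
#!/bin/sh
# Added example: report namespaces that contain a KubeVPN traffic manager.
# stdin: text output of `kubectl get services -A -o wide`
# $1:    space-separated namespaces where it must not run (assumed policy)

# Constructed sample listing; namespace names and the policy are illustrative.
SAMPLE='NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
default kubernetes ClusterIP 172.21.0.1 <none> 443/TCP 319d <none>
dev productpage ClusterIP 172.21.10.49 <none> 9080/TCP 61d app=productpage
dev kubevpn-traffic-manager ClusterIP 172.21.2.86 <none> 8422/UDP,10800/TCP,9002/TCP,80/TCP 2m28s app=kubevpn-traffic-manager
prod kubevpn-traffic-manager ClusterIP 172.21.7.14 <none> 8422/UDP,10800/TCP,9002/TCP,80/TCP 5h app=kubevpn-traffic-manager'

find_kubevpn_namespaces() {
    # With -A the first column is NAMESPACE; with -o wide the last is SELECTOR.
    awk 'NR > 1 && $NF == "app=kubevpn-traffic-manager" { print $1 }' | sort -u
}

audit_kubevpn() {
    protected="$1"
    status=0
    for ns in $(find_kubevpn_namespaces); do
        case " $protected " in
            *" $ns "*)
                echo "VIOLATION: kubevpn-traffic-manager in protected namespace '$ns'"
                status=1 ;;
            *)
                echo "info: kubevpn-traffic-manager in namespace '$ns'" ;;
        esac
    done
    return "$status"
}

# Demo on the sample; against a cluster, pipe the kubectl command above instead.
printf '%s\n' "$SAMPLE" | audit_kubevpn "prod" || echo "audit failed"
```

The non-zero return status makes the check usable as a gate in a scheduled job or pipeline step.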
Multi-Cluster Connectivity
KubeVPN supports simultaneous connections to multiple Kubernetes clusters:
kubevpn connect -n dev --kubeconfig ~/.kube/cluster1 # Primary
kubevpn connect -n prod --kubeconfig ~/.kube/cluster2 --lite # Secondary
This capability is particularly beneficial for:
- Development and Testing: Easily switch between development and production environments.
- Continuous Deployment: Streamline workflows that require interaction with multiple clusters.
By facilitating multi-cluster management, KubeVPN enhances development efficiency and flexibility.
Technical Architecture

KubeVPN's architecture comprises three primary components:
- Traffic Manager: Deployed within the cluster, it intercepts and manages traffic using MutatingWebhook and iptables.
- VPN Tunnel: Establishes a secure channel between the local machine and the Kubernetes cluster using tun devices and WireGuard.
- Control Plane: Synchronizes configurations and states between the local and cluster environments through gRPC streaming and Custom Resource Definitions (CRDs).
This architecture ensures secure, efficient, and seamless integration between local development environments and Kubernetes clusters.
Conclusion
KubeVPN makes it easier to connect to a Kubernetes cluster for development. Its features, including direct cluster networking, smart traffic interception, multi-cluster connectivity, and local containerized development, allow developers to work more efficiently and effectively.
Try KubeVPN now and see if you can improve the productivity of your development team!