@discordianfish
Last active February 7, 2022 21:40
Simple "VPN" to connect k3s to apiserver with private IP

My k3s server is running on 192.168.1.1 in my LAN. While I can expose the TLS endpoint to the public internet, my IP is dynamic. This doesn't play well with Kubernetes: when the kubelet connects to the TLS endpoint, it retrieves a list of apiservers (their private addresses) and tries to connect to them directly. So instead I add the apiserver's private IP to the loopback interface on the node and run an ssh tunnel that forwards that address to the apiserver.

So with the tunnel unit file in this gist in place, you can join a node with:

```sh
curl -sfL https://get.k3s.io | K3S_URL=https://192.168.1.1:6443 K3S_TOKEN=mynodetoken sh -
```
The `authorized_keys` entry for the `ssh-tunnel` user on the k3s server, restricted to port forwarding towards the apiserver only:

```
command="echo Port forward only",no-X11-forwarding,no-agent-forwarding,no-pty,permitopen="localhost:6443",permitopen="127.0.0.1:6443" ssh-rsa AAAAB.... ssh-tunnel@pluto
```
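The value of that entry is that the tunnel key cannot be turned into a shell or a forward to anything but the apiserver, so it is worth checking that the entry actually carries every restriction. The following POSIX sh script is an added example, not part of the gist: `check_tunnel_key` takes one `authorized_keys` line, extracts its options field, and reports any missing `no-*` restriction, a missing forced `command=`, a missing `permitopen=`, or a `permitopen=` target outside an allow list. The required options and the allowed targets are assumptions matching the gist's entry; the sample line is constructed with a placeholder key blob.

```sh
#!/bin/sh
# Added example, not part of the gist: audit an authorized_keys entry to confirm
# it can only be used for the apiserver tunnel. check_tunnel_key prints each
# problem it finds and returns non-zero if the entry is looser than intended.

# Restrictions the tunnel key must carry (assumption: the same set the gist uses).
REQUIRED_OPTS="no-pty no-agent-forwarding no-X11-forwarding"
# Forward destinations the key may open (assumption: the local apiserver only).
ALLOWED_TARGETS="localhost:6443 127.0.0.1:6443"
# Key types recognised when locating the end of the options field.
KEYTYPE='(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9]+)'

# Print only the comma-separated options field of an authorized_keys line
# (empty when the line carries no options at all).
key_options() {
    printf '%s\n' "$1" | sed -E "s/^$KEYTYPE .*$//; s/ $KEYTYPE .*$//"
}

check_tunnel_key() {
    opts=$(key_options "$1")
    rc=0
    for opt in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$opt,"*) ;;
            *) echo "missing restriction: $opt"; rc=1 ;;
        esac
    done
    case "$opts" in
        *'command="'*) ;;
        *) echo "missing forced command: an interactive shell would be allowed"; rc=1 ;;
    esac
    # Every permitopen= value must be on the allow list; with none at all
    # the key could forward to any host:port the server can reach.
    targets=$(printf '%s\n' "$opts" | grep -o 'permitopen="[^"]*"' | sed 's/^permitopen="//; s/"$//')
    if [ -z "$targets" ]; then
        echo "missing permitopen: any port forward would be allowed"; rc=1
    fi
    for t in $targets; do
        case " $ALLOWED_TARGETS " in
            *" $t "*) ;;
            *) echo "permitopen target not allowed: $t"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the shape of the gist's entry with a placeholder key blob.
SAMPLE='command="echo Port forward only",no-X11-forwarding,no-agent-forwarding,no-pty,permitopen="localhost:6443",permitopen="127.0.0.1:6443" ssh-rsa AAAAB3NzaC1yc2E...placeholder ssh-tunnel@pluto'
if check_tunnel_key "$SAMPLE"; then
    echo "tunnel key is correctly restricted"
fi
```

To audit the real file, feed each line of the `ssh-tunnel` user's `authorized_keys` to `check_tunnel_key` in a `while read -r` loop; a non-zero exit from any line means that key can do more than open the apiserver tunnel. The options field is located by finding the key-type token, so a `command=` string containing spaces is handled.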
The systemd unit that runs on the node, adds the apiserver's private IP to `lo` and keeps the tunnel up (`RequiredBy=` moved to the `[Install]` section, where systemd actually honours it):

```ini
[Unit]
Description=ssh tunnel
Wants=network-online.target
After=network-online.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=5s
User=ssh-tunnel
# "!" runs this step with full privileges despite User=; "-" ignores failure
# (for example when the address already exists after a restart).
ExecStartPre=!-ip addr add 192.168.1.1 dev lo
# Bind the apiserver's private IP locally and forward it to the apiserver on the remote side.
# ExitOnForwardFailure makes ssh exit (and systemd restart it) if the forward cannot be set up.
ExecStart=/usr/bin/ssh -o ExitOnForwardFailure=yes -N -L192.168.1.1:6443:127.0.0.1:6443 home.42o.de

[Install]
# RequiredBy= is only valid here; placed under [Unit] it is ignored with a warning.
RequiredBy=k3s-agent.service
```