minikube + ssh + nat gate in front of the remote host #12371

Open
jserviceorg opened this issue Aug 29, 2021 · 4 comments
Labels
co/generic-driver kind/documentation Categorizes issue or PR as related to documentation. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/backlog Higher priority than priority/awaiting-more-evidence.

Comments

@jserviceorg

Hello

I am trying to get minikube together with the ssh driver and a remote host behind a nat gateway up and running. I faced some issues with kubelet using the wrong IP, which I could fix in a hacky way. But I still got the impression that the combination nat gate + ssh driver won't work. Is there anyone out there who has experience with this or is even running such a setup successfully?

Cheers

Jürgen

@jserviceorg jserviceorg changed the title minikube + ssh + nat on remote host minikube + ssh + nat gate in front of the remote host Aug 29, 2021
@afbjorklund
Collaborator

afbjorklund commented Aug 30, 2021

We have mostly tried with a generic VM running locally (using something like Vagrant), or with a VM running in some private cloud.

When running in a more public cloud, there is usually one external and one internal address (that can be used for the API server).

Example: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html

So SSH (only) uses the external address, and everything else is tunneled through it. This is similar to how the eth0/eth1 works.

There needs to be some better documentation for this, and I think e.g. minikube tunnel has not been updated for ssh?

      --apiserver-ips=[]: A set of apiserver IP Addresses which are used in the generated certificate for kubernetes.  This can be used if you want to make the apiserver available from outside the machine
      --apiserver-name='minikubeCA': The authoritative apiserver hostname for apiserver certificates and connectivity. This can be used if you want to make the apiserver available from outside the machine
      --apiserver-names=[]: A set of apiserver names which are used in the generated certificate for kubernetes.  This can be used if you want to make the apiserver available from outside the machine
      --ssh-ip-address='': IP address (ssh driver only)

Opening up the minikube port (8443) probably needs some security consideration, and still needs an ingress for apps...

Currently there are only some unsupported hacks for docker/podman, but nothing that would be usable for running a VM.

      --listen-address='': IP Address to use to expose ports (docker and podman driver only)
      --ports=[]: List of ports that should be exposed (docker and podman driver only)

The container opens these:

  • 8443
  • 22
  • 2376 (legacy docker)
  • 5000 (registry addon)
  • 32443 (auto-pause)
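
Why an address has to appear in the certificate SANs (what `--apiserver-ips` and `--apiserver-names` control) before a client can reach the API server through it, shown as an added Go example that is not from the minikube code base or from the commenters. The addresses `10.0.0.5` and `203.0.113.10` and the helpers `issueServingCert` and `reachableAs` are constructed for illustration, and a self-signed certificate stands in for the one minikube generates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueServingCert builds a self-signed serving certificate whose SANs are exactly
// the given IPs and DNS names (stand-in for the generated apiserver certificate).
func issueServingCert(ips, names []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     names,
	}
	for _, ip := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// reachableAs reports whether a Go TLS client dialing addr would accept the
// certificate's SANs (the same hostname check made during the TLS handshake).
func reachableAs(cert *x509.Certificate, addr string) bool {
	return cert.VerifyHostname(addr) == nil
}

func main() {
	nat := "203.0.113.10" // constructed external (NAT) address
	for _, ips := range [][]string{{"10.0.0.5"}, {"10.0.0.5", nat}} {
		if cert, err := issueServingCert(ips, nil); err == nil {
			fmt.Println(ips, "accepted via NAT address:", reachableAs(cert, nat))
		}
	}
}
```

A certificate that lists only the internal address fails the hostname check when dialed on the external one, so the external address or name has to be in the SANs rather than turning verification off on the client.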

@afbjorklund afbjorklund added co/generic-driver kind/documentation Categorizes issue or PR as related to documentation. labels Aug 30, 2021
@afbjorklund
Collaborator

afbjorklund commented Aug 30, 2021

Some network diagrams of the various minikube drivers would also help here: #4938 (comment)

Especially for these scenarios with restricted network access, like Docker Desktop or public cloud.

@afbjorklund afbjorklund added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Aug 30, 2021
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 28, 2021
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Dec 28, 2021
@spowelljr spowelljr added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. labels Jan 12, 2022