Kubernetes API Server Proxy
The Kubernetes API Server Proxy is a Liqo component that allows you to expose the Kubernetes API Server of a cluster to a remote cluster through the Liqo network fabric.
This feature is internally used by the in-band peering to establish a peering relationship between two clusters, which does not publicly expose the Kubernetes API Server.
Warning
If you just need to peer two clusters without publicly exposing the Kubernetes API server, you can use the in-band peering.
The Kubernetes API Server Proxy is an HTTP server that accepts HTTP Connect requests and forwards them to the Kubernetes API Server of the local cluster. It just proxy the requests to the API server and it has no permission on the local cluster. This means that, as usual, all the requesters must authenticate with the Kubernetes API Server to access the resources.
By default the Kubernetes API Server Proxy is deployed as a Kubernetes deployment in the liqo
namespace and it is exposed by a service, whose address is remapped by an IP
CRD located in the liqo
namespace.
This allows another peer cluster to reach the Kubernetes API server of the peer even when this is not directly reachable, by passing through the gateways tunnel between the clusters, using the remapped IP.
You can get this IP address by running the following command:
kubectl get ip -n liqo api-server-proxy -o wide
NAME LOCAL IP AGE REMAPPED IPS
api-server-proxy 10.95.245.141 167m {"wild-frog":"10.70.0.2"}
Note that the IP retrieved with the command above might not be used as is in a remote cluster, you may need to remap it to a different IP address according to the remote cluster network configuration, as explained in the external IP remapping page.
For example, let’s suppose that a cluster cl01
wants to reach the Kubernetes API Server Proxy of another cluster cl02
.
Looking at the Configuration
resource, we might see that, for example, the REMAPPED_EXT_CIDR
is 10.81.0.0/16, which means that the requests directed to that network will be redirected to cluster cl01
and remmapped to the cl02
external CIDR.
Therefore, if the REMAPPED_IP
of the api-server-proxy
in cl02
is 10.70.0.3, the final IP to be used in cl01
to reach the Kubernetes API Server Proxy will be 10.81.0.3.