Just as Kilo can connect a Kubernetes cluster to external services over WireGuard, it can connect multiple independent Kubernetes clusters. This enables clusters to provide services to other clusters over a secure connection. For example, a cluster on AWS with access to GPUs could run a machine learning service that could be consumed by workloads running in another location, e.g. an on-prem cluster without GPUs. Unlike services exposed via Ingresses or NodePort Services, multi-cluster services can remain private and internal to the clusters.
Note: in order for connected clusters to be fully routable, the allowed IPs that they declare must be non-overlapping, i.e. the Kilo, pod, and service CIDRs.
Consider two clusters, `cluster1` and `cluster2`, each with its own (non-overlapping) service CIDR:
- `cluster1` service CIDR:
- `cluster2` service CIDR:
In order to give `cluster2` access to a service running on `cluster1`, start by peering the nodes of each cluster with the other.
Now, Pods on `cluster1` can ping, cURL, or otherwise make requests against Pods and Services in `cluster2`, and vice-versa.
At this point, Kilo has created a fully routable network between the two clusters.
However, as it stands, the external Services can only be accessed by using their clusterIPs directly.
For example, a Pod in `cluster2` would need to use the URL `http://$CLUSTERIP_FROM_CLUSTER1` to make an HTTP request against a Service running in `cluster1`.
In other words, the Services are not yet Kubernetes-native.
We can easily change that by creating a Kubernetes Service in `cluster2` that mirrors the Service in `cluster1`, with an Endpoints object pointing at the remote clusterIP.
Once that is done, `important-service` can be used and discovered on `cluster2` just like any other Kubernetes Service.
That means that a Pod in `cluster2` can directly use the Kubernetes DNS name for the Service when making HTTP requests.
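The two checks a practitioner wants before wiring clusters together, as an added example that is not Kilo's own code or part of the original page: verify that the Kilo, pod, and service CIDRs declared by the clusters do not overlap (the routability requirement from the note above), and generate the mirror Service + Endpoints manifest while refusing a clusterIP that does not belong to the remote cluster's service CIDR. All CIDRs, IPs, and cluster names below are constructed sample values, and `kubectl apply -f -` accepts the JSON `List` the function returns.

```python
"""Added example (not Kilo's code): multi-cluster peering sanity checks."""
import ipaddress
import json

# Constructed sample topology: [Kilo CIDR, pod CIDR, service CIDR] per cluster.
CLUSTERS = {
    "cluster1": ["10.4.0.0/16", "10.42.0.0/16", "10.43.0.0/16"],
    "cluster2": ["10.5.0.0/16", "10.44.0.0/16", "10.45.0.0/16"],
}


def overlapping_cidrs(clusters):
    """Return (clusterA, cidrA, clusterB, cidrB) for every cross-cluster overlap.

    Kilo only yields a fully routable mesh when each cluster's Kilo, pod and
    service ranges are disjoint from every other cluster's, so this must be
    empty before any peers are registered.
    """
    nets = [(name, ipaddress.ip_network(c))
            for name, cidrs in clusters.items() for c in cidrs]
    return [
        (a, str(na), b, str(nb))
        for i, (a, na) in enumerate(nets)
        for b, nb in nets[i + 1:]
        if a != b and na.overlaps(nb)
    ]


def mirror_service_manifest(name, cluster_ip, port, remote_service_cidr,
                            namespace="default"):
    """Build the Service + Endpoints pair that mirrors a remote Service.

    Rejects a clusterIP outside the remote cluster's service CIDR, the usual
    copy/paste mistake (a pod IP, or an IP taken from the wrong cluster).
    """
    if ipaddress.ip_address(cluster_ip) not in ipaddress.ip_network(remote_service_cidr):
        raise ValueError(f"{cluster_ip} is not in remote service CIDR {remote_service_cidr}")
    meta = {"name": name, "namespace": namespace}
    service = {"apiVersion": "v1", "kind": "Service", "metadata": meta,
               "spec": {"ports": [{"port": port}]}}
    endpoints = {"apiVersion": "v1", "kind": "Endpoints", "metadata": meta,
                 "subsets": [{"addresses": [{"ip": cluster_ip}],
                              "ports": [{"port": port}]}]}
    return json.dumps({"apiVersion": "v1", "kind": "List",
                       "items": [service, endpoints]}, indent=2)


if __name__ == "__main__":
    assert not overlapping_cidrs(CLUSTERS), "fix the CIDRs before peering"
    print(mirror_service_manifest("important-service", "10.43.17.9", 80, "10.43.0.0/16"))
```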
Notice that this mirroring is ad-hoc, requiring manual administration of each Service. This process can be fully automated using Service-Reflector to discover and mirror Kubernetes Services between connected clusters.