Kilo enables peers outside of a Kubernetes cluster to connect to the created WireGuard network. This enables several use cases, for example:
- giving cluster applications secure access to external services, e.g. services behind a corporate VPN;
- allowing external services to access the cluster; and
- enabling developers and support to securely debug cluster resources.
In order to declare a peer, start by defining a Kilo Peer resource. See the following peer.yaml, where the publicKey field holds a generated WireGuard public key (only the public key is stored in the cluster; the corresponding private key stays on the peer):
Then, apply the resource to the cluster:
The kgctl tool can be used to generate the WireGuard configuration for the newly defined peer:
This will produce some output like:
The configuration can then be applied to a local WireGuard interface, e.g.
Finally, in order to access the cluster, the client will need appropriate routes for the new configuration. For example, on a Linux machine, the creation of these routes could be automated by running:
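The steps above (declare the Peer, render its WireGuard configuration, derive client routes) as an added shell example; this is not code from the Kilo docs or the kilo project. The peer name "laptop", the interface "wg0", the placeholder key and the kgctl-style sample configuration are all constructed for the example; the manifest field names follow the kilo Peer CRD (kilo.squat.ai/v1alpha1). The route step prints the commands instead of running them, so the prefixes that will be routed into the tunnel can be reviewed first.

```shell
#!/bin/sh
# Added example for the peer procedure; not code from the Kilo docs or the
# kilo project. Assumed/constructed: peer name "laptop", interface "wg0",
# a format-valid placeholder key, and a sample kgctl-style configuration.
set -eu

# Render a Kilo Peer manifest. Only the public key is stored in the cluster;
# the private key (from `wg genkey`) never leaves the peer. allowedIPs is the
# address the cluster will route to, and accept packets from, for this peer.
render_peer_manifest() {
  name=$1 pubkey=$2 allowed=$3
  # A WireGuard key is 32 bytes base64-encoded: 43 base64 characters plus '='.
  printf '%s' "$pubkey" | grep -Eq '^[A-Za-z0-9+/]{43}=$' || {
    echo "render_peer_manifest: not a WireGuard public key: $pubkey" >&2
    return 1
  }
  cat <<EOF
apiVersion: kilo.squat.ai/v1alpha1
kind: Peer
metadata:
  name: $name
spec:
  allowedIPs:
  - $allowed
  publicKey: $pubkey
  persistentKeepalive: 10
EOF
}

# Read a WireGuard configuration on stdin and print one `ip route add` per
# unique AllowedIPs prefix found in its [Peer] sections. AllowedIPs is also
# WireGuard's cryptokey routing table: only traffic for these prefixes is
# sent through (or accepted from) the matching peer, so review them before
# piping the output into `sh`.
routes_from_conf() {
  dev=$1
  sed -n 's/^AllowedIPs *= *//p' |
    tr ',' '\n' | tr -d ' \t' | sed '/^$/d' | sort -u |
    while read -r cidr; do
      printf 'ip route add %s dev %s\n' "$cidr" "$dev"
    done
}

# Constructed stand-in for `kgctl showconf peer laptop` output: two cluster
# locations, each advertising its pod CIDR and another peer's address.
SAMPLE_CONF='[Peer]
AllowedIPs = 10.4.0.0/16, 10.5.0.2/32
Endpoint = 203.0.113.10:51820
PublicKey = ExampleClusterKeyAAAAAAAAAAAAAAAAAAAAAAAAAA=
PersistentKeepalive = 10

[Peer]
AllowedIPs = 10.6.0.0/16, 10.5.0.2/32
Endpoint = 203.0.113.20:51820
PublicKey = ExampleClusterKeyBBBBBBBBBBBBBBBBBBBBBBBBBB=
PersistentKeepalive = 10'

# Placeholder key with a valid shape (43 base64 characters + '='); a real one
# comes from `wg genkey | tee privatekey | wg pubkey`.
SAMPLE_PUBKEY=$(printf 'ExamplePublicKey%27s=' '' | tr ' ' A)

# Demo on the constructed inputs. In real use the manifest is piped to
# `kubectl apply -f -` and the config comes from `kgctl showconf peer laptop`.
render_peer_manifest laptop "$SAMPLE_PUBKEY" 10.5.0.1/32
printf '%s\n' "$SAMPLE_CONF" | routes_from_conf wg0
```

Typical use is `render_peer_manifest laptop "$(wg pubkey < privatekey)" 10.5.0.1/32 | kubectl apply -f -`, then `kgctl showconf peer laptop | routes_from_conf wg0` to inspect the routes and, once they look right, the same pipeline piped into `sh`.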
Once the routes are in place, the connection to the cluster can be tested. For example, try connecting to the API server:
Likewise, the cluster now also has layer 3 access to the newly added peer. From any node or Pod on the cluster, one can now ping the peer:
If the peer exposes a layer 4 service, for example an HTTP service, then one could also make requests against that endpoint from the cluster:
Kubernetes Services can be created to provide better discoverability to cluster workloads for services exposed by peers, for example:
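One way to give a peer-exposed service a cluster DNS name, as an added example that is not from the Kilo docs or the kilo project: a selector-less Service paired with an Endpoints object whose address is the peer's allowed IP. The peer address 10.5.0.1, port 8080 and the name "laptop-http" are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Kilo docs or the kilo project. Assumed and
# constructed: a peer at 10.5.0.1 serving HTTP on port 8080, exposed
# in-cluster as the Service "laptop-http".
set -eu

# Render a selector-less Service plus a matching Endpoints object, so cluster
# workloads can reach the peer as laptop-http.<namespace>.svc. The Service
# only forwards to addresses listed in Endpoints, so the IP here should be the
# one declared in the Peer resource's allowedIPs.
render_peer_service() {
  name=$1 ip=$2 port=$3
  printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
    echo "render_peer_service: not an IPv4 address: $ip" >&2
    return 1
  }
  [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ] || {
    echo "render_peer_service: port out of range: $port" >&2
    return 1
  }
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: $name
spec:
  ports:
  - port: $port
    targetPort: $port
    protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
  name: $name
subsets:
- addresses:
  - ip: $ip
  ports:
  - port: $port
    protocol: TCP
EOF
}

# Demo: in real use, pipe this into `kubectl apply -f -`.
render_peer_service laptop-http 10.5.0.1 8080
```

Because the Service has no selector, Kubernetes will not manage its Endpoints; the address list is exactly what is rendered here, which keeps the in-cluster name bound to the declared peer address and nothing else.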
Although it is not a primary goal of the project, the VPN created by Kilo can also be used by peers as a gateway to the Internet; for more details, see the VPN server docs.