Kubernetes API proxy through tunnel

Saw the kubernetes API server integration with Teleport.

Wondering if there’s a way to proxy API server requests through the tunnel set up by Teleport?

My use case is that the Kubernetes nodes are behind a NAT gateway and the proxy is a jump host in AWS with public access. I can use SSH port forwarding to make this work, but thought it’d be nice if this were directly supported by the product without additional SSH port forwarding commands. Thoughts?

Teleport just expects a working kubeconfig file, so if you can get a network tunnel up to the k8s apiserver and set that in the kubeconfig file it’ll work. Teleport doesn’t have any kind of native support for automatically creating such a tunnel itself.

I would probably look at trying to expose some other kind of gateway/always-on VPN within AWS which allows your Teleport proxy server to access the apiserver behind the NAT gateway.

Gus, thanks for your reply!

I think I can do that, but I thought that Teleport already has such a tunnel set up (for SSH), so why not reuse the tunnel for API server traffic as well? Right now, I can do

tsh ssh -L 6443:<api-server-address-behind-nat>:6443 root@some-node

And then everything works. I was hoping that Teleport can support that natively without me doing this manual step.


Yes, Teleport does support putting its own internal API traffic (which would normally travel over ports 3025 and 3080) over a tunnel back to port 3024 on the cluster. This support doesn’t extend to the Kubernetes API, however, as we would need to be able to multiplex the TLS requests on that port and then split the traffic on the tunnel host according to its destination. This isn’t something we’ve looked at doing because of the added complexity involved.

Thank you for your clarifications on that point.

I have to admit, configuring Teleport for SSH really amazed me, but when I switched to the Kubernetes config, the dream fell down.

What I mean is that I was expecting my single node (with the 3 roles) to proxy Kubernetes as it does for SSH … after realising this is not possible (unless I do some tunnelling thing like jieyu explained) to make it work like that, I’m now installing it side by side with my Kubernetes masters … which is quite disappointing.

Couldn’t you listen on another port for Kubernetes instead of multiplexing the existing one?

Teleport does ostensibly do what you’re asking, though. See the architecture diagrams at https://gravitational.co/teleport/docs/trustedclusters

Given this situation:

  1. Set up a main Teleport cluster (main.example.com) and configure Kubernetes support as per documentation
  2. Set up another remote cluster (trusted.example.com) and configure Kubernetes support as per documentation
  3. Set up the remote cluster as a trusted cluster within Teleport as per documentation
  4. Log into the main cluster (tsh login --proxy=main.example.com)
  5. Switch to the trusted cluster (tsh login --proxy=main.example.com trusted.example.com)
  6. Run kubectl get pods

All the traffic to trusted.example.com will go through the main Teleport proxy and be passed over to the Kubernetes server for trusted.example.com, and all replies will be proxied back. This relies on the Teleport proxy for main.example.com being able to connect directly to the Kubernetes API server for trusted.example.com, however.

I see why this question is being asked but at the moment, it’s not something that we’re looking at doing. Teleport is first and foremost a solution for proxying SSH access to remote clusters behind firewalls.
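For readers following the six steps above, this is what the trusted-cluster resource for step 3 looks like when applied on the remote cluster (trusted.example.com) with tctl create. It is an added example, not part of this thread or the Teleport docs; the join token value and the role names in role_map are placeholders, and the 3024/3080 ports are the ones named earlier in the thread.

```yaml
# trusted_cluster.yaml, applied on trusted.example.com's auth server:
#   tctl create trusted_cluster.yaml
# The remote cluster dials OUT to main.example.com over the reverse tunnel
# port (3024), so nothing behind the NAT needs an inbound rule. Once joined,
# "tsh login --proxy=main.example.com trusted.example.com" followed by
# kubectl is routed by the main proxy over that tunnel.
kind: trusted_cluster
version: v2
metadata:
  name: trusted.example.com
spec:
  enabled: true
  # Placeholder: generate on main.example.com with
  #   tctl tokens add --type=trusted_cluster
  # and keep it short-lived; it is a one-time join credential, not a secret
  # to check into git.
  token: <JOIN-TOKEN-FROM-MAIN-CLUSTER>
  # Reverse tunnel endpoint and web/proxy endpoint of the main cluster.
  tunnel_addr: main.example.com:3024
  web_proxy_addr: main.example.com:3080
  # Least privilege: map roles from the main cluster onto local roles
  # explicitly instead of granting every main-cluster user admin here.
  # Role names are assumed for illustration.
  role_map:
    - remote: "k8s-users"
      local: ["k8s-readonly"]
    - remote: "admin"
      local: ["admin"]
```

The role_map is the part worth reviewing before enabling: it decides what a main-cluster identity becomes on the NATed cluster, and the default mapping in many examples grants admin wholesale.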

Thank you, Gus, for your answer.

I understood the Teleport trusted cluster concept and I’ll use that.

Thank you.
