
Private Kube API Proxy

Private Kube API Proxy allows customers to create their own dedicated and isolated Kube API Proxy networks (private or public) to provide kubectl access for their users. Users can create multiple Kube API Proxies based on their requirements and associate clusters with one or more of these proxies. The agents in the cluster connect to the configured custom Kube API Proxies, and the user’s kubeconfig points to the appropriate network address to reach the cluster.


Enable Kube API Proxies

Perform the below steps to enable the Kube API Proxies

  • Login to the controller and click System
  • Click Settings

System Settings

  • Select the Enable Kube API Proxies option under KubeCTL Settings and click Save

Enable Kube Proxies

Create Kube API Proxy

To create a new Kube API Proxy, perform the below steps

  • Click System and select Kube API Proxies

Kube API Proxies

The Kube API Proxies page appears

  • Click New Kube API Proxy and provide a name for the proxy
  • Enter the Cluster Host. This should be a wildcard hostname on a domain that you own. Ex: *.connector.example.com
  • Enter the User Host. This should be a wildcard hostname on a domain that you own. Ex: *.user.example.com
  • Click Create

Create Kube Proxy

A success message appears once the Kube Proxy is created

Successful Creation

Self-signed certificates are automatically generated for both of the above hostnames, but you have the option to modify the certificate for the User Host. To update the certificate, click CONFIGURE CERTIFICATES

You will see the page as shown below.


General Settings

The General settings show the name of the Kube API Proxy.

Endpoints

The Endpoints settings show the host details of both the Cluster Endpoint and the User Endpoint

  • Cluster Endpoint: The Self-Signed option generates a certificate for the given host. The self-signed certificate authorises and secures the connection between the cluster and the proxy
  • User Endpoint: By default, Kube API Proxies use the Self-Signed Certificate Authority (CA) provisioned in the Controller for a secured connection. If users do not require the system-generated certificate for the User Endpoint and wish to provide their own certificate, deselect the Self-Signed option and provide the below details:

    • Certificate Body
    • Certificate Private Key
    • Password (optional)

Endpoints

The Endpoints Settings shows the host details:

  • Cluster Endpoint: Cluster Endpoint Self-Signed option generates a certificate for the given host. Self-Signed Certificate is to authorize and provide a secure connection between the cluster and the proxy
  • User Endpoint: Users are allowed to select or deselect the Self-Signed option. If users do not require the system generated certificate for the User Endpoint and wish to provide their CA/Intermediate CA certificate details, deselect the Self-Signed option and provide the below details:

    • Certificate Body
    • Certificate Private Key
    • Password (optional)
    • Click Save

On providing this information, the controller uses the customer-supplied Certificate Authority (CA) to generate certificates for the proxies and this secures the user's KubeCTL traffic
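A pre-upload check for the Certificate Body and Certificate Private Key described above, as an added example that is not part of the product or its documentation: it uses openssl to confirm that the certificate is a CA certificate, is not close to expiry, and matches the private key. The function names, the 30-day expiry margin and the CA_KEY_PASSWORD variable are assumptions of this example, and the demo certificates are constructed sample input.

```shell
#!/bin/sh
# Added example: checks to run before pasting a CA certificate and key into the
# User Endpoint form. Names and CA_KEY_PASSWORD are assumptions of this example.

# Succeeds only if the certificate carries basicConstraints CA:TRUE,
# which it needs in order to sign the certificates issued for the proxies.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeeds only if the private key belongs to the certificate (public keys match).
# An encrypted key is unlocked with the exported CA_KEY_PASSWORD variable.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  if [ -n "${CA_KEY_PASSWORD:-}" ]; then
    key_pub=$(openssl pkey -in "$2" -pubout -passin env:CA_KEY_PASSWORD 2>/dev/null) || return 1
  else
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
  fi
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs every check; prints the first failure and returns non-zero.
check_ca_upload() {
  is_ca_cert "$1" || { echo "not a CA certificate (CA:TRUE missing): $1"; return 1; }
  openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null 2>&1 \
    || { echo "certificate expires within 30 days: $1"; return 1; }
  key_matches_cert "$1" "$2" || { echo "private key does not match: $2"; return 1; }
  echo "ok: $1"
}

# Constructed sample input: a throwaway CA and a non-CA certificate in directory $1.
make_demo_certs() {
  cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-demo
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF
  for kind in ca leaf; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$1/demo.cnf" \
      -extensions "${kind}_ext" -keyout "$1/$kind.key" -out "$1/$kind.pem" 2>/dev/null || return 1
  done
}
```

Source the file and run `check_ca_upload ca.pem ca.key` against the files you intend to upload; `make_demo_certs "$(mktemp -d)"` produces the sample pair for trying it out.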

  • Click Save if any changes were made to the Kube API Proxy endpoint configuration

On successful creation, the new proxy is listed on the Kube API Proxies page. Use the Edit icon to modify the config details and Delete icon to delete the proxy

Proxy Options

Download Deployment Configuration

Once the proxy is created, the user must download the Kube Proxy deployment configuration

  • Click the Download icon of the required proxy. The Cluster Registration Instructions pane appears at the right of the page
  • Click Download Kube API Proxy Yaml to download the YAML file used to deploy the Kube API Proxy

Download Kube API

Below is an example of the Kube Proxy Yaml file

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: rafay-kube-proxy
  name: rafay-kube-proxy
  namespace: rafay-system
spec:
  replicas: 1
  progressDeadlineSeconds: 1800
  selector:
    matchLabels:
      app: rafay-kube-proxy
  template:
    metadata:
      labels:
        app: rafay-kube-proxy
    spec:
      containers:
      - args:
        - --mode=server
        - --log-level=3
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name

The downloaded YAML file contains the services and objects needed to create the proxy instance. Users must create an appropriate Ingress object and set it up to expose the proxy as the environment requires. Users can customise the YAML configuration based on their requirements. Based on how you decide to expose the proxy, create the DNS entries for the Cluster Host and User Host so that they resolve to the cluster where you are deploying the proxy.

  • Run the below command to apply the Kube Proxy to the required Kubernetes Cluster

kubectl apply -f [path to file]/<proxy-name.yaml>


Private Kube API Proxy on Cluster

On successful Kube API Proxy creation, users can associate a cluster with a Private Kube API Proxy using Blueprints. Users can add one or more Kube API Proxies to existing or new Blueprints as shown below

Note

If you select a private Kube API Proxy in a blueprint, make sure that the cluster where this blueprint is applied can talk to the Cluster Host created in the previous step.

Add Kube Proxy