Accessing kubernetes pod directly from a machine in the same network

Question

I have 4 servers on the same network;

• 10.0.0.10: Kubernetes master
• 10.0.0.11: Kubernetes node 1
• 10.0.0.12: Kubernetes node 2
• 10.0.0.20: Normal ubuntu server (kubernetes not installed)

I set up a kubernetes cluster following the instruction in https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/ using Calico as a network provider.

I could successfully run a pod by the following command (I'm using Ubuntu docker image with ssh access as an example)

kubectl run ubuntupod --image=rastasheep/ubuntu-sshd:16.04

and could see the IP address of this pod using kubectl get and kubectl describe (In this case, IP of the pod was 192.168.65.74.)

Then I confirmed that the following connections have been enabled

• kubernetes master/nodes (10.0.0.10 ~ 10.0.0.12) -> the pod (192.168.65.74)
• the pod (192.168.65.74) -> kubernetes master/nodes (10.0.0.10 ~ 10.0.0.12)
• the pod (192.168.65.74) -> normal ubuntu server (10.0.0.20)

However, I failed to make the following connection, which I want to ask people how to do;

• normal ubuntu server (10.0.0.20) -> pod (192.168.65.74)

I tried adding a routing table to the ubuntu server (10.0.0.20) in the hope that the kubernetes master node could be served as a router but with no success;

sudo route add -net 192.168.0.0 netmask 255.255.0.0 gw 10.0.0.10

I suspect that there is something to do with iptables in the Kubernetes master, but I have no idea what to do.

Could someone please help me on this.

BTW, I understand that what I want to do might diverge from the basic principle of the kubernetes or the docker. Maybe I should use Service mechanism of the kubernetes, but I need this sort of transparency in accessing between pods and actual servers.

Answer 1

I need this sort of transparency in accessing between pods and actual servers.

Then what you want is either, as you said but dismissed for some reason, a Service with either a type: NodePort -- or type: LoadBalancer if your setup allows one -- which will round-robin across all Pods matching its selector:...

Or kubectl exec -it $the_pod_name -- bash -il to execute a command on the Pod (that is: if your objective is only to "connect" to the Pod to run commands on it, and not "network connect")...

Or kubectl port-forward $the_pod_name ${local_port_number}:${pod_port_number} will allow you to effectively drill a hole in the k8s networking directly to the Pod, with the caveat that the connectivity is only for as long as kubectl is running (and, of course, the Pod's lifespan)

Just for extreme clarity, a software defined network such as Calico is traditionally used for traffic within the cluster, and it is best to think of any IP addresses as "fake" ones. Thus, I would never expect just updating the routing tables on anything would allow you to connect the "real" network stack to the "imaginary" one in Calico. Take that answer with a small grain of salt, as I've never used Calico specifically, but without question flannel behaves in that manner.

Answer 2

you can try to run the kube-proxy component of k8s on the ubuntu server, it will create the needed iptables rules for accessing k8s services and pods

Answer 3

With Calico you can peer your cluster with your network fabric (or even just one host) using BGP which will then distribute the routes to your pods allowing direct access to the pods from external hosts. Here are some of the doc links that can help with that https://docs.projectcalico.org/v2.5/usage/external-connectivity#inbound-connectivity and https://docs.projectcalico.org/v2.5/usage/configuration/bgp

One (possibly simple) way to achieve this on a host is to run calico/node on the host with it configured so calico/node can reach your Calico datastore and effectively become part of the "Calico cluster" but not part of the Kuberentes cluster.