kubenetworks/kubevpn

[Question/Feature-Request] central install of kubevpn-traffic-manager

3deep5me opened this issue · 10 comments

Hi again,

Not sure if this is already covered or partly covered in kubevpn.

We would like to install kubevpn-traffic-manager deployment in a central namespace. In best-case with a helm-chart or similar.

Why?

  • central update management
    • we would like to ensure that on every cluster the newest server version is installed
  • security
    • the kubevpn-traffic-manager is a privileged deployment
    • we use the restricted profile of the Pod Security Defaults which forbids this
    • an extra namespace for the kubevpn-traffic-manager would allow us to continue to use the PSD
  • resource efficiency
    • we have at least one namespace for each developer (preview environment)
    • with five preview environments we would have a memory footprint of about ~3,5GiB (750MiB per kubevpn instance)

How?
Maybe a flag in the cli to point to the namespace where the kubevpn-traffic-manager is deployed.

What?
If it's possible to do something like this and if you decide to do it, I can offer at least to build a helm chart.

Yes, you can use the option --namespace (or short -n) to specify the namespace in which the kubevpn-traffic-manager pod is created; you can use the command kubevpn options to see more options, just like the command kubectl.

Yes, if you can help to write a helm chart, that's very nice, welcome ~, just go go go ~

Thanks! I tested it but I think I have an issue with that.
If I use the flag, the hosts entries are also from the specified namespace.
I would like to have kubevpn run in namespace A but get the hosts entries from namespace B.
At the moment it seems that I only get the hosts from the namespace in which kubevpn is running.

Actually, you can access a k8s service with its full k8s DNS name, e.g. if you are connected to namespace A, you can access a namespace B service in this way:

curl SERVICE_NAME.NAMESPACE_B.svc.cluster.local

here is doc kubevpn docs

For cross-namespace service access, it also supports short DNS names like:
On macOS

curl SERVICE_NAME.NAMESPACE_B
curl SERVICE_NAME.NAMESPACE_B.svc
curl SERVICE_NAME.NAMESPACE_B.svc.cluster.local

On Windows

curl SERVICE_NAME.NAMESPACE_B.svc.cluster.local

On Linux

curl SERVICE_NAME.NAMESPACE_B
curl SERVICE_NAME.NAMESPACE_B.svc
curl SERVICE_NAME.NAMESPACE_B.svc.cluster.local

@3deep5me hello, if you want to install it now, you can check out the branch feat/add-manifest-helm-chart with the command

git clone --branch feat/add-manifest-helm-chart https://github.com/kubenetworks/kubevpn.git

then

cd kubevpn

and use command to install it

helm install kubevpn ./charts/kubevpn --set image.tag=test

you can specify the namespace you want, but remember to include --set image.tag=test,
like:

helm install kubevpn ./charts/kubevpn  -n dev --set image.tag=test

if you know the k8s cluster's service CIDR or pod CIDR, you can use the command:

helm install kubevpn ./charts/kubevpn  -n dev --set image.tag=test --set cidr.pod=xxxx/xx --set cidr.service=xxxx/xx

finally, you can use command kubevpn to connect

kubevpn connect

otherwise, you can wait maybe two weeks for the release of the new version 2.2.2.
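The two security-relevant details in the install steps above are that the traffic manager is privileged (so it should live in its own namespace rather than in the restricted developer namespaces) and that the `cidr.pod` / `cidr.service` values are placeholders that should be validated before they are handed to `--set`. The following script is an added example, not code from the kubevpn project or from either commenter: it assumes the chart path `./charts/kubevpn` and the values keys `image.tag`, `cidr.pod` and `cidr.service` exactly as shown in the comment above; the namespace label is the standard Pod Security Admission label, and the function names are my own.

```shell
#!/bin/sh
# Added example (not kubevpn project code): prepare a dedicated namespace for the
# privileged kubevpn-traffic-manager and build the helm install from the comment above.
# Assumed: chart at ./charts/kubevpn with values image.tag, cidr.pod, cidr.service;
# pod-security.kubernetes.io/enforce is the standard Pod Security Admission label.

# validate_cidr ADDR/PREFIX -> 0 if it is a well-formed IPv4 CIDR, 1 otherwise.
# Rejects the "xxxx/xx" placeholder before it reaches --set cidr.pod=.
validate_cidr() {
  cidr=$1
  ip=${cidr%/*}
  prefix=${cidr#*/}
  # a slash must be present and the prefix must be numeric 0..32
  [ "$ip" != "$cidr" ] || return 1
  case $prefix in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$prefix" -le 32 ] || return 1
  # exactly four numeric octets, each 0..255
  n=0
  old_ifs=$IFS
  IFS=.
  for octet in $ip; do
    case $octet in
      ''|*[!0-9]*) IFS=$old_ifs; return 1 ;;
    esac
    [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    n=$((n + 1))
  done
  IFS=$old_ifs
  [ "$n" -eq 4 ]
}

# namespace_manifest NAME -> YAML for a namespace whose Pod Security Admission level
# admits the privileged traffic-manager pod, so developer namespaces stay "restricted".
namespace_manifest() {
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: $1
  labels:
    pod-security.kubernetes.io/enforce: privileged
EOF
}

# helm_install_cmd NAMESPACE POD_CIDR SERVICE_CIDR -> prints the helm command from the
# comment above with validated CIDRs; fails instead of passing bad values through.
helm_install_cmd() {
  ns=$1; pod_cidr=$2; svc_cidr=$3
  validate_cidr "$pod_cidr" || { echo "bad pod CIDR: $pod_cidr" >&2; return 1; }
  validate_cidr "$svc_cidr" || { echo "bad service CIDR: $svc_cidr" >&2; return 1; }
  printf 'helm install kubevpn ./charts/kubevpn -n %s --set image.tag=test --set cidr.pod=%s --set cidr.service=%s\n' \
    "$ns" "$pod_cidr" "$svc_cidr"
}

# install_central NAMESPACE POD_CIDR SERVICE_CIDR -> applies the namespace and runs the
# install. Needs kubectl and helm against a live cluster; the pure helpers above do not.
install_central() {
  cmd=$(helm_install_cmd "$1" "$2" "$3") || return 1
  namespace_manifest "$1" | kubectl apply -f -
  eval "$cmd"
}
```

Usage: source the file and call `install_central kubevpn 10.244.0.0/16 10.96.0.0/12` with your cluster's real CIDRs (the two values here are constructed samples). Keeping the namespace at `enforce: privileged` scopes the exception to the traffic manager alone; the developer namespaces keep their restricted enforcement.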

thanks @wencaiwulue!
I will try it out properly this week.

I just looked into the commit, looks nice so far. I like the HPA 😃.

I noticed a typo on the filename rulebinding.yaml.

Another question: Does Kubevpn need the namespace labeling? Because we normally manage our namespaces via GitOps, and in this case (if not configured) our GitOps controller would remove the additional label.

Yes, I will change rulebinding.yaml --> rolebinding.yaml.
Kubevpn needs the namespace label for the webhook to manage IPs (rentIP before pod creation and release the IP after pod destruction), but it also works even without labeling the namespace, because I wrote the same rentIP logic at the beginning of the pod entrypoint. But I recommend labeling the namespace, just to let all things go smoothly.

@3deep5me i finished this feature in pr #145 , you can install it by following doc: link

Thanks a lot!

@3deep5me in this pr #177, I added the feature to detect the pod/service CIDR; after the pod has been started in the cluster, the client does nothing but connect to the kubevpn-traffic-manager pod. This makes things easier ~. A new version is already released, you can have a try ~