Pod-level Proxy Configuration on Kubernetes and Flux

Muhammed Said Kaya
Picus Security Engineering
May 5, 2023

In terms of network security best practices, companies use internal networks and proxy machines to access the internet. These networks enable the use of proxies for scenarios such as monitoring inbound and outbound traffic, auditing, and SSL inspection.

In this blog post, I will discuss how to configure proxy settings so that workloads managed by Flux in a Kubernetes cluster on the internal network can reach locations on the external network.

If you do not want the machines hosting your Kubernetes cluster to have direct access to the internet, and instead want all egress to pass through a specific proxy machine (for example, for SSL inspection), you need to configure both the Pods in your cluster and Flux’s own controller applications with the settings of that proxy machine.

Here, we can provide these settings at the pod and container level with three environment variables: HTTP_PROXY, HTTPS_PROXY and NO_PROXY.

There are two different options for injecting environment variables into a pod.

  1. Manually setting the environment variables for each pod.
  2. Extending Kubernetes and using a Mutating Admission webhook to intercept incoming API requests and patch the object to inject environment variables.

In this blog post, I will explain how to implement the first option.

First, we create a ConfigMap object in our cluster that contains the environment variables.

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-configs-proxy
  namespace: flux-system
data:
  http_proxy: "http://muhammed.com:3128"
  https_proxy: "http://muhammed.com:3129"
  no_proxy: "svc,local"
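These three variables only do what the client that reads them decides they do. Flux’s controllers are Go programs, and Go’s default HTTP transport picks the proxy for each request with http.ProxyFromEnvironment. The program below is an added example (not code from this post or from Flux) that loads the ConfigMap values above into the environment and shows, for a handful of constructed destinations, which requests are sent through the proxy and which go direct. The Git repository name, the service hostnames and the 10.96.0.1 ClusterIP are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// ProxySettings mirrors the three keys of the user-configs-proxy ConfigMap.
type ProxySettings struct {
	HTTPProxy  string
	HTTPSProxy string
	NoProxy    string
}

// PageSettings holds the values from the post's ConfigMap.
var PageSettings = ProxySettings{
	HTTPProxy:  "http://muhammed.com:3128",
	HTTPSProxy: "http://muhammed.com:3129",
	NoProxy:    "svc,local",
}

// Apply exports the settings the way envFrom/configMapRef would, using the
// lowercase keys from the ConfigMap (Go checks the uppercase name first and
// then the lowercase one). Go reads these variables once per process and
// caches the result, so Apply must run before the first proxy lookup.
func (p ProxySettings) Apply() {
	os.Setenv("http_proxy", p.HTTPProxy)
	os.Setenv("https_proxy", p.HTTPSProxy)
	os.Setenv("no_proxy", p.NoProxy)
}

// ProxyFor returns the proxy URL Go's default transport would use for target,
// or "" when the request is sent directly (NO_PROXY match, localhost or loopback).
func ProxyFor(target string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	proxy, err := http.ProxyFromEnvironment(req)
	if err != nil || proxy == nil {
		return "", err
	}
	return proxy.String(), nil
}

// Resolve applies the settings once and maps each target to its proxy decision.
func Resolve(p ProxySettings, targets []string) (map[string]string, error) {
	p.Apply()
	out := make(map[string]string, len(targets))
	for _, t := range targets {
		proxy, err := ProxyFor(t)
		if err != nil {
			return nil, err
		}
		out[t] = proxy
	}
	return out, nil
}

func main() {
	// Constructed sample destinations: one external Git host and several
	// in-cluster endpoints (10.96.0.1 stands in for the API server ClusterIP).
	targets := []string{
		"https://github.com/example-org/fleet.git",
		"https://kubernetes.default.svc:443/api",
		"http://notification-controller.flux-system.svc.cluster.local/",
		"https://10.96.0.1:443/api",
		"http://localhost:9090/metrics",
	}
	decisions, err := Resolve(PageSettings, targets)
	if err != nil {
		panic(err)
	}
	for _, t := range targets {
		if decisions[t] == "" {
			fmt.Printf("%-65s direct\n", t)
		} else {
			fmt.Printf("%-65s via %s\n", t, decisions[t])
		}
	}
}
```

Two points stand out when you run it. A NO_PROXY of `svc,local` bypasses both the short service name (`kubernetes.default.svc`) and the FQDN form (`…svc.cluster.local`), but a bare ClusterIP such as the API server address is still sent to the proxy, so add cluster CIDRs if any workload talks to services by IP. Other runtimes (curl, Python, Java) parse NO_PROXY by their own rules, so check each workload’s client rather than assuming the Go behaviour shown here.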

As you know, Flux manages its own resources in the Git repository. To make Flux send its outbound traffic through the proxy, we need to expose the ConfigMap we created earlier as environment variables in the Source Controller Deployment.

In our kustomization.yaml file, we reference our patch file.

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
patchesStrategicMerge:
  - gotk-patches/source-controller-proxy-patch.yaml

The following code block contains the contents of the source-controller-proxy-patch.yaml file. Here, we inject the environment variables into the container named “manager” through an envFrom entry with a configMapRef.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: source-controller
  namespace: flux-system
spec:
  template:
    spec:
      containers:
        - name: manager
          envFrom:
            - configMapRef:
                name: user-configs-proxy
                optional: true

Once this patch is applied, Flux can reach the GitHub repository on the external network by leaving the internal network through the proxy.

If there are any other applications in the cluster that perform outbound traffic, we need to inject the environment variables into those workloads as well. We can achieve this by either manually setting the environment variables or by using a Mutating Admission webhook to inject the variables automatically.
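Finding those workloads by reading every manifest does not scale, so the check can be run against the output of `kubectl get pods -A -o json`. The program below is an added example, not code from this post, that parses a constructed, trimmed-down pod list and reports every container that neither references the user-configs-proxy ConfigMap through envFrom nor sets HTTP_PROXY and HTTPS_PROXY explicitly. The pod names, namespaces and values in the sample are made up for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// PodList is a minimal view of the JSON returned by kubectl get pods -o json;
// only the fields the audit needs are declared, the rest is ignored.
type PodList struct {
	Items []struct {
		Metadata struct {
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"metadata"`
		Spec struct {
			Containers []Container `json:"containers"`
		} `json:"spec"`
	} `json:"items"`
}

// Container carries the two places a proxy setting can come from: explicit
// env entries and envFrom references to a ConfigMap.
type Container struct {
	Name string `json:"name"`
	Env  []struct {
		Name  string `json:"name"`
		Value string `json:"value"`
	} `json:"env"`
	EnvFrom []struct {
		ConfigMapRef *struct {
			Name string `json:"name"`
		} `json:"configMapRef"`
	} `json:"envFrom"`
}

// hasProxyConfig reports whether the container receives proxy settings either
// from the shared ConfigMap (envFrom/configMapRef) or from explicit env
// entries; variable names are compared case-insensitively because both
// spellings are in common use.
func hasProxyConfig(c Container, proxyConfigMap string) bool {
	for _, ef := range c.EnvFrom {
		if ef.ConfigMapRef != nil && ef.ConfigMapRef.Name == proxyConfigMap {
			return true
		}
	}
	seen := map[string]bool{}
	for _, e := range c.Env {
		seen[strings.ToUpper(e.Name)] = true
	}
	return seen["HTTP_PROXY"] && seen["HTTPS_PROXY"]
}

// AuditPods returns "namespace/pod/container" for every container without
// proxy settings, sorted so the report is stable between runs.
func AuditPods(podListJSON []byte, proxyConfigMap string) ([]string, error) {
	var list PodList
	if err := json.Unmarshal(podListJSON, &list); err != nil {
		return nil, err
	}
	var missing []string
	for _, p := range list.Items {
		for _, c := range p.Spec.Containers {
			if !hasProxyConfig(c, proxyConfigMap) {
				missing = append(missing, fmt.Sprintf("%s/%s/%s", p.Metadata.Namespace, p.Metadata.Name, c.Name))
			}
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// SamplePodList is a constructed, trimmed-down pod list: the patched Flux
// controller, an application with explicit env entries, and a pod whose two
// containers have no proxy settings at all.
const SamplePodList = `{"items":[
 {"metadata":{"name":"source-controller-7c9f","namespace":"flux-system"},
  "spec":{"containers":[{"name":"manager","envFrom":[{"configMapRef":{"name":"user-configs-proxy","optional":true}}]}]}},
 {"metadata":{"name":"billing-api-0","namespace":"billing"},
  "spec":{"containers":[{"name":"api","env":[{"name":"HTTP_PROXY","value":"http://muhammed.com:3128"},{"name":"HTTPS_PROXY","value":"http://muhammed.com:3129"},{"name":"NO_PROXY","value":"svc,local"}]}]}},
 {"metadata":{"name":"legacy-exporter-1","namespace":"monitoring"},
  "spec":{"containers":[{"name":"exporter","env":[{"name":"LOG_LEVEL","value":"info"}]},{"name":"sidecar","envFrom":[{"secretRef":{"name":"creds"}}]}]}}
]}`

func main() {
	missing, err := AuditPods([]byte(SamplePodList), "user-configs-proxy")
	if err != nil {
		panic(err)
	}
	for _, m := range missing {
		fmt.Println("no proxy settings:", m)
	}
}
```

To run it against a live cluster, replace SamplePodList with the bytes read from `kubectl get pods -A -o json`. Containers that never open outbound connections will also show up, so treat the list as a review queue rather than a set of errors; if a mutating webhook injects a ConfigMap under a different name, pass that name to AuditPods instead.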

Conclusion

In short, if you want to harden your network security and route all internet access through an external proxy instead of allowing direct connections, you can configure your Kubernetes cluster and Flux workloads to do so with little effort.

Thanks for reading. If you have questions or comments regarding this article, please feel free to leave a comment below.

Would you like to get in touch? Reach out to me on LinkedIn:

https://www.linkedin.com/in/muhammedsaidkaya/
