
Suppose I have a k8s cluster whose services IP range is 10.198.240.0/20.

Now I want this IP range to be accessible from another cluster or data center.

Is it feasible to run OpenVPN within a Kubernetes pod so that this IP range is accessible via VPN?

030

2 Answers


Had the same problem and made this solution:

Try it and let me know if it works for you.

Instructions:

docker run --user=$(id -u) -e OVPN_SERVER_URL=tcp://vpn.my.fqdn:1194 \
-v $PWD:/etc/openvpn:z -ti ptlange/openvpn ovpn_initpki
docker run --user=$(id -u) -e EASYRSA_CRL_DAYS=180 \
-v $PWD:/etc/openvpn:z -ti ptlange/openvpn easyrsa gen-crl

Get the service ID:

$ ./kube/deploy.sh
Usage: ./kube/deploy.sh <namespace> <OpenVPN URL> <service cidr> <pod cidr>

$ ./kube/deploy.sh default tcp://vpn.my.fqdn:1194 10.3.0.0/24 10.2.0.0/16
secret "openvpn-pki" created
configmap "openvpn-settings" created
configmap "openvpn-ccd" created
deployment "openvpn" created
You have exposed your service on an external port on all nodes in your
cluster.  If you want to expose this service to the external internet, you may
need to set up firewall rules for the service port(s) (tcp:30xxx) to serve traffic.

See http://releases.k8s.io/release-1.3/docs/user-guide/services-firewalls.md for
more details.
service "openvpn-ingress" created
pieter
    Please do not post link-only answers to prevent link rot. Instead, add the most relevant information from the link to your answer or alternatively, post the link as a comment instead of an answer. See [this](http://serverfault.com/help/how-to-answer) help center article for further information. – Sven Jul 04 '17 at 12:59
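The deploy script in the answer above takes the service and pod CIDRs and turns them into OpenVPN configuration, but the page does not show what that configuration looks like. The script below is an added example, not code from pieter's answer or from the ptlange/openvpn image: it converts CIDRs into the dotted-netmask `push "route ..."` directives OpenVPN requires and renders a server.conf that also enforces the CRL the instructions generate with `easyrsa gen-crl`. The PKI paths under /etc/openvpn/pki, the ta.key file and the 10.8.0.0/24 tunnel subnet are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example: render an OpenVPN server.conf for a server running inside a
# Kubernetes pod, pushing the cluster's service and pod CIDRs to clients.
# Not the ptlange/openvpn image's own config; paths and the tunnel subnet
# are assumptions.
set -eu

# Prefix length (0-32) -> dotted-quad netmask. OpenVPN's "server" and
# "route" directives take a netmask, not CIDR notation.
cidr_to_netmask() {
  local bits=$1 mask=0
  [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || { echo "bad prefix: $bits" >&2; return 1; }
  if [ "$bits" -gt 0 ]; then
    # 4294967295 is 0xFFFFFFFF; keep the shift inside 32 bits.
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
  printf '%d.%d.%d.%d\n' $(( mask >> 24 )) $(( (mask >> 16) & 255 )) \
    $(( (mask >> 8) & 255 )) $(( mask & 255 ))
}

# "10.3.0.0/24" -> push "route 10.3.0.0 255.255.255.0"
push_route() {
  local cidr=$1 net prefix
  net=${cidr%/*}
  prefix=${cidr#*/}
  [ "$net" != "$cidr" ] || { echo "not a CIDR: $cidr" >&2; return 1; }
  printf 'push "route %s %s"\n' "$net" "$(cidr_to_netmask "$prefix")"
}

# Emit server.conf for the given service CIDR and pod CIDR.
# Usage: render_server_conf <service cidr> <pod cidr> [port] [proto]
render_server_conf() {
  local service_cidr=$1 pod_cidr=$2 port=${3:-1194} proto=${4:-tcp}
  local svc_route pod_route
  svc_route=$(push_route "$service_cidr")   # fails early on a bad CIDR
  pod_route=$(push_route "$pod_cidr")
  cat <<EOF
port $port
proto $proto
dev tun
# PKI produced by "ovpn_initpki"; these paths are assumptions.
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key
dh /etc/openvpn/pki/dh.pem
# Without crl-verify the CRL from "easyrsa gen-crl" is never consulted and a
# revoked client certificate still gets in.
crl-verify /etc/openvpn/pki/crl.pem
# HMAC on the control channel before the TLS handshake, so unauthenticated
# probes against the NodePort are dropped cheaply. (assumed key file)
tls-auth /etc/openvpn/pki/ta.key 0
tls-version-min 1.2
remote-cert-tls client
# Tunnel subnet (assumed); must not overlap the service or pod CIDRs.
server 10.8.0.0 255.255.255.0
$svc_route
$pod_route
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
EOF
}

# Stand-alone use: ./render.sh 10.3.0.0/24 10.2.0.0/16 > /etc/openvpn/openvpn.conf
if [ "$#" -ge 2 ]; then
  render_server_conf "$@"
fi
```

Two things the config alone does not cover when the server lives in a pod: the container needs CAP_NET_ADMIN and a /dev/net/tun device to create the tunnel interface, and traffic from the tunnel subnet into the cluster should be masqueraded to the pod's own IP (for example `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`), because nothing in the cluster knows a route back to 10.8.0.0/24 otherwise.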

What you are trying to achieve is described in these discussions [1][2]. Basically after you have exposed Kubernetes services to be reachable via a private IP, you also need to add at least one route in your Google network.

As an example, my services always get deployed using this range: 10.167.240.0/20. I got the address range by looking at the output of "gcloud container clusters describe CLUSTER_NAME --zone ZONE" (servicesIpv4Cidr: 10.167.240.0/20).

I added a route in my Google network so that the range 10.167.240.0/20 is forwarded to one of my cluster's nodes.

Carlos