This article is obsolete because it describes an approach that predates the availability of the ziti-edge-tunnel Helm chart and is redundant to the collection of documentation about tunneling workloads on Kubernetes.
This document provides guidance on deploying container endpoints in Kubernetes. We currently recommend our OpenZiti Edge SDK, a.k.a. Ziti Edge Tunnel, deployed as a single container, as a DaemonSet, or as a sidecar. Further examples and documentation are available at Ziti.dev, the NetFoundry API and NetFoundry, Inc. Each solution requires some additional cluster configuration for persistent volumes so that users can mount and persist endpoint identities. This documentation outlines the template for each container solution and is not specific to any public cloud or data center; deployment specifics will vary with the volume type chosen for persisted data.
Ziti Edge Tunnel - Single container (pod) deployment to single node
The Ziti Edge Tunnel single-container deployment should be considered when you only need to access cluster resources (egress to Pods or Kubernetes Services that are privately defined by name or IP in a NetFoundry Service/AppWAN). It installs a single Pod into the cluster on a single worker node. The identity persists if the Pod is deleted, and the Pod is automatically recreated. This deployment model should be installed and uninstalled via a simple Deployment. NOTE: It is necessary to pre-enroll your identity before deploying the container.
Sample Persistent Volume manifest below:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: ziti-enrolled-identity
  labels:
    type: local
spec:
  storageClassName: # determine storage class and label here (every cloud is different) e.g. oci
  capacity:
    storage: 100Mi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/ziti-edge-tunnel"
Sample single container (Pod) Deployment manifest below:
apiVersion: apps/v1
kind: Deployment
metadata: # name the Deployment as you like below
  name: ziti-edge-tunnel
spec:
  selector:
    matchLabels:
      app: ziti-edge-tunnel
  template:
    metadata:
      labels:
        app: ziti-edge-tunnel
    spec:
      containers:
        - name: ziti-edge-tunnel
          image: netfoundry/ziti-edge-tunnel:latest
          env:
            - name: NF_REG_NAME
              value: ziti-identity
          volumeMounts:
            - name: ziti-enrolled-identity
              mountPath: /ziti-edge-tunnel
              readOnly: true
            - name: system-bus-socket
              mountPath: /var/run/dbus/system_bus_socket
          securityContext:
            privileged: true
          args: # the verbose setting below may be reduced to 3 to decrease logging output
            - --verbose=4
            - --dns-ip-range=100.64.64.0/18
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      restartPolicy: Always
      volumes:
        - name: ziti-enrolled-identity
          secret: # must be pre-enrolled -- kubectl create secret generic ziti-enrolled-identity --from-file=ziti-enrolled-identity=./myZitiIdentityFile.json
            secretName: ziti-enrolled-identity
            defaultMode: 0400
            items:
              - key: ziti-enrolled-identity
                path: ziti-identity.json
        - name: system-bus-socket
          hostPath:
            path: /var/run/dbus/system_bus_socket
________________________________________________________________________________________________________________
Ziti Edge Tunnel - DaemonSet deployment over all (or selected) nodes using a single NetFoundry endpoint identity.
The DaemonSet deployment installs the Ziti Edge Tunnel on all or selected worker nodes within the cluster. It can be found here. It should be used for a redundant service termination solution or when scale demands additional resources. The endpoint identity persists if a Pod is deleted, and the Pods are automatically recreated. NOTE: It is necessary to pre-enroll your identity before deploying the DaemonSet.
Sample Persistent Volume manifest below:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: ziti-enrolled-identity
  labels:
    type: local
spec:
  storageClassName: # determine storage class and label here (every cloud is different) e.g. oci
  capacity:
    storage: 100Mi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/ziti-edge-tunnel"
Sample DaemonSet manifest below:
apiVersion: apps/v1
kind: DaemonSet
metadata: # name the DaemonSet as you wish below
  name: ziti-edge-tunnel-dset
spec:
  selector:
    matchLabels:
      app: ziti-edge-tunnel
  template:
    metadata:
      labels:
        app: ziti-edge-tunnel
    spec:
      containers:
        - name: ziti-edge-tunnel
          image: netfoundry/ziti-edge-tunnel:latest
          env:
            - name: NF_REG_NAME
              value: ziti-identity
          volumeMounts:
            - name: ziti-enrolled-identity
              mountPath: /ziti-edge-tunnel
              readOnly: true
            - name: system-bus-socket
              mountPath: /var/run/dbus/system_bus_socket
          securityContext:
            privileged: true
          args:
            - --verbose=4
            - --dns-ip-range=100.64.64.0/18
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet # use "Default" for Ziti DNS
      restartPolicy: Always
      volumes:
        - name: ziti-enrolled-identity
          secret: # kubectl create secret generic ziti-enrolled-identity --from-file=ziti-enrolled-identity=./myZitiIdentityFile.json
            secretName: ziti-enrolled-identity
            defaultMode: 0400
            items:
              - key: ziti-enrolled-identity
                path: ziti-identity.json
        - name: system-bus-socket
          hostPath:
            path: /var/run/dbus/system_bus_socket
__________________________________________________________________________________________
Ziti Edge Tunnel - Sidecar deployment, where the Ziti Edge Tunnel is deployed into a multi-container Pod or Pods. This is the only deployment that provides external network access for containerized applications.
The sidecar deployment installs the Ziti Edge Tunnel software on a single node as one container within a multi-container Pod. It provides network access (ingress and egress between the Pod's containers and the NetFoundry Network) for all containers within the Pod. The endpoint identity persists if a Pod is deleted, and the Pods are automatically recreated. NOTE: It is necessary to pre-enroll your identity before deploying the sidecar.
Sample Persistent Volume manifest below:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: ziti-enrolled-identity
  labels:
    type: local
spec:
  storageClassName: # determine storage class and label here (every cloud is different) e.g. oci
  capacity:
    storage: 100Mi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/ziti-edge-tunnel"
Sample Sidecar manifest below:
---
apiVersion: apps/v1
kind: Deployment
metadata: # name the sidecar Deployment as you wish below
  name: ziti-edge-tunnel-sidecar
spec:
  selector:
    matchLabels:
      app: ziti-edge-tunnel
  template:
    metadata:
      labels:
        app: ziti-edge-tunnel
    spec:
      containers:
        - image: centos
          name: testclient
          command: ["sh", "-c", "while true; set -x; do curl -sSLf eth0.ziti.cli 2>&1; set +x; sleep 5; done"]
        - image: netfoundry/ziti-edge-tunnel:latest
          name: ziti-edge-tunnel
          env:
            - name: NF_REG_NAME
              value: ziti-identity
          volumeMounts:
            - name: ziti-enrolled-identity
              mountPath: /ziti-edge-tunnel
              readOnly: true
            - name: system-bus-socket
              mountPath: /var/run/dbus/system_bus_socket
          securityContext:
            privileged: true
          args:
            - --verbose=3
            - --dns-ip-range=100.64.64.0/18
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet # use "Default" for Ziti DNS to work
      restartPolicy: Always
      volumes:
        - name: ziti-enrolled-identity
          secret: # kubectl create secret generic ziti-enrolled-identity --from-file=ziti-enrolled-identity=./myZitiIdentityFile.json
            secretName: ziti-enrolled-identity
            defaultMode: 0400
            items:
              - key: ziti-enrolled-identity
                path: ziti-identity.json
        - name: system-bus-socket
          hostPath:
            path: /var/run/dbus/system_bus_socket
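The three workload manifests above (single-container Deployment, DaemonSet and sidecar) share one pod template and differ only in the wrapping kind and the extra client container. The following Python is an added example, not NetFoundry's code or part of this article: it builds all three variants from one function, renders them as JSON (which kubectl apply accepts, so no YAML library is needed), and lints the part that carries the credential. The enrolled identity must be mounted read-only, with defaultMode 0400, under the file name that NF_REG_NAME points at. The function names, the simplified testclient loop and the assumption that the image looks for <NF_REG_NAME>.json in the mount directory are mine; the image, paths, names and flags are taken from the manifests above.

```python
"""Build the ziti-edge-tunnel workloads from one pod template and lint how the
enrolled identity reaches the container. Added example, not NetFoundry code.
Assumption: the image reads <NF_REG_NAME>.json under the mount path, as the
manifests on the page imply."""
import json

IDENTITY_SECRET = "ziti-enrolled-identity"   # Secret and volume name used on the page
IDENTITY_NAME = "ziti-identity"              # NF_REG_NAME; the identity file is <name>.json
MOUNT_PATH = "/ziti-edge-tunnel"
IMAGE = "netfoundry/ziti-edge-tunnel:latest"


def tunnel_container(verbose=3):
    """The ziti-edge-tunnel container as the page configures it."""
    return {
        "name": "ziti-edge-tunnel",
        "image": IMAGE,
        "env": [{"name": "NF_REG_NAME", "value": IDENTITY_NAME}],
        "volumeMounts": [
            {"name": IDENTITY_SECRET, "mountPath": MOUNT_PATH, "readOnly": True},
            {"name": "system-bus-socket", "mountPath": "/var/run/dbus/system_bus_socket"},
        ],
        # privileged + hostNetwork are what this tunnel-device approach requires
        "securityContext": {"privileged": True},
        "args": ["--verbose=%d" % verbose, "--dns-ip-range=100.64.64.0/18"],
    }


def workload(kind, name, extra_containers=()):
    """Deployment (single pod or sidecar) or DaemonSet around the same template."""
    if kind not in ("Deployment", "DaemonSet"):
        raise ValueError("unsupported kind: %s" % kind)
    return {
        "apiVersion": "apps/v1",
        "kind": kind,
        "metadata": {"name": name},
        "spec": {
            "selector": {"matchLabels": {"app": "ziti-edge-tunnel"}},
            "template": {
                "metadata": {"labels": {"app": "ziti-edge-tunnel"}},
                "spec": {
                    "containers": list(extra_containers) + [tunnel_container()],
                    "hostNetwork": True,
                    "dnsPolicy": "ClusterFirstWithHostNet",
                    "restartPolicy": "Always",
                    "volumes": [
                        {"name": IDENTITY_SECRET,
                         "secret": {"secretName": IDENTITY_SECRET,
                                    "defaultMode": 0o400,   # serialises as 256 == 0400
                                    "items": [{"key": IDENTITY_SECRET,
                                               "path": IDENTITY_NAME + ".json"}]}},
                        {"name": "system-bus-socket",
                         "hostPath": {"path": "/var/run/dbus/system_bus_socket"}},
                    ],
                },
            },
        },
    }


def lint(manifest):
    """Return findings about the identity secret: it must be mounted read-only,
    projected with mode 0400, and contain the file NF_REG_NAME resolves to."""
    findings = []
    pod = manifest["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod["volumes"]}
    for c in pod["containers"]:
        if c["name"] != "ziti-edge-tunnel":
            continue
        env = {e["name"]: e["value"] for e in c.get("env", [])}
        reg = env.get("NF_REG_NAME")
        for m in c.get("volumeMounts", []):
            vol = volumes.get(m["name"], {})
            if "secret" not in vol:
                continue
            if not m.get("readOnly"):
                findings.append("%s: identity secret mounted read-write" % m["name"])
            if vol["secret"].get("defaultMode") != 0o400:
                findings.append("%s: defaultMode is not 0400" % m["name"])
            paths = [i["path"] for i in vol["secret"].get("items", [])]
            if reg is None or reg + ".json" not in paths:
                findings.append("NF_REG_NAME=%s has no matching file in the secret" % reg)
    return findings


def render(manifest):
    """kubectl apply -f accepts JSON documents, so json.dumps is enough."""
    return json.dumps(manifest, indent=2)


# Simplified form of the page's testclient loop (constructed for this example).
SIDECAR_CLIENT = {"name": "testclient", "image": "centos",
                  "command": ["sh", "-c", "while true; do curl -sSLf eth0.ziti.cli; sleep 5; done"]}

if __name__ == "__main__":
    for kind, name, extra in [("Deployment", "ziti-edge-tunnel", ()),
                              ("DaemonSet", "ziti-edge-tunnel-dset", ()),
                              ("Deployment", "ziti-edge-tunnel-sidecar", (SIDECAR_CLIENT,))]:
        m = workload(kind, name, extra)
        print(name, "OK" if not lint(m) else lint(m))
```

Run it as a script to print one line per variant, or pipe render(workload(...)) into kubectl apply -f -. The lint deliberately stays silent on privileged and hostNetwork, because the page's approach needs both; what it does catch is the mistake that silently breaks or weakens the deployment: a writable identity mount, a permissive defaultMode, or an NF_REG_NAME that does not match the projected file name.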