Deploying Ziti Edge Tunnel container in Kubernetes Cluster

This article is obsolete because it describes an approach that predates the availability of the ziti-edge-tunnel Helm chart and is redundant to the collection of documentation about tunneling workloads on Kubernetes.


This document provides guidance on deploying the various container endpoints in Kubernetes. Currently we recommend our OpenZiti Edge SDK, aka Ziti-Edge-Tunnel, deployed as a single container, as a DaemonSet, or as a sidecar. We have some examples and further documentation at Ziti.dev, the NetFoundry API and NetFoundry, Inc. Each of these solutions requires some additional cluster configuration for persistent volumes so that users can mount and persist endpoint identities. This documentation outlines the template for each container solution and is not specific to any public cloud or data center deployment. Deployment specifics will vary depending on the volume selected for persisted data.


Ziti Edge Tunnel - Single container (pod) deployment to single node

The single-container Ziti Edge Tunnel should be considered when you only need to access cluster resources (egress to Pods or K8s Services that are privately defined by name or IP in a NetFoundry Service/AppWAN). This installs a single Pod into the cluster on a single worker node. The identity persists if the Pod is deleted, and the Pod is automatically recreated. This deployment model should be installed and uninstalled via a simple Deployment. NOTE: It is necessary to pre-enroll your identity before deploying the container.


Sample Persistent Volume manifest below:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: ziti-enrolled-identity
  labels:
    type: local
spec:
  storageClassName: # determine storage class and label here (every cloud is different) e.g. oci
  capacity:
    storage: 100Mi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/ziti-edge-tunnel"


Sample single container (POD) manifest below:

apiVersion: apps/v1
kind: Deployment
metadata: # name container as you like below
  name: ziti-edge-tunnel
spec:
  selector:
    matchLabels:
      app: ziti-edge-tunnel
  template:
    metadata:
      labels:
        app: ziti-edge-tunnel
    spec:
      containers:
      - name: ziti-edge-tunnel
        image: netfoundry/ziti-edge-tunnel:latest
        env:
        - name: NF_REG_NAME
          value: ziti-identity
        volumeMounts:
        - name: ziti-enrolled-identity
          mountPath: /ziti-edge-tunnel
          readOnly: true
        - name: system-bus-socket
          mountPath: /var/run/dbus/system_bus_socket
        securityContext:
          privileged: true
        args: #verbose setting below may be reduced to 3 to decrease logging output
        - --verbose=4
        - --dns-ip-range=100.64.64.0/18
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      restartPolicy: Always
      volumes:
      - name: ziti-enrolled-identity
        secret: # must be pre-enrolled -- kubectl create secret generic ziti-enrolled-identity --from-file=ziti-enrolled-identity=./myZitiIdentityFile.json
          secretName: ziti-enrolled-identity
          defaultMode: 0400
          items:
          - key: ziti-enrolled-identity
            path: ziti-identity.json
      - name: system-bus-socket
        hostPath:
          path: /var/run/dbus/system_bus_socket
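The secret volume comment above assumes the identity was enrolled and wrapped into a Secret named ziti-enrolled-identity first. The following is an added example, not part of the original article or the ziti-edge-tunnel project: it checks that a file is an enrolled identity rather than the un-enrolled enrollment JWT, then renders the same Secret that the kubectl create secret command in the comment would create, without needing kubectl. The sample identity, the "pem:"-prefixed key/cert/ca layout under "id" and the ztAPI URL are assumptions.

```python
import base64
import json

# Constructed sample of an enrolled identity file. The layout (ztAPI plus
# "pem:"-prefixed key/cert/ca under "id") is assumed from the ziti SDK
# identity format and is not shown on the page; real files carry full PEMs.
SAMPLE_IDENTITY = json.dumps({
    "ztAPI": "https://controller.example.invalid:1280",
    "id": {
        "key": "pem:-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "cert": "pem:-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
        "ca": "pem:-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    },
}).encode()
# Constructed stand-in for an un-enrolled enrollment token (a JWT), which is
# what the controller hands out before enrollment; it must not be mounted.
SAMPLE_JWT = b"eyJhbGciOiJSUzI1NiJ9.PLACEHOLDER.PLACEHOLDER"

def is_enrolled_identity(raw: bytes) -> bool:
    """True only for JSON carrying ztAPI and PEM-bearing id.key/cert/ca."""
    try:
        ident = json.loads(raw)
    except ValueError:
        return False  # a JWT or other non-JSON file is not an enrolled identity
    if not isinstance(ident, dict) or "ztAPI" not in ident:
        return False
    parts = ident.get("id")
    if not isinstance(parts, dict):
        return False
    return all(str(parts.get(k, "")).startswith(("pem:", "file:"))
               for k in ("key", "cert", "ca"))

def identity_secret_manifest(raw: bytes, name: str = "ziti-enrolled-identity") -> str:
    """Render what `kubectl create secret generic <name> --from-file=<name>=FILE`
    produces; the Pod specs on this page select key <name> into ziti-identity.json."""
    if not is_enrolled_identity(raw):
        raise ValueError("not an enrolled identity; enroll the JWT first")
    data = base64.b64encode(raw).decode("ascii")
    return (
        "apiVersion: v1\nkind: Secret\nmetadata:\n"
        f"  name: {name}\ntype: Opaque\ndata:\n  {name}: {data}\n"
    )

def secret_data_bytes(manifest: str, name: str = "ziti-enrolled-identity") -> bytes:
    """Decode the data entry back out of the rendered manifest (round-trip check)."""
    prefix = f"  {name}: "
    line = next(l for l in manifest.splitlines() if l.startswith(prefix))
    return base64.b64decode(line[len(prefix):])
```

Pipe the rendered manifest to kubectl apply -f -, and keep defaultMode 0400 on the volume so the private key in the mounted file is readable only by the tunnel process's user.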

________________________________________________________________________________________________________________

Ziti Edge Tunnel - DaemonSet deployment over all (or selected) nodes using a single NetFoundry endpoint identity


The DaemonSet deployment installs the Ziti Edge Tunnel on all or selected worker nodes within the cluster. It can be found here. Use this for a redundant service termination solution or when scale demands additional resources. The endpoint identity persists if a Pod is deleted, and the Pods are automatically recreated. NOTE: It is necessary to pre-enroll your identity before deploying the DaemonSet.


Sample Persistent Volume manifest below:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: ziti-enrolled-identity
  labels:
    type: local
spec:
  storageClassName: # determine storage class and label here (every cloud is different) e.g. oci
  capacity:
    storage: 100Mi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/ziti-edge-tunnel"


Sample DaemonSet manifest below:

apiVersion: apps/v1
kind: DaemonSet
metadata: # name dset as you wish below
  name: ziti-edge-tunnel-dset
spec:
  selector:
    matchLabels:
      app: ziti-edge-tunnel
  template:
    metadata:
      labels:
        app: ziti-edge-tunnel
    spec:
      containers:
      - name: ziti-edge-tunnel
        image: netfoundry/ziti-edge-tunnel:latest
        env:
        - name: NF_REG_NAME
          value: ziti-identity
        volumeMounts:
        - name: ziti-enrolled-identity
          mountPath: /ziti-edge-tunnel
          readOnly: true
        - name: system-bus-socket # host D-Bus socket, used to configure host DNS (systemd-resolved)
          mountPath: /var/run/dbus/system_bus_socket
        securityContext:
          privileged: true # required for the tun device and host network changes
        args: # verbose setting below may be reduced to 3 to decrease logging output
        - --verbose=4
        - --dns-ip-range=100.64.64.0/18
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet # Use "Default" for Ziti DNS
      restartPolicy: Always
      volumes:
      - name: ziti-enrolled-identity
        secret: # must be pre-enrolled -- kubectl create secret generic ziti-enrolled-identity --from-file=ziti-enrolled-identity=./myZitiIdentityFile.json
          secretName: ziti-enrolled-identity
          defaultMode: 0400
          items:
          - key: ziti-enrolled-identity
            path: ziti-identity.json
      - name: system-bus-socket
        hostPath:
          path: /var/run/dbus/system_bus_socket

__________________________________________________________________________________________

Ziti Edge Tunnel - Sidecar deployment, where the Ziti Edge Tunnel is deployed into a multi-container Pod or Pods. This is the only deployment that provides external network access for containerized applications.


The sidecar deployment installs the Ziti Edge Tunnel software on a single node as one container within a multi-container Pod. It can provide outbound network access (ingress and egress between the Pod's containers and the NetFoundry Network) for all containers within the Pod. The endpoint identity persists if a Pod is deleted, and the Pods are automatically recreated. NOTE: It is necessary to pre-enroll your identity before deploying the sidecar.



Sample Persistent Volume manifest below:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: ziti-enrolled-identity
  labels:
    type: local
spec:
  storageClassName: # determine storage class and label here (every cloud is different) e.g. oci
  capacity:
    storage: 100Mi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/ziti-edge-tunnel"


Sample Sidecar manifest below:

---
apiVersion: apps/v1
kind: Deployment
metadata: # name Sidecar as you wish below
  name: ziti-edge-tunnel-sidecar
spec:
  selector:
    matchLabels:
      app: ziti-edge-tunnel
  template:
    metadata:
      labels:
        app: ziti-edge-tunnel
    spec:
      containers:
      - image: centos # test client: fetches a Ziti service by name through the tunnel every 5 seconds
        name: testclient
        command: ["sh","-c","while true; set -x; do curl -sSLf eth0.ziti.cli 2>&1; set +x; sleep 5; done"]
      - image: netfoundry/ziti-edge-tunnel:latest
        name: ziti-edge-tunnel
        env:
        - name: NF_REG_NAME
          value: ziti-identity
        volumeMounts:
        - name: ziti-enrolled-identity
          mountPath: /ziti-edge-tunnel
          readOnly: true
        - name: system-bus-socket # host D-Bus socket, used to configure host DNS (systemd-resolved)
          mountPath: /var/run/dbus/system_bus_socket
        securityContext:
          privileged: true # required for the tun device and host network changes
        args:
        - --verbose=3
        - --dns-ip-range=100.64.64.0/18
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet # use Default for Ziti DNS to work
      restartPolicy: Always
      volumes:
      - name: ziti-enrolled-identity
        secret: # must be pre-enrolled -- kubectl create secret generic ziti-enrolled-identity --from-file=ziti-enrolled-identity=./myZitiIdentityFile.json
          secretName: ziti-enrolled-identity
          defaultMode: 0400
          items:
          - key: ziti-enrolled-identity
            path: ziti-identity.json
      - name: system-bus-socket
        hostPath:
          path: /var/run/dbus/system_bus_socket
