
Attach a Cluster with Networking Restrictions

How to attach an existing cluster that has additional networking restrictions

Use this option when you want to attach a cluster that is in a DMZ, behind a NAT gateway, behind a proxy server or a firewall, or that requires additional access information. This procedure gathers the information required to create a kubeconfig file for the network tunnel between Kommander and the cluster you want to attach.

If your cluster blocks public access, you may need to take the additional step of allowing certain authorized networks where Docker images are hosted, so that Konvoy can use your cluster, specifically https://registry-1.docker.io/

  1. From the top menu bar, select your target workspace.

  2. On the Dashboard page, select the Add Cluster option in the Actions dropdown menu at the top right.

  3. Select Attach Cluster.

  4. Select the Cluster has networking restrictions card to display the configuration page.

  5. Enter the Cluster Name of the cluster you’re attaching.

  6. Create additional new Labels as needed.

  7. Select the hostname that is the Ingress for the cluster from the Load Balancer Hostname dropdown menu. The hostname must match the Kommander Host cluster to which you are attaching your existing cluster with network restrictions.

  8. Specify the URL Path Prefix for your Load Balancer Hostname. This URL path will serve as the prefix for the specific tunnel services you want to expose on the Kommander management cluster. If no value is specified, the value defaults to /dkp/tunnel.

    NOTE: Kommander uses Traefik 2 ingress, which requires the strip prefix middleware to be defined explicitly as a Kubernetes API object, as opposed to a simple annotation. Kommander provides default middleware that supports creating tunnels only on the /dkp/tunnel URL prefix. This is indicated by the extra annotation traefik.ingress.kubernetes.io/router.middlewares: kommander-stripprefixes-kubetunnel@kubernetescrd, as shown in the code sample that follows. If you want to expose a tunnel on a different URL prefix, you must manage your own middleware configuration.

  9. (Optional) Enter a value for the Hostname field.

  10. If you have not attached this cluster before, you must create a new secret in the Root CA Certificate dropdown menu. To do this, run the following command in your Konvoy management cluster to view the base64-encoded Kubernetes secret value, then copy and paste it into the Root CA Certificate field:

    # Print the base64-encoded CA certificate (tls.crt) from the kommander-ca secret
    echo "$(kubectl get secret -n cert-manager kommander-ca -o=go-template='{{index .data "tls.crt"}}')"

    Otherwise, select from the list of available Secrets.

  11. Add any Extra Annotations as needed.

  12. Select the Save & Generate kubeconfig button to generate the kubeconfig file for the network tunnel.

After the above is complete, finish Attaching the Cluster.

As an alternative procedure, you can follow these instructions to Use CLI to Add Managed Clusters to Kommander.

For information on TunnelGateway, review the API documentation.
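
The note in step 8 says a tunnel on a prefix other than /dkp/tunnel needs its own strip prefix middleware. The following is an added example of such a Traefik 2 Middleware object and the matching form values; it is not taken from the Kommander documentation. The middleware name, the kommander namespace placement, and the /ops/tunnel prefix are hypothetical.

```yaml
# Added example (not Kommander's own configuration).
# Hypothetical values: metadata.name, metadata.namespace, and /ops/tunnel.
# Assumption: a custom tunnel route needs the same kind of prefix stripping
# that the default stripprefixes-kubetunnel middleware provides for /dkp/tunnel.
apiVersion: traefik.containo.us/v1alpha1  # Traefik 2 CRD group; 2.10+ also serves traefik.io/v1alpha1
kind: Middleware
metadata:
  name: stripprefixes-ops-tunnel
  namespace: kommander
spec:
  stripPrefix:
    prefixes:
      # Strip only the tunnel prefix so other routes on the same
      # load balancer hostname are not rewritten by this middleware.
      - /ops/tunnel

# Matching values for the attach form:
#   URL Path Prefix:   /ops/tunnel
#   Extra Annotations: traefik.ingress.kubernetes.io/router.middlewares: kommander-stripprefixes-ops-tunnel@kubernetescrd
#
# The annotation value is <namespace>-<name>@kubernetescrd, the same pattern
# as the default kommander-stripprefixes-kubetunnel@kubernetescrd.
```

Create the Middleware before saving the form: a router annotation that names a middleware Traefik cannot find leaves that route in an error state instead of serving it.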
