Curious to know more about how this type of deployment is used.
Any tips?
I think that you’re supposed to use it as a sidecar container in a kubernetes pod or maybe on a docker network where you only allow traffic to and from the tunneler
1 Like
We did some early experiments with ziti-tunnel (the old tunneler) as a sidecar. It can work but DNS is tricky. If you only need to “host” a Ziti service i.e. k8s ingress to apiserver or workloads then you probably want helm install ziti-host from NetFoundry Helm Charts | charts
If you’re looking for a Ziti nameserver and IP routes in k8s then I’d recommend this daemonset example using the newer tunneler: developer-tools/ziti-daemonset-tun.yml at main · netfoundry/developer-tools · GitHub
Still, it’s not strictly necessary to enable the tunneler on the node with Kubernetes. You could install the tunneler separately and it would have the same effect for pods on that node i.e. the node’s host resolver is configured for Ziti and inherited by pods that have a value for dnsConfig that doesn’t override that inheritance. All users and all processes on the node will have the same level of host access to Ziti services. The one gotcha being that pods must start after the tunneler is enabled or they won’t inherit the Ziti-enabled dnsConfig.