How to access private EKS cluster API server via OpenZiti

I installed a router in a private EKS cluster with the following settings:

helm upgrade --install "private-cluster" openziti/ziti-router \
    --namespace ziti \
    --set-file enrollmentJwt=./router-cluster.jwt \
    --set edge.advertisedHost=private-router123-edge.ziti.svc.cluster.local \
    --set linkListeners.transport.service.enabled=false \
    --set tunnel.mode=host \
    --set ctrl.endpoint="url:6262"

ziti edge update identity "router-cluster" \
    --role-attributes router-cluster

ziti edge create identity "cluster-client" \
    --role-attributes cluster-clients \
    --jwt-output-file cluster-client.jwt

ziti edge create config "router-cluster-i" intercept.v1 \
    '{"protocols":["tcp"],"addresses":["k8s.ziti.internal"], "portRanges":[{"low":443, "high":443}]}'

ziti edge create config "router-cluster-h" host.v1 \
    '{"protocol":"tcp", "address":"kubernetes.default.svc.cluster.local","port":443}'

ziti edge create service "router-cluster" \
    --configs router-cluster-i,router-cluster-h

ziti edge create edge-router-policy "default" \
    --edge-router-roles '#all' --identity-roles '#all'

ziti edge create service-edge-router-policy "default" \
    --edge-router-roles '#all' --service-roles '#all'

ziti edge create service-policy "router-cluster" Dial \
    --service-roles '@router-cluster' --identity-roles '#cluster-clients'

ziti edge create service-policy "router-cluster-b" Bind \
    --service-roles '@router-cluster' --identity-roles '#router-cluster'

ziti edge policy-advisor services router-cluster -q

Then, in another network, I installed the kubeconfig and, under the server field, replaced the URL with k8s.ziti.internal:443.

I was able to telnet, but if I run kubectl commands I get:

E0706 13:22:36.022804   70399 memcache.go:265] couldn't get current server API group list: the server rejected our request for an unknown reason
E0706 13:22:36.086765   70399 memcache.go:265] couldn't get current server API group list: the server rejected our request for an unknown reason
E0706 13:22:36.149095   70399 memcache.go:265] couldn't get current server API group list: the server rejected our request for an unknown reason
E0706 13:22:36.209991   70399 memcache.go:265] couldn't get current server API group list: the server rejected our request for an unknown reason
Error from server (BadRequest): the server rejected our request for an unknown reason

OK, by correcting the URL to add https:// and running commands using --insecure-skip-tls-verify=true, I was able to access it.

Cool. I think you needed skip tls verify because the DNS name doesn't match the Kube API server cert's DNS SANs. You can re-issue that Kube API server cert with the intercept DNS name you chose to resolve that problem with TLS verify enabled (ChatGPT instructions).

Another way is kubeztl which can replace kubectl for connecting to Kube API via OpenZiti.
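
The SAN mismatch suggested in the reply above can be checked directly with the `openssl` CLI. This is an added example, not part of the original thread: the function names are hypothetical, and the self-signed certificate it generates is a constructed stand-in whose SAN list is an assumption, not the real API server certificate.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Requires the openssl CLI, 1.1.1 or newer.

# fetch_server_cert HOST:PORT OUT_PEM
# Save the leaf certificate presented at HOST:PORT, for example the intercept
# address k8s.ziti.internal:443 while the tunneler is running.
fetch_server_cert() {
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
    | openssl x509 -out "$2"
}

# host_matches_cert PEM HOSTNAME
# Return 0 only if HOSTNAME is covered by the certificate's names.
host_matches_cert() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
    | grep -q "does match certificate"
}

# make_sample_cert OUT_PEM
# Constructed sample: self-signed certificate that lists only in-cluster
# service names as SANs (assumed for this demo, not read from a cluster).
make_sample_cert() {
  keydir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=kube-apiserver" \
    -addext "subjectAltName=DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local" \
    -keyout "$keydir/key.pem" -out "$1" 2>/dev/null
  rm -rf "$keydir"
}

# report PEM NAME...
# Print one verdict line per candidate server name.
report() {
  cert=$1; shift
  for name in "$@"; do
    if host_matches_cert "$cert" "$name"; then
      echo "OK    $name"
    else
      echo "FAIL  $name (not in SANs; TLS verification rejects it)"
    fi
  done
}

sample=$(mktemp)
make_sample_cert "$sample"
report "$sample" kubernetes.default.svc.cluster.local k8s.ziti.internal
rm -f "$sample"
```

Against the live cluster, run `fetch_server_cert k8s.ziti.internal:443 apiserver.pem` and pass that file to `report` instead of the sample. Once the certificate has been re-issued with the intercept name, that name should report OK and `--insecure-skip-tls-verify=true` can be dropped.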