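Overview
How it works
The tool sets up a one-way VPN from the local machine to the cluster. By the way VPNs work, connecting two private networks requires a shared relay node. ktconnect makes clever use of Kubernetes' native port-forward capability to simplify establishing the connection, so the apiserver indirectly acts as the relay node.
Scenarios:
Developers access the test environment from their local machines to adjust and test business applications. Developers access the production environment from their local machines to troubleshoot failures.
Two modes:
Architecture diagram
Client installation
Download the installation package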
kt-connect/docs/zh-cn/guide/downloads.md at master · alibaba/kt-connect · GitHub
Pick the client that matches your platform as prompted. I am on Windows here, so I run the command directly.
C:\Users\shuaige\Desktop\离线包\k8s>ktctl.exe --version
ktctl version 0.3.7
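Configure the environment variables for ktctl
Press Win+R
Enter sysdm.cpl
Open System Properties → Advanced → Environment Variables.
Variable
Variable name: KUBERNETES_MASTER
Variable value: https://10.10.101.35:6443
Verify the configuration
# Run the command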
echo %KUBERNETES_MASTER%
# Result
https://10.10.101.35:6443
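Variable
Variable name: KUBECONFIG
Variable value: C:\Users\<username>\.kube\config
Configure the variable
Prepare the configuration file
Copy the cluster's kubeconfig file (for example admin.conf) to C:\Users\<username>\.kube\config. This file carries the kubernetes-admin client certificate and key shown below.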
~]# cat /etc/kubernetes/admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://10.10.101.35:6443
  name: cluster.local
contexts:
- context:
    cluster: cluster.local
    user: kubernetes-admin
  name: kubernetes-admin@cluster.local
current-context: kubernetes-admin@cluster.local
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: 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
    client-key-data: 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
Start the client
Start the ktctl.exe service
C:\Users\shuaige\Desktop\离线包\k8s>ktctl.exe connect
6:35PM INF Using cluster context kubernetes-admin@cluster.local (cluster.local)
6:35PM INF KtConnect 0.3.7 start at 144 (windows amd64)
6:35PM INF Fetching cluster time ...
6:35PM INF Fetching cluster time ...
6:35PM INF Fetching cluster time ...
6:35PM INF Fetching cluster time ...
6:35PM INF Fetching cluster time ...
6:35PM INF Fetching cluster time ...
At this point a pod is started on the Kubernetes side
]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
kt-rectifier-56666 0/1 ImagePullBackOff 0 69s 10.233.109.5 test-010010101027 <none> <none>
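The image pull failed. Find the image address configured in the pod, change it to the private registry address, and check again: the pod is now Running.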
kubectl edit pod kt-rectifier-czhqm
# Around line 27
27 image: registry.cn-hangzhou.aliyuncs.com/rdc-incubator/kt-connect-shadow:v0.3.7
# Change it to the private registry address
27 image: harbor.aliyun.com/repo/kt-connect-shadow:v0.3.7
NAME READY STATUS RESTARTS AGE
pod/kt-rectifier-6666 1/1 Running 0 11m
Run the command to start the tool
# Run the command
ktctl connect -i harbor.aliyun.cn/repo/kt-connect-shadow:v0.3.7
# Result
6:54PM INF Using cluster context kubernetes-admin@cluster.local (cluster.local)
6:54PM INF KtConnect 0.3.7 start at 14048 (windows amd64)
6:54PM INF Fetching cluster time ...
6:54PM INF Using tun2socks mode
6:54PM INF Successful create config map kt-connect-shadow-froxd
6:54PM INF Deploying shadow pod kt-connect-shadow-froxd in namespace default
6:54PM INF Waiting for pod kt-connect-shadow-froxd ...
6:55PM INF Pod kt-connect-shadow-froxd is ready
6:55PM INF Port forward local:13003 -> pod kt-connect-shadow-froxd:22 established
6:55PM INF Socks proxy established
2025/06/05 18:55:04 Installing driver 0.14
2025/06/05 18:55:04 Extracting driver
2025/06/05 18:55:04 Installing driver
2025/06/05 18:55:05 Creating adapter
6:55PM INF Tun device KtConnectTunnel is ready
6:55PM INF Adding route to 10.233.0.0/16
6:55PM INF Adding route to 10.10.101.128/25
6:55PM INF Adding route to 10.10.101.64/26
6:55PM INF Adding route to 10.10.101.0/27
6:55PM INF Adding route to 10.10.101.48/28
6:55PM INF Adding route to 10.10.101.40/29
6:55PM INF Adding route to 10.10.101.36/30
6:55PM INF Adding route to 10.10.101.32/31
6:55PM INF Adding route to 10.10.101.34/32
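The route lines above show exactly which networks the workstation can reach once the tunnel is up. The following is an added example, not part of the original post or of kt-connect: it parses those log lines and reports the enclosing node subnet, the address left unrouted, and the total number of addresses exposed to the local machine. It assumes that the routes inside the API server's /16 are the node subnet and that the remaining route is the cluster's pod/service range.

```python
import ipaddress
import re
# Route lines copied from the ktctl connect output on this page.
KTCTL_LOG = """\
6:55PM INF Adding route to 10.233.0.0/16
6:55PM INF Adding route to 10.10.101.128/25
6:55PM INF Adding route to 10.10.101.64/26
6:55PM INF Adding route to 10.10.101.0/27
6:55PM INF Adding route to 10.10.101.48/28
6:55PM INF Adding route to 10.10.101.40/29
6:55PM INF Adding route to 10.10.101.36/30
6:55PM INF Adding route to 10.10.101.32/31
6:55PM INF Adding route to 10.10.101.34/32
"""
API_SERVER = ipaddress.ip_network("10.10.101.35/32")  # host in KUBERNETES_MASTER

def parse_routes(log):
    """Extract every CIDR that ktctl reports adding to the local route table."""
    return [ipaddress.ip_network(c) for c in re.findall(r"Adding route to (\S+)", log)]

def common_supernet(nets):
    """Smallest single network that contains all of `nets`."""
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net

def gaps(supernet, routes):
    """Parts of `supernet` that none of `routes` covers."""
    remaining = [supernet]
    for r in routes:
        remaining = [p for n in remaining if not n.subnet_of(r)
                     for p in (n.address_exclude(r) if r.subnet_of(n) else [n])]
    return remaining

def analyze(log, api_server=API_SERVER):
    routes = parse_routes(log)
    # Assumption: routes inside the API server's /16 are the node subnet.
    node_routes = [r for r in routes if r.subnet_of(api_server.supernet(new_prefix=16))]
    node_net = common_supernet(node_routes)
    return {
        "node_net": node_net,
        "cluster_routes": [r for r in routes if r not in node_routes],
        "unrouted": gaps(node_net, node_routes),
        "reachable": sum(r.num_addresses for r in routes),
        "matches_exclude": set(node_routes) == set(node_net.address_exclude(api_server)),
    }

if __name__ == "__main__":
    print(analyze(KTCTL_LOG))
```

The only address in 10.10.101.0/24 left out of the tunnel is 10.10.101.35, the API server that carries the port-forward itself. Everything else in the node subnet and the whole 10.233.0.0/16 range becomes reachable from the workstation.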
View the workloads currently running in the cluster
kubectl get pods -o wide
# Output
nginx-6474b87897-6666 1/1 Running 0 86m 10.233.109.4 test-010010101027-security-cm5 <none> <none>
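Verify that the connection to the cluster works
By default, without this tool connected to the cluster, resources inside the cluster cannot be reached, so joint debugging and testing between local and in-cluster applications is not possible. The address 10.233.109.4 is a virtual IP on the Kubernetes internal network.
With the tool connected, the local machine can reach the virtual IPs of the Kubernetes internal network directly, which is equivalent to being in the same network environment as the cluster.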