kubernetes-sigs / kind

Kubernetes IN Docker - local clusters for testing Kubernetes
https://kind.sigs.k8s.io/
Apache License 2.0

KinD, Docker Desktop and VPN #3198

Closed jack1902 closed 1 year ago

jack1902 commented 1 year ago

What happened:

I have successfully created a kind cluster using the simple commands of kind create cluster, which I can happily deploy pods to and happily get to the internet from within a container running within the kind node. My issue is that I am hoping to access private IPs which are added to my host's route tables (macOS) by a Mesh Network VPN Client (Fortinet ZTNA / Fortinet VPN).

I can successfully get to the service exposed by the VPN Client on the following:

What you expected to happen:

I was hoping that I could simply do the following:

Considering I can hit the service exposed by the VPN within a container running within the Linux VM which backs docker-desktop, and even from the container which acts as the kind-control-plane, I assumed a container running inside of the kind-control-plane might have been able to reach the same service.

I might very well be missing something additional to configure to enable the private IP to be accessible from within the container running inside of kind, inside of docker-desktop (I appreciate this is a complex networking setup and not the usual path of running kind).

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:

jack1902 commented 1 year ago

To add, I checked some routes from the container running within the kind container and can now see the IP which maps to the service exposed by the VPN.

Even though the default route is present no matter what, it seemed odd that only the container running inside kind had issues.

The issue has been addressed at the moment, but I will monitor it closely to see if it comes back after restarts etc.

aojea commented 1 year ago

This is more a networking problem than a kind problem.

BenTheElder commented 1 year ago

KIND pod containers have "masqueraded" traffic that should appear as the "node" container IP, and exit the node container the same as any other traffic. 🤔

To clarify: this VPN runs entirely on the host mac, nothing special in the docker desktop VM?

Can you try a pod with hostNetwork: true instead of on the kind node container directly?

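A constructed diagnostic for comparing the three vantage points this reply names (the kind node container, a hostNetwork pod, and an ordinary pod); it is added here and is not part of the thread or of the kind project. It assumes a cluster named kind (node container kind-control-plane), the nicolaka/netshoot image for a pod that has both ip and curl, and takes the private IP and a URL served on it as arguments.

```shell
#!/usr/bin/env sh
# Constructed diagnostic: compare "ip route get" and an HTTP probe from the
# kind node container, a hostNetwork pod, and an ordinary pod.
# Assumptions: cluster "kind", image nicolaka/netshoot, args: <private-ip> <url>.

# Emit a minimal debug pod manifest; $2 selects hostNetwork true/false.
debug_pod_manifest() {
  name=$1; hostnet=$2
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $name
spec:
  hostNetwork: $hostnet
  restartPolicy: Never
  containers:
  - name: probe
    image: nicolaka/netshoot
    command: ["sleep", "3600"]
EOF
}

# Reduce one line of "ip route get" output to gateway and interface, e.g.
# "10.20.30.40 via 172.18.0.1 dev eth0 src 172.18.0.2" -> "via=172.18.0.1 dev=eth0".
# A directly connected route has no "via", so the gateway is reported as "-".
route_summary() {
  printf '%s\n' "$1" | awk '{
    via="-"; dev="-";
    for (i = 1; i <= NF; i++) { if ($i == "via") via = $(i+1); if ($i == "dev") dev = $(i+1) }
    printf "via=%s dev=%s\n", via, dev }'
}

# Show the chosen route and the HTTP status from each vantage point.
probe_all() {
  ip=$1; url=$2
  echo "node container:"
  route_summary "$(docker exec kind-control-plane ip route get "$ip" | head -n1)"
  docker exec kind-control-plane curl -sS -m 5 -o /dev/null -w '  http %{http_code}\n' "$url"
  for p in probe-hostnet probe-podnet; do
    echo "$p:"
    route_summary "$(kubectl exec "$p" -- ip route get "$ip" | head -n1)"
    kubectl exec "$p" -- curl -sS -m 5 -o /dev/null -w '  http %{http_code}\n' "$url"
  done
}

if [ $# -ge 2 ]; then
  debug_pod_manifest probe-hostnet true | kubectl apply -f -
  debug_pod_manifest probe-podnet false | kubectl apply -f -
  kubectl wait --for=condition=Ready pod/probe-hostnet pod/probe-podnet --timeout=60s
  probe_all "$1" "$2"
fi
```

If the node container and the hostNetwork pod reach the service but the ordinary pod does not, the difference lies in pod egress (masquerade or routing); if all three reach it, the problem is in the application as this thread concluded.
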
jack1902 commented 1 year ago

Will try this now, since after restarting the issue has reappeared.

Annoyingly, I can see a "route" with ip route get <IP>. It might be down to the application itself, as curl, for example, from a container within a pod can get to the <IP>.

Will add hostNetwork: true to the pod and see if that changes things (hostNetwork would in this instance mean the kind-container within docker-desktop right?)

jack1902 commented 1 year ago

Going to close this, as it is an issue within the application itself, not the networking or anything to do with Kind.

Seeing as curl consistently works within the running container, I'm going to close this issue.