ngrok / kubernetes-ingress-controller

The official ngrok Ingress Controller for Kubernetes
https://ngrok.com
MIT License
183 stars, 20 forks

Can I expose the k8s control plane itself? #307

Closed russorat closed 8 months ago

russorat commented 9 months ago

Description

My main question is this: the ingress controller is great for exposing a Kubernetes service, but is there a clean/recommended way to expose the control plane itself? Ideally, I'd love to run kubectl commands outside of my home network on my home cluster, using ngrok. I would also love to deploy to my home cluster with a CI/CD tool like CircleCI. If you have some time, please let me know your thoughts. Again, thanks for the service!

Use Case

No response

Related issues

No response

jrobsonchase commented 9 months ago

I've managed to get this working with a TLS edge and the following tunnel resource definition:

apiVersion: ingress.k8s.ngrok.com/v1alpha1
kind: Tunnel
metadata:
  finalizers:
  - k8s.ngrok.com/finalizer
  name: k8s-control
  namespace: ngrok-ingress-controller
  resourceVersion: "900"
spec:
  backend:
    protocol: TCP
  forwardsTo: kubernetes.default.svc:443
  labels:
    edge: k8s-control # replace with your label as needed

The TLS edge needs to have TLS termination set to "pass through", since mutual TLS is generally how clients are authenticated:


and you need to tell kubectl to skip verification of the server certificate via either the insecure-skip-tls-verify cluster setting in the kubeconfig file, or via the --insecure-skip-tls-verify CLI option. This is because the server certificate common name won't match the ngrok domain that the client connects to.
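
Added example, not part of the thread or the project's own configuration: the kubeconfig setting described in the comment above, shown beside an alternative that keeps server certificate verification on by putting the ngrok domain into the API server certificate's SANs. It assumes a kubeadm-managed cluster; the domain `k8s-control.example.ngrok.app`, the cluster, context and user names, and every `<...>` value are placeholders.

```yaml
# kubeadm ClusterConfiguration (assumption: the cluster was built with kubeadm).
# Names listed under certSANs are added to the API server serving certificate
# when kubeadm generates it, so a client connecting through the pass-through
# TLS edge sees a certificate that is valid for the ngrok domain.
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
apiServer:
  certSANs:
  - k8s-control.example.ngrok.app        # placeholder ngrok domain
---
# kubeconfig used from outside the home network.
apiVersion: v1
kind: Config
clusters:
# Setting from the comment above: kubectl accepts whatever certificate the
# endpoint presents, so the API server is not authenticated to the client.
- name: home-skip-verify
  cluster:
    server: https://k8s-control.example.ngrok.app:443
    insecure-skip-tls-verify: true
# Alternative: pin the cluster CA and leave verification on. This only
# succeeds once the serving certificate carries the ngrok domain as a SAN.
- name: home-verified
  cluster:
    server: https://k8s-control.example.ngrok.app:443
    certificate-authority-data: <base64-cluster-ca>
users:
# Client certificate authentication (mutual TLS), which is why the edge must
# pass TLS through instead of terminating it.
- name: home-admin
  user:
    client-certificate-data: <base64-client-cert>
    client-key-data: <base64-client-key>
contexts:
- name: home-verified
  context:
    cluster: home-verified
    user: home-admin
current-context: home-verified
```

On an existing cluster the API server certificate has to be reissued before the new SAN appears in it.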

jrobsonchase commented 8 months ago

This is soon to get even easier with first-class TLS edge support. Stay tuned!

CK-Ward commented 8 months ago

TLS Edge support is complete.