Double Checking How Kubernetes Works

[Noah-Huppert]

In the wiki there are instructions for using network_stack to link a container to the VPN container. I was wondering if there is anything similar that needs to happen for Kubernetes when running Glueten as a sidecar container in a pod.

I want to be sure before I start running traffic on my Kubernetes server, so I don't accidentally leak any data out through a non VPN route.

My understanding is that containers in the same pod share the same networking namespace. Which is essentially what the network_mode: "service:gluten" option does? So Gluten should just work as a Kubernetes pod sidecar container?

Additional thought: Has anyone tried using Kubernetes Network Policies on a pod to ensure that traffic only goes through the VPN?

[renannprado]

I'm also interested. Have you find the answer @Noah-Huppert? I hanve't done that yet, but my plan is to apply policies with Calico.

[Noah-Huppert]

@renannprado Oh shoot sorry for not updating this thread with my solution. Basically what I learned is that within a Kubernetes pod all stuff related networking is shared between containers (at least using Digital Ocean managed k8s which I believe uses Cilium). This means if you run Glutun as one of the containers in your pod, other containers will only be able to send traffic via the VPN.

I used Kubernetes network policies just as an extra safety net in case the VPN shut down.

Here is a link to the Kustomize stack I made which runs qBittorrent and Glutun. This is specifically how I ran Glutun and here is where I setup a network policy only allowing VPN traffic. I obtained the IPs in the network policy using these steps.

[renannprado]

Wow. That's some good stuff. I'll have a look, thanks!

[enzanto]

Hi! i just stumbled over this docker image, and had to dive straight in to learning how to apply it in my cluster properly. From kubernetes v1.28 it should be used as a native sidecar. As long as the sidecar is active it blocks the traffic from the main container (even before it connects to vpn). I did a short write up here. I am planning to also make a pull request in to the wiki here with the same info.