This feature is available in Enterprise Edition only. It might significantly change in the future. Currently, it's not intended to be used without special assistance from Flant.

The openvpn module allows peers to authenticate each other using certificates and provides a simple web interface.

Using the web interface, you can:

  • issue certificates;
  • revoke certificates;
  • cancel certificate revocation;
  • get a ready-to-use custom configuration file.

The web interface is integrated with the user-authn module, allowing you to manage user access to this web interface.

Exposing the VPN service

Generally, one or more external IP addresses are used for a connection. The following connection methods are supported:

  • External IP-based (ExternalIP) — when there are nodes with public IPs.
  • LoadBalancer-based (LoadBalancer) — AWS, Google cloud and other LBs are supported.
  • Direct — for non-standard cases; this method allows you to manually configure the way traffic is routed from the cluster entry to the OpenVPN pod.

Available cluster resources after connecting to the VPN

The following parameters are pushed to the user’s computer after connecting to the VPN:

  • the kube-dns address is added to the client’s DNS servers to allow direct access to Kubernetes services via FQDN;
  • a route to the local network;
  • a route to the cluster service network;
  • a route to the pod network.