SOLVED Connecting to Kubernetes cluster with Lens?

Daisuke

Contributor
Joined
Jun 23, 2011
Messages
1,041
I would like to connect to Kubernetes running on Scale, with Lens. Output from my Mac, uranus.lan is the Scale server:
Code:
$ host uranus
uranus.lan has address 192.168.1.8

$ kubectl version -o json
{
  "clientVersion": {
    "major": "1",
    "minor": "25",
    "gitVersion": "v1.25.3",
    "gitCommit": "434bfd82814af038ad94d62ebe59b133fcb50506",
    "gitTreeState": "clean",
    "buildDate": "2022-10-12T10:47:25Z",
    "goVersion": "go1.19.2",
    "compiler": "gc",
    "platform": "darwin/amd64"
  },
  "kustomizeVersion": "v4.5.7"
}
The connection to the server localhost:8080 was refused - did you specify the right host or port?


k8 ports on Scale:
Code:
# netstat -tulpn | egrep 'kube|k3s'
tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      16127/k3s server
tcp        0      0 127.0.0.1:6444          0.0.0.0:*               LISTEN      16127/k3s server
tcp        0      0 127.0.0.1:10257         0.0.0.0:*               LISTEN      16127/k3s server
tcp        0      0 192.168.1.8:179         0.0.0.0:*               LISTEN      18655/kube-router
tcp        0      0 127.0.0.1:10259         0.0.0.0:*               LISTEN      16127/k3s server
tcp        0      0 127.0.0.1:43797         0.0.0.0:*               LISTEN      16127/k3s server
tcp        0      0 127.0.0.1:50051         0.0.0.0:*               LISTEN      18655/kube-router
tcp        0      0 192.168.1.8:50051       0.0.0.0:*               LISTEN      18655/kube-router
tcp6       0      0 :::10250                :::*                    LISTEN      16127/k3s server
tcp6       0      0 :::6443                 :::*                    LISTEN      16127/k3s server
tcp6       0      0 ::1:179                 :::*                    LISTEN      18655/kube-router
tcp6       0      0 :::20244                :::*                    LISTEN      18655/kube-router

How do I generate the .kube/config file on my Mac? This way I don't have to port forward anything.
I see port 179 and 50051, I presume one of these ports should be used for forwarding?
 

blacktide

Cadet
Joined
Dec 8, 2022
Messages
1
There are two iptables rules you have to remove first. Run the following:
Code:
iptables -L INPUT --line-numbers

You should see an output like the following:
Code:
Chain INPUT (policy ACCEPT)
num  target               prot opt source       destination 
1    KUBE-ROUTER-INPUT    all  --  anywhere     anywhere     /* kube-router netpol - 4IA2OSFRMVNDXBVV */
2    KUBE-ROUTER-SERVICES all  --  anywhere     anywhere     /* handle traffic to IPVS service IPs in custom chain */ match-set kube-router-service-ips dst
3    KUBE-FIREWALL        all  --  anywhere     anywhere    
4    ACCEPT               tcp  --  192.168.1.4  anywhere     tcp dpt:6443 /* iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections */
5    ACCEPT               tcp  --  localhost    anywhere     tcp dpt:6443 /* iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections */
6    DROP                 tcp  --  anywhere     anywhere     tcp dpt:6443 /* iX Custom Rule to drop connection requests to k8s cluster from external sources */
7    ACCEPT               tcp  --  192.168.1.4  anywhere     tcp dpt:6443 /* iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections */
8    ACCEPT               tcp  --  localhost    anywhere     tcp dpt:6443 /* iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections */
9    DROP                 tcp  --  anywhere     anywhere     tcp dpt:6443 /* iX Custom Rule to drop connection requests to k8s cluster from external sources */

You need to delete the two DROP rules (6 and 9). You can do that by running the following:
Code:
iptables -D INPUT 9
iptables -D INPUT 6

Afterwards copy the /etc/rancher/k3s/k3s.yaml file to your computer at the path ~/.kube/config. Then update that file, changing the server IP address (127.0.0.1:6443) to the external IP address of your TrueNAS host. Then you should be able to use kubectl and Lens from your local computer.
 

Daisuke

Contributor
Joined
Jun 23, 2011
Messages
1,041
Amazing info @blacktide, I'm going to try convincing iX this should make it into some sort of setting for advanced users. I updated NAS-119273.

I could actually modify the table to accept connections from a specific subnet, instead of just 192.168.1.8:
Code:
# iptables -L INPUT -n --line-numbers
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    KUBE-ROUTER-INPUT  all  --  0.0.0.0/0            0.0.0.0/0            /* kube-router netpol - 4IA2OSFRMVNDXBVV */
2    KUBE-ROUTER-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            /* handle traffic to IPVS service IPs in custom chain */ match-set kube-router-service-ips dst
3    KUBE-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  192.168.1.8          0.0.0.0/0            tcp dpt:6443 /* iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections */
5    ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:6443 /* iX Custom Rule to allow access to k8s cluster from internal TrueNAS connections */
6    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6443 /* iX Custom Rule to drop connection requests to k8s cluster from external sources */

# iptables -R INPUT 4 -s 192.168.0.0/16 -j ACCEPT

So much easier to troubleshoot issues now.

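An added example, not code posted by anyone in this thread, covering both the rule deletion and kubeconfig steps from blacktide's reply and the subnet change above. Given a captured `iptables -L INPUT --line-numbers` listing it works out which rule numbers the iX DROP rules for the API port occupy and emits the delete commands highest-number-first (deleting rule 6 before rule 9 would renumber 9 to 8, which is why the order 9, 6 matters), rewrites a copied k3s.yaml so the server URL points at the NAS, and checks that a replacement ACCEPT rule still carries `-p tcp --dport 6443` and a concrete source. The `iptables -R INPUT 4 -s 192.168.0.0/16 -j ACCEPT` form shown above has no port match, so it would admit every port from that subnet; the check below flags it. The chain listing and the k3s.yaml stand-in are constructed from the thread, and the rule comment text is this example's own. It does not invoke iptables; it prints the commands for review.

```shell
#!/bin/sh
# Added example, not code posted in this thread. It does not call iptables
# itself; it reads a captured listing and prints the commands an admin would
# then review and run on the TrueNAS host.

# Constructed from the INPUT chain listing quoted in the thread (comments shortened).
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target               prot opt source       destination
1    KUBE-ROUTER-INPUT    all  --  anywhere     anywhere     /* kube-router netpol */
2    KUBE-ROUTER-SERVICES all  --  anywhere     anywhere     /* IPVS service IPs */ match-set kube-router-service-ips dst
3    KUBE-FIREWALL        all  --  anywhere     anywhere
4    ACCEPT               tcp  --  192.168.1.4  anywhere     tcp dpt:6443 /* iX Custom Rule: allow internal */
5    ACCEPT               tcp  --  localhost    anywhere     tcp dpt:6443 /* iX Custom Rule: allow internal */
6    DROP                 tcp  --  anywhere     anywhere     tcp dpt:6443 /* iX Custom Rule: drop external */
7    ACCEPT               tcp  --  192.168.1.4  anywhere     tcp dpt:6443 /* iX Custom Rule: allow internal */
8    ACCEPT               tcp  --  localhost    anywhere     tcp dpt:6443 /* iX Custom Rule: allow internal */
9    DROP                 tcp  --  anywhere     anywhere     tcp dpt:6443 /* iX Custom Rule: drop external */'

# Constructed stand-in for /etc/rancher/k3s/k3s.yaml (credential fields redacted).
SAMPLE_K3S_YAML='apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://127.0.0.1:6443
  name: default
users:
- name: default
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED'

# Rule numbers of the DROP rules for the API port, highest first, so that
# deleting one does not renumber the next one still to be deleted.
drop_rule_numbers() {
  awk '$2 == "DROP" && /tcp dpt:6443/ { print $1 }' | sort -rn | xargs
}

# One "iptables -D INPUT N" per DROP rule, in the order they must be run.
delete_commands() {
  for n in $(drop_rule_numbers); do
    printf 'iptables -D INPUT %s\n' "$n"
  done
}

# Replacement for an existing ACCEPT rule that widens the source to a subnet
# while keeping the protocol and port match of the rule it replaces.
# $1 = rule number, $2 = source CIDR. The comment string is this example's own.
scoped_accept_rule() {
  printf 'iptables -R INPUT %s -p tcp -s %s --dport 6443 -m comment --comment "k8s API from admin subnet" -j ACCEPT\n' "$1" "$2"
}

# Succeeds only if a proposed rule still restricts protocol, port and source.
# A bare "-s CIDR -j ACCEPT" has no port match and admits all traffic from CIDR.
rule_keeps_api_scope() {
  printf '%s\n' "$1" | grep -q -- '-p tcp'          || return 1
  printf '%s\n' "$1" | grep -q -- '--dport 6443'    || return 1
  printf '%s\n' "$1" | grep -q -- '-s [0-9]'        || return 1
  printf '%s\n' "$1" | grep -q -- '-s 0\.0\.0\.0/0' && return 1
  return 0
}

# Rewrite a k3s.yaml read on stdin so the server URL points at the NAS.
# $1 = reachable address of the TrueNAS host.
remote_kubeconfig() {
  sed "s#server: https://127\.0\.0\.1:6443#server: https://$1:6443#"
}

# Stand-alone run: show what would be executed and what gets rejected.
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | delete_commands
scoped_accept_rule 4 192.168.0.0/16
if rule_keeps_api_scope 'iptables -R INPUT 4 -s 192.168.0.0/16 -j ACCEPT'; then
  echo 'scoped'
else
  echo 'REJECTED: replacement drops the port match'
fi
printf '%s\n' "$SAMPLE_K3S_YAML" | remote_kubeconfig 192.168.1.8
```

On a real host you would feed `iptables -L INPUT --line-numbers` into `delete_commands` and pipe the copied k3s.yaml through `remote_kubeconfig` into `~/.kube/config`. That file carries the cluster's client certificate and key, so keep it readable only by your user (`chmod 600 ~/.kube/config`).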

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I note that TrueCharts has provided an app for Portainer which connects to the K8s cluster now and doesn't require the changes to security, so maybe that would be a simpler option.
 