kuttle: kubectl wrapper for sshuttle without SSH
Kuttle allows you to easily get an access into your Kubernetes network environment. SSH access is not required, since kubectl
is used instead of ssh
.
In comparison with Telepresence, kuttle
only proxies Kubernetes network onto your local laptop.
Installation
Install sshuttle
following official documentation or use your distro's package manager:
- MacOS:
brew install sshuttle
- Debian/Ubuntu:
apt-get install sshuttle
- Fedora/RedHat/CentOS:
yum install sshuttle
Download kuttle:
wget https://github.com/kayrus/kuttle/raw/master/kuttle
chmod +x kuttle
Additionally you can place kuttle
into $PATH
How does it work?
Under the hood sshuttle
spawns a remote python oneliner that evaluates a server code, received via stdin
, which proxies the traffic. To get a connection to the remote server sshuttle
usually uses ssh
. kuttle
allows sshuttle
to use kubectl
without any ssh
dependencies.
Regular sshuttle process tree
$ pstree -pal `pidof -x sshuttle`
sshuttle,1489 /usr/bin/sshuttle -r remote.example.com 10.254.0.0/16
โโssh,1492 remote.example.com -- exec /bin/sh -c 'P=python3.5; $P -V 2>/dev/null || P=python; exec "$P" -c '"'"'import sys, os; verbosity=0; sys.stdin = os.fdopen(0, "rb"); exec(compile(sys.stdin.read(978), "assembler.py", "exec"))'"'"''
โโsudo,1490 -p [local sudo] Password: PYTHONPATH=/usr/lib/python3/dist-packages -- /usr/bin/python3 /usr/bin/sshuttle --method auto --firewall
โโpython3,1491 /usr/bin/sshuttle --method auto --firewall
sshuttle + kuttle process tree
$ pstree -pal `pidof -x sshuttle`
sshuttle,1538 /usr/bin/sshuttle -r kuttle -e kuttle 10.254.0.0/16
โโkubectl,1541 exec -i kuttle -- /bin/sh -c exec /bin/sh -c 'P=python3.5; $P -V 2>/dev/null || P=python; exec "$P" -c '"'"'import sys, os; verbosity=0; sys.stdin = os.fdopen(0, "rb"); exec(compile(sys.stdin.read(978), "assembler.py", "exec"))'"'"''
โ โโ{kubectl},1544
โ โโ{kubectl},1547
โ โโ{kubectl},1551
โ โโ{kubectl},1552
โ โโ{kubectl},1553
โ โโ{kubectl},1556
โ โโ{kubectl},1557
โ โโ{kubectl},1558
โโsudo,1539 -p [local sudo] Password: PYTHONPATH=/usr/lib/python3/dist-packages -- /usr/bin/python3 /usr/bin/sshuttle --method auto --firewall
โโpython3,1540 /usr/bin/sshuttle --method auto --firewall
Target Kubernetes pod requirements
Since sshuttle
uses python interpreter, python should be installed inside target pod's container.
Prior to version 0.78.2, sshuttle used netstat
to list routes. If your sshuttle
version is older than 0.78.2, you have to ensure that netstat
CLI is also installed inside pod's container.
Simple alpine container with a minimal python is enough for kuttle
. You can use the kubectl
command below in order to spawn ready-to-use pod as a VPN server:
kubectl run kuttle --image=alpine:latest --restart=Never -- sh -c 'apk add python3 --update && exec tail -f /dev/null'
sshuttle -r kuttle -e kuttle 0.0.0.0/0
Examples
Route local requests to the 10.254.0.0/16
subnet via pod-with-python
pod in your Kubernetes cluster:
sshuttle -r '--context my-context --namespace default pod-with-python' -e /path/to/kuttle 10.254.0.0/16
Use your Kubernetes pod as a VPN server with DNS requests being resolved by pod:
sshuttle --dns -r '--context my-context --namespace default pod-with-python' -e /path/to/kuttle 0.0.0.0/0
If you already have set kubectl
defaults and placed kuttle
in $PATH
, just specify the pod name:
sshuttle --dns -r pod-with-python -e kuttle 0.0.0.0/0
Credits
Thanks to sshuttle authors and @databus23 for getting me inspired.