Currently, when Rancher provisions a Kubernetes cluster on vSphere, it has to initiate API calls to the vSphere endpoint. In a hybrid cloud environment this often means that the Rancher server is not in the same network as the vSphere endpoint, so a firewall rule allowing inbound access must be added before Rancher can reach the vSphere system. This naturally poses a security concern and creates an administrative burden for our users, who have to go through a security review to get this approved.
If, instead of requiring direct API access, an agent existed inside the network where the vSphere API lives, this agent could broker the communication between the Rancher server and the downstream API. The agent would simply initiate an outbound API connection to the Rancher server (much like any node agent or cluster agent does currently) and simultaneously proxy any API calls that Rancher needs to make to vSphere. This would also have the benefit that the connection could be run through an HTTP proxy, which many security teams will appreciate as a less risky connectivity model.
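The connectivity model described above, as an added sketch that is not Rancher's code: the agent dials out, the broker sends API calls back down that same connection, and the agent replays them against a single pinned endpoint. The JSON-lines framing, the function names, the stub API and the sample paths are all assumptions made for this example.

```python
import http.client
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def run_agent(broker_addr, api_host, api_port):
    """Agent: dial OUT to the broker, then replay its calls against one pinned API."""
    with socket.create_connection(broker_addr) as conn, conn.makefile("rwb") as chan:
        for line in chan:  # one JSON call per line, strictly request then reply
            call = json.loads(line)  # only method and path are taken from the broker
            api = http.client.HTTPConnection(api_host, api_port, timeout=5)
            api.request(call["method"], call["path"])
            resp = api.getresponse()
            reply = {"status": resp.status, "body": resp.read().decode()}
            api.close()
            chan.write(json.dumps(reply).encode() + b"\n")
            chan.flush()

def broker_call(chan, method, path):
    """Broker: send one API call down the connection the agent opened."""
    chan.write(json.dumps({"method": method, "path": path}).encode() + b"\n")
    chan.flush()
    return json.loads(chan.readline())

class StubAPI(BaseHTTPRequestHandler):
    """Constructed stand-in for the private-network API (not a vSphere emulation)."""
    def do_GET(self):
        body = f"stub saw GET {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def demo(paths):
    api = HTTPServer(("127.0.0.1", 0), StubAPI)
    threading.Thread(target=api.serve_forever, daemon=True).start()
    with socket.create_server(("127.0.0.1", 0)) as listener:  # broker's only listener
        agent_args = (listener.getsockname(), "127.0.0.1", api.server_port)
        threading.Thread(target=run_agent, args=agent_args, daemon=True).start()
        conn, _ = listener.accept()  # inbound at the broker, outbound for the agent
        with conn, conn.makefile("rwb") as chan:
            replies = [broker_call(chan, "GET", p) for p in paths]
    api.shutdown()
    return replies

if __name__ == "__main__":
    print(demo(["/sdk", "/healthz"]))  # constructed sample paths
```

Because the agent accepts only a method and a path, the broker cannot steer it to any other host in the private network; the firewall needs an outbound rule for the agent and no inbound rule at all.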
This project is part of:
Hack Week 20