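Overview
How it works
The tool sets up a one-way VPN from the local machine to the cluster. By the way VPNs work, connecting two private networks necessarily requires a public relay node. ktconnect makes clever use of the native port-forward capability of k8s to simplify connection setup, and the apiserver indirectly acts as the relay node.
Scenarios:
Developers access the test environment from their local machine to adjust and test business applications. Developers access the production environment from their local machine to troubleshoot failures.
Two modes:
(Architecture diagram)
Client installation
Download the installation package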
kt-connect/docs/zh-cn/guide/downloads.md at master · alibaba/kt-connect · GitHub
Pick the client that matches your platform as prompted. I am on Windows here, so I run the command directly:
C:\Users\shuaige\Desktop\離線包\k8s>ktctl.exe --version
ktctl version 0.3.7
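Configure the environment variables for ktctl
Press Win+R
Enter sysdm.cpl
Open System Properties → Advanced → Environment Variables.
Variable
Variable name: KUBERNETES_MASTER
Variable value: https://10.10.101.35:6443
Verify the configuration
# Run the command
echo %KUBERNETES_MASTER%
# Output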
https://10.10.101.35:6443
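Variable
Variable name: KUBECONFIG
Variable value: C:\Users\<username>\.kube\config
Configure the variable
Prepare the configuration file
Copy the cluster's kubeconfig file (for example admin.conf) to C:\Users\<username>\.kube\config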
~]# cat /etc/kubernetes/admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 data omitted>
    server: https://10.10.101.35:6443
  name: cluster.local
contexts:
- context:
    cluster: cluster.local
    user: kubernetes-admin
  name: kubernetes-admin@cluster.local
current-context: kubernetes-admin@cluster.local
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: <base64 data omitted>
    client-key-data: <base64 data omitted>
Start the client
Start the ktctl.exe service
C:\Users\shuaige\Desktop\離線包\k8s>ktctl.exe connect
6:35PM INF Using cluster context kubernetes-admin@cluster.local (cluster.local)
6:35PM INF KtConnect 0.3.7 start at 144 (windows amd64)
6:35PM INF Fetching cluster time ...
6:35PM INF Fetching cluster time ...
6:35PM INF Fetching cluster time ...
6:35PM INF Fetching cluster time ...
6:35PM INF Fetching cluster time ...
6:35PM INF Fetching cluster time ...
At this point a pod is started on the k8s cluster side
]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
kt-rectifier-56666 0/1 ImagePullBackOff 0 69s 10.233.109.5 test-010010101027 <none> <none>
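The image pull failed. Find the image address configured in the pod and change it to the private registry address; after that the pod shows as Running.
kubectl edit pod kt-rectifier-czhqm
# Around line 27
27 image: registry.cn-hangzhou.aliyuncs.com/rdc-incubator/kt-connect-shadow:v0.3.7
# Change it to the private registry address
27 image: harbor.aliyun.com/repo/kt-connect-shadow:v0.3.7
NAME READY STATUS RESTARTS AGE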
pod/kt-rectifier-6666 1/1 Running 0 11m
Run the command to start the tool
# Run the command
ktctl connect -i harbor.aliyun.cn/repo/kt-connect-shadow:v0.3.7
# Output
6:54PM INF Using cluster context kubernetes-admin@cluster.local (cluster.local)
6:54PM INF KtConnect 0.3.7 start at 14048 (windows amd64)
6:54PM INF Fetching cluster time ...
6:54PM INF Using tun2socks mode
6:54PM INF Successful create config map kt-connect-shadow-froxd
6:54PM INF Deploying shadow pod kt-connect-shadow-froxd in namespace default
6:54PM INF Waiting for pod kt-connect-shadow-froxd ...
6:55PM INF Pod kt-connect-shadow-froxd is ready
6:55PM INF Port forward local:13003 -> pod kt-connect-shadow-froxd:22 established
6:55PM INF Socks proxy established
2025/06/05 18:55:04 Installing driver 0.14
2025/06/05 18:55:04 Extracting driver
2025/06/05 18:55:04 Installing driver
2025/06/05 18:55:05 Creating adapter
6:55PM INF Tun device KtConnectTunnel is ready
6:55PM INF Adding route to 10.233.0.0/16
6:55PM INF Adding route to 10.10.101.128/25
6:55PM INF Adding route to 10.10.101.64/26
6:55PM INF Adding route to 10.10.101.0/27
6:55PM INF Adding route to 10.10.101.48/28
6:55PM INF Adding route to 10.10.101.40/29
6:55PM INF Adding route to 10.10.101.36/30
6:55PM INF Adding route to 10.10.101.32/31
6:55PM INF Adding route to 10.10.101.34/32
List the workloads currently running in the cluster
kubectl get pods -o wide
# Output
nginx-6474b87897-6666 1/1 Running 0 86m 10.233.109.4 test-010010101027-security-cm5 <none> <none>
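Verify that the connection to the cluster works
By default, without this tool, resources inside the cluster cannot be reached, so local programs cannot be integration-tested against services running in the cluster. The address 10.233.109.4 is a virtual IP on the k8s internal network.
With the tool connected, the local machine can reach k8s internal virtual IPs directly, which is equivalent to being in the same network environment as the cluster.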
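The routes in the ktctl connect output above cover 10.233.0.0/16 plus all of 10.10.101.0/24 except a single address. This added example (not from the original post or from the kt-connect project; the function names are its own) parses those log lines and shows that the address left off the tunnel is 10.10.101.35, the API server from KUBERNETES_MASTER, which is consistent with the apiserver being the relay the tunnel itself runs over.

```python
import ipaddress
import re

# Sample input: the tunnel lines copied from the ktctl connect output on this page.
KTCTL_LOG = """\
6:55PM INF Tun device KtConnectTunnel is ready
6:55PM INF Adding route to 10.233.0.0/16
6:55PM INF Adding route to 10.10.101.128/25
6:55PM INF Adding route to 10.10.101.64/26
6:55PM INF Adding route to 10.10.101.0/27
6:55PM INF Adding route to 10.10.101.48/28
6:55PM INF Adding route to 10.10.101.40/29
6:55PM INF Adding route to 10.10.101.36/30
6:55PM INF Adding route to 10.10.101.32/31
6:55PM INF Adding route to 10.10.101.34/32
"""
API_SERVER = "10.10.101.35"  # host part of KUBERNETES_MASTER as set on this page


def tunnel_routes(log):
    """Parse the networks ktctl reported adding to the tun device."""
    cidrs = re.findall(r"Adding route to (\d+(?:\.\d+){3}/\d+)", log)
    return [ipaddress.ip_network(c) for c in cidrs]


def via_tunnel(ip, routes):
    """True if a packet to ip matches one of the tunnel routes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in routes)


def holes(routes, prefixlen=24):
    """Addresses in each partly routed /prefixlen block that no route covers."""
    parents = {n.supernet(new_prefix=prefixlen)
               for n in routes if n.prefixlen > prefixlen}
    return [str(a) for p in sorted(parents) for a in p
            if not any(a in n for n in routes)]


if __name__ == "__main__":
    routes = tunnel_routes(KTCTL_LOG)
    print("routes added:", len(routes))
    print("left off the tunnel:", holes(routes))
    for ip in ("10.233.109.4", "10.10.101.34", API_SERVER):
        print(ip, "-> tunnel" if via_tunnel(ip, routes) else "-> normal routing")
```

Running the same check against a saved ktctl log shows exactly which cluster and node ranges a workstation can reach while the tunnel is up.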