# Kubernetes egress traffic with a static IP on DigitalOcean using a SOCKS5 proxy

How to use a SOCKS5 proxy for Kubernetes egress on DigitalOcean.
## What is SOCKS

https://en.wikipedia.org/wiki/SOCKS

SOCKS is an Internet protocol that exchanges network packets between a client and a server through a proxy server. SOCKS operates at Layer 5 (the session layer) of the OSI model.
## VPC NAT gateway (not supported)

DigitalOcean does not provide a NAT gateway for VPCs, so there is no managed way to give cluster egress a single static IP.
## Options

### DigitalOcean static-routes operator

- TODO: diagram, pros/cons

One way to route all egress traffic is to use the DigitalOcean static-routes operator, which updates the iptables rules on the Kubernetes nodes.

- Configure Droplet as gateway
- How to route web traffic securely without a VPN using a Socks tunnel
- Setting up DOKS Egress gateway with Crossplane and Static Routes Operator
### HTTP(S) proxy

- TODO: diagram, pros/cons

If you only need to proxy HTTP/HTTPS traffic, you can use a reverse proxy instead.

### SOCKS proxy

- TODO: diagram, pros/cons
## Installation

- https://ma.ttias.be/socks-proxy-linux-ssh-bypass-content-filters/
### Proxy VM

#### Create a VM

#### Configure firewall

- https://docs.digitalocean.com/products/networking/firewalls/how-to/configure-rules/

#### Outbound traffic over reserved IP

- TODO: https://docs.digitalocean.com/products/networking/reserved-ips/how-to/outbound-traffic/
```bash
# Look up the anchor gateway of the Droplet's public interface via the metadata service
curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/gateway
# Replace the default route so outbound traffic leaves through the reserved IP's anchor gateway
sudo sh -c "ip route del 0/0; ip route add default via <anchor-gateway-IP-address> dev eth0"
```
#### User and access

Generate a dedicated key pair for the tunnel, create an unprivileged `socks` user on the proxy VM, and install the public key for that user:

```bash
# On your workstation: key pair used only for the SOCKS tunnel
ssh-keygen -t rsa -b 4096 -C "socks@example.com" -f socks_id_rsa
# On the proxy VM: unprivileged user with no sudo rights
sudo adduser socks
sudo deluser socks sudo
# Install the public key (contents of socks_id_rsa.pub) for that user
sudo mkdir -p /home/socks/.ssh
sudo touch /home/socks/.ssh/authorized_keys
cat socks_id_rsa.pub
sudo nano /home/socks/.ssh/authorized_keys   # paste the public key, then save
# sshd ignores keys in files with loose ownership or modes: fix both
sudo chown -R socks:socks /home/socks/.ssh
sudo chmod 700 /home/socks/.ssh
sudo chmod 600 /home/socks/.ssh/authorized_keys
```
#### SOCKS tunnel

Create a SOCKS tunnel with ssh:

```bash
# -D 1080: local SOCKS listener on port 1080, -C: compression, -N: no remote command
ssh -D 1080 -C -N -v root@161.35.145.145
# Same tunnel as the unprivileged user over the VPC address;
# -o StrictHostKeyChecking=no automatically accepts an unknown host key
ssh -D 1080 -C -N -v -o StrictHostKeyChecking=no socks@10.133.55.68
```

Test if the tunnel works =)

```bash
# Both requests should return the proxy VM's reserved IP (--socks5 defaults to port 1080)
curl --socks5 localhost https://api.ipify.org/
ALL_PROXY=socks5://localhost curl https://api.ipify.org/
```

```bash
# Start a throwaway pod from the socks-proxy image (pulled with the named registry secret)
kubectl run --rm -it --overrides='{ "spec": { "imagePullSecrets": [{"name": "hosst-registry-credentials"}] } }' --image registry.gitlab.com/hosstio/docker-images/socks-proxy/main test
```
## Usage

### Local

```bash
# Open the tunnel (this blocks; run it in a separate terminal or append &)
ssh -D 1080 -C -N -v socks@161.35.145.145
# export, otherwise curl does not see the variable
export ALL_PROXY=socks5://localhost
curl https://api.ipify.org
```
### Kubernetes sidecar container

Environment variables for the application container:

```
ALL_PROXY=socks5://localhost
NO_PROXY=ondigitalocean.com
```

Store the key pair in a Secret and mount it read-only into the sidecar:

```bash
kubectl create secret generic socks-ssh --from-file=id_rsa=socks_id_rsa --from-file=id_rsa.pub=socks_id_rsa.pub
```

```yaml
volumes:
  - name: socks-ssh
    secret:
      secretName: socks-ssh
      defaultMode: 256 # file mode 0400 (256 in decimal)
volumeMounts:
  - name: socks-ssh
    readOnly: true
    mountPath: "/root/.ssh"
```
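A complete Pod manifest that puts the sidecar pieces together, as an added example that is not part of the original page: the sidecar opens the ssh tunnel with the key from the `socks-ssh` Secret, the app container sends its traffic through it via `ALL_PROXY`, and host key verification stays on by mounting the proxy VM's host key from a ConfigMap (`socks-known-hosts`). The images and tags, the ConfigMap, and the use of `socks5h://` instead of the page's `socks5://` are assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: socks-egress-demo
spec:
  volumes:
    - name: socks-ssh            # the Secret created above (id_rsa, id_rsa.pub)
      secret:
        secretName: socks-ssh
        defaultMode: 256         # 0400: ssh refuses private keys readable by others
    - name: socks-known-hosts    # assumed ConfigMap holding the proxy VM's host key
      configMap:
        name: socks-known-hosts
  containers:
    # Sidecar: keeps the tunnel up. -D 1080 listens on the pod's loopback, which
    # every container in the pod shares, so the app reaches it as localhost:1080.
    - name: socks-tunnel
      image: alpine:3.19           # tag is an assumption
      command: ["sh", "-c"]
      args:
        - |
          apk add --no-cache openssh-client &&
          exec ssh -D 1080 -C -N \
            -i /root/.ssh/id_rsa \
            -o UserKnownHostsFile=/etc/socks/known_hosts \
            -o StrictHostKeyChecking=yes \
            -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=30 \
            socks@10.133.55.68
      volumeMounts:
        - { name: socks-ssh, mountPath: /root/.ssh, readOnly: true }
        - { name: socks-known-hosts, mountPath: /etc/socks, readOnly: true }
      securityContext:
        capabilities: { drop: ["ALL"] }
    # App container: curl honours ALL_PROXY/NO_PROXY. socks5h:// (not socks5://)
    # also resolves DNS names through the tunnel, so lookups do not bypass it.
    - name: app
      image: curlimages/curl:8.6.0 # tag is an assumption
      command: ["sh", "-c"]
      args:
        - |
          # retry until the sidecar's listener is up; prints the reserved IP
          until curl -sf https://api.ipify.org; do sleep 2; done
          while true; do sleep 3600; done
      env:
        - { name: ALL_PROXY, value: "socks5h://localhost:1080" }
        - { name: NO_PROXY, value: "ondigitalocean.com" }
```

`kubectl logs socks-egress-demo -c app` should show the proxy VM's reserved IP, and `kubectl logs socks-egress-demo -c socks-tunnel` shows an ssh error instead of a silent fallback if the host key in the ConfigMap does not match.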