Kubernetes Morpheus Agent for Clusters behind FW

Right now, to onboard a K8s cluster into Morpheus we have to expose the K8s API. This poses security challenges for Clusters behind a FW, especially in Multi Tenant Setups. It would be better if a Morpheus Agent either on the nodes or on a separate server like the Distributed worker could be used to act as an intermediary. This could make use of the same Morpheus Command Bus, which allows a connection to be started from within a sensitive environment (i.e. pull) instead of an external entity having to push commands into the sensitive environment.

Example/Use case(s):
Kubernetes Cluster behind FW or on sensitive Network.

Current Flow:
Morpheus → Exposed K8s API (push)

Better Flow:
Morpheus agent → polls Morpheus central for new commands to execute (pull)

Hi @marcel.rummens

This is already in the product. If you edit a cluster you have this option:


This was added in v6.3.2 and will be merged into the LTS this month on 7.0.0

Additionally, agent comms going over the distributed worker has existed, but the appliance URL on the cloud needs to point to the worker. Depending on your version of worker, you may need to upgrade it.

I’m going to set this to auto-close end of week if that fulfills this request.

Ohh I have missed that, thanks!

Can you run an agent on CoreOS (OpenShift)? The OS is not exactly standard.

Can you point me anywhere to set up the Worker? My last info was that it was not supported for Hyper-V, so I didn’t look into it closer.

Agent comms should work regardless of the cloud. However, I don’t see SCVMM on the cloud sync options (and I don’t have an environment at the moment to test).

That said, SCVMM may now work since it relies on the agent and agent comms can work over the distributed worker now.

Here’s the doc:


or I utilize the helm chart:

Sorry for the maybe stupid question but I didn’t fully get it. As I see it we have two options:

Option 1
We would deploy the K8s/OpenShift Cluster (probably by creating a Prov Flow and extending the Kubernetes Cluster Type). Then after the Cluster is up we install the Distributed Worker as a Container on it. But how do I tell the Agent that it’s supposed to proxy a connection from Cluster X, if all I have is the Morpheus API Key?

Option 2
We pre-deploy the Distributed Worker and create a new Cloud (SCVMM in our Case), linking them both together. Then using this Cloud we create the K8s Cluster (same logic as above). Then we provide Morpheus the internal IP/DNS Record of the Cluster (i.e. one that is not exposed to Morpheus Core) and then Morpheus will proxy through the Agent?

I will upgrade an instance to 6.3.4 to test all of this.

This topic was automatically closed after 4 days. New replies are no longer allowed.