Kubernetes Morpheus Agent for Clusters behind FW

marcel.rummens · March 10, 2024, 11:32am

Description:
Right now to onboard a K8s cluster into Morpheus we have to expose the K8s API. This poses security challenges for Clusters behind a FW, especially in Multi Tenant Setups. It would be better if a Morpheus Agent either on the nodes or on a separate server like the Distributed worker could be used to act as an intermediate. This could make use of the same Morpheus Command Bus, which allows to start a connection from within a sensitive environment (I.e. Pull) instead of an external entity having to push commands into the sensitive environment.

Example/Use case(s):
Kubernetes Cluster behind FW or on sensitive Network.

Current Flow:
Morpheus → Exposed K8s API (push)

Better flow
Morpheus agent → polls Morpheus central for new commands to execute (pull)

cbunge · March 11, 2024, 12:53pm

Hi @marcel.rummens

This is already in the product. If you edit a cluster you have this option:

This was added in v6.3.2 and will be merged into the LTS this month on 7.0.0

Additionally, agent comms going over the distributed worker has existed, but the appliance URL on the cloud needs to point to the worker. Depending on your version of worker, you may need to upgrade it.

I’m going to set this to auto-close end of week if that fulfills this request.

marcel.rummens · March 11, 2024, 1:10pm

Ohh I have missed that, thanks!

Can you run an agent on CoreOS (OpenShift)? The OS is not exactly standard.

Can you point me anywhere to setup the Worker? My last info was that it was not supported for HyperV, so I didn’t look into it closer.

cbunge · March 11, 2024, 1:17pm

Agent comms should work regardless of the cloud. However, I don’t see SCVMM on the cloud sync options (and I don’t have an environment at the moment to test).

That said, SCVMM may now work since it relies on the agent and agent comms can work over the distributed worker now.

Here’s the doc:

https://docs.morpheusdata.com/en/latest/administration/integrations/workers.html

or I utilize the helm chart:

marcel.rummens · March 11, 2024, 3:50pm

Sorry for the maybe stupid question but I didn’t fully get it. As I see it we have two options:

Option 1
We would deploy the K8s/OpenShift Cluster (probably by creating a Prov Flow and extending the Kubernetes Cluster Type). Then after the Cluster is up we install the Distributed Worker as a Container on it. But how do I tell the Agent that it’s supposed to proxy a connection from Cluster X, if all I have is the Morpheus API Key?

Option 2
We pre-deploy the Distributed Worker and create a new Cloud (SCVMM in our Case), linking them both together. Then using this Cloud we create the K8s Cluster (same logic as above). Then we provide Morpheus the internal IP/DNS Record of the Cluster (i.e. one that is not exposed to Morpheus Core) and then Morpheus will proxy through the Agent?

I will upgrade an instance to 6.3.4 to test all of this.

cbunge · March 16, 2024, 12:00pm

This topic was automatically closed after 4 days. New replies are no longer allowed.

Topic		Replies	Views
Morpheus add external Kubernetes Cluster Infrastructure k8s , kubernetes	4	258	January 11, 2024
Morpheus on K8s/Docker Ideas k8s , open	4	352	November 4, 2022
Morpheus integration with F5 LB Infrastructure load-balancers	3	263	July 26, 2022
Morpheus VDI Gateway and Distributed Worker as Container Infrastructure vdi , docker , k8s , worker	0	262	April 19, 2022
Using External VMs behind a Kubernetes Ingress Infrastructure automation , k8s	0	284	May 4, 2022

Kubernetes Morpheus Agent for Clusters behind FW

Related Topics