coreweave/apiserver-network-proxy
forked from kubernetes-sigs/apiserver-network-proxy
Language: Go
License: Apache-2.0
Stars: 0
Forks: 0
Open issues: 0
Created: 2024-12-11T14:57:17Z
Pushed: 2026-05-22T19:20:50Z
Default branch: master
Fork: yes
Parent repository: kubernetes-sigs/apiserver-network-proxy
Archived: no
README:
apiserver-network-proxy
Created due to https://github.com/kubernetes/org/issues/715.
See the KEP proposal for architecture and details.
Community, discussion, contribution, and support
Learn how to engage with the Kubernetes community on the community page.
You can reach the maintainers of this project at:
Code of conduct
Participation in the Kubernetes community is governed by the [Kubernetes Code of Conduct](code-of-conduct.md).
Versioning and releases
As of the 0.28.0 release, the apiserver-network-proxy project is changing its versioning and release process. Going forward the project will adhere to these rules:
- This project follows semantic versioning (e.g. `x.y.z`) for releases and tags.
- Tags indicate readiness for a release, and project maintainers will create corresponding releases.
- Releases and tags align with the Kubernetes minor release versions (the `y` in `x.y.z`). For instance, if Kubernetes releases version 1.99.0, the corresponding release and tag for apiserver-network-proxy will be 0.99.0.
- Branches will be created when the minor release version (the `y` in `x.y.z`) is increased, and follow the pattern of `release-x.y`. For instance, if version 0.99.0 has been released, the corresponding branch will be named `release-0.99`.
- Patch level versions for releases and tags will be updated when patches are applied to the specific release branch. For example, if patches must be applied to the `release-0.99` branch and a new release is created, the version will be 0.99.1. In this manner the patch level version number (the `z` in `x.y.z`) may not match the Kubernetes patch level.
For Kubernetes version 1.28.0+, we recommend using the tag that corresponds to the same minor version number. For example, if you are working with Kubernetes version 1.99, please utilize the latest 0.99 tag and refer to the release-0.99 branch. It is important to note that there may be disparities in the patch level between apiserver-network-proxy and Kubernetes.
For Kubernetes version ` (:8090) proxy (:8091) http-test-server(:8000) | ^ | Tunnel | +---------------------------------------------------------------+
- Start Simple test HTTP Server (Sample destination)

```bash
./bin/http-test-server
```

- Start proxy service

```bash
./bin/proxy-server \
  --server-ca-cert=certs/frontend/issued/ca.crt \
  --server-cert=certs/frontend/issued/proxy-frontend.crt \
  --server-key=certs/frontend/private/proxy-frontend.key \
  --cluster-ca-cert=certs/agent/issued/ca.crt \
  --cluster-cert=certs/agent/issued/proxy-frontend.crt \
  --cluster-key=certs/agent/private/proxy-frontend.key
```

- Start agent service

```bash
./bin/proxy-agent \
  --ca-cert=certs/agent/issued/ca.crt \
  --agent-cert=certs/agent/issued/proxy-agent.crt \
  --agent-key=certs/agent/private/proxy-agent.key
```

- Run client (mTLS enabled sample client)

```bash
./bin/proxy-test-client \
  --ca-cert=certs/frontend/issued/ca.crt \
  --client-cert=certs/frontend/issued/proxy-client.crt \
  --client-key=certs/frontend/private/proxy-client.key
```
### GRPC+UDS Client using Proxy with dial back Agent
Frontend client =HTTP over GRPC+UDS=> (/tmp/uds-proxy) proxy (:8091) SimpleHTTPServer(:8000) | ^ | Tunnel | +----------------------------------------------------------------------------+
- Start Simple test HTTP Server (Sample destination)

```bash
./bin/http-test-server
```

- Start proxy service

```bash
./bin/proxy-server \
  --server-port=0 \
  --uds-name=/tmp/uds-proxy \
  --cluster-ca-cert=certs/agent/issued/ca.crt \
  --cluster-cert=certs/agent/issued/proxy-frontend.crt \
  --cluster-key=certs/agent/private/proxy-frontend.key
```

- Start agent service

```bash
./bin/proxy-agent \
  --ca-cert=certs/agent/issued/ca.crt \
  --agent-cert=certs/agent/issued/proxy-agent.crt \
  --agent-key=certs/agent/private/proxy-agent.key
```

- Run client (mTLS enabled sample client)

```bash
./bin/proxy-test-client --proxy-port=0 --proxy-uds=/tmp/uds-proxy --proxy-host=""
```
### HTTP-Connect Client using mTLS Proxy with dial back Agent (Either curl OR test client)
Frontend client =HTTP-CONNECT=> (:8090) proxy (:8091) SimpleHTTPServer(:8000) | ^ | Tunnel | +-------------------------------------------------------------+
- Start SimpleHTTPServer (Sample destination)

```bash
./bin/http-test-server
```

- Start proxy service

```bash
./bin/proxy-server \
  --mode=http-connect \
  --server-ca-cert=certs/frontend/issued/ca.crt \
  --server-cert=certs/frontend/issued/proxy-frontend.crt \
  --server-key=certs/frontend/private/proxy-frontend.key \
  --cluster-ca-cert=certs/agent/issued/ca.crt \
  --cluster-cert=certs/agent/issued/proxy-frontend.crt \
  --cluster-key=certs/agent/private/proxy-frontend.key
```

- Start agent service

```bash
./bin/proxy-agent \
  --ca-cert=certs/agent/issued/ca.crt \
  --agent-cert=certs/agent/issued/proxy-agent.crt \
  --agent-key=certs/agent/private/proxy-agent.key
```

- Run client (mTLS & http-connect enabled sample client)

```bash
./bin/proxy-test-client \
  --mode=http-connect \
  --proxy-host=127.0.0.1 \
  --ca-cert=certs/frontend/issued/ca.crt \
  --client-cert=certs/frontend/issued/proxy-client.crt \
  --client-key=certs/frontend/private/proxy-client.key
```

- Run curl client (curl using an mTLS http-connect proxy)

```bash
curl -v -p \
  --proxy-key certs/frontend/private/proxy-client.key \
  --proxy-cert certs/frontend/issued/proxy-client.crt \
  --proxy-cacert certs/frontend/issued/ca.crt \
  --proxy-cert-type PEM \
  -x https://127.0.0.1:8090 \
  http://localhost:8000/success
```
### Running on kubernetes

See the following [README.md](examples/kubernetes/README.md).

### Running on a local kubernetes cluster with `kind`

See this [README.md](examples/kind/README.md) for an example that creates a local kubernetes cluster using `kind` and deploys the proxy agent on a worker node and the proxy server on a control plane node.

See this [README.md](examples/kind-multinode/README.md) for a similar…