Skip to content

feat: k8s reverse tunnel proxy for remote API access#654

Merged
krystiancastai merged 17 commits intomainfrom
REP-1940-v2
Mar 10, 2026
Merged

feat: k8s reverse tunnel proxy for remote API access#654
krystiancastai merged 17 commits intomainfrom
REP-1940-v2

Conversation

@krystiancastai
Copy link
Contributor

@krystiancastai krystiancastai commented Mar 5, 2026

Description:
Enables CAST AI backend to query the Kubernetes API of connected clusters
without requiring direct network access. The kvisor controller establishes
an outbound gRPC connection to CAST AI and forwards incoming HTTP requests
to the local k8s API using a dedicated restricted ServiceAccount, streaming
responses back through the tunnel.

Key points:

  • Read-only access enforced (GET only, blocked exec/attach/portforward/proxy subresources)
  • Dedicated gRPC connection with keepalive, separate from the main castai client
  • Short-lived SA tokens via TokenRequest API instead of mounted credentials
  • Proxy RBAC resources provisioned automatically via Helm when enabled
  • Enabled by setting kube-proxy-enabled: "true" in controller.extraArgs

patrickpichler
patrickpichler reviewed Mar 5, 2026
View reviewed changes
patrickpichler
patrickpichler reviewed Mar 6, 2026
View reviewed changes
patrickpichler
patrickpichler reviewed Mar 6, 2026
View reviewed changes
patrickpichler
patrickpichler reviewed Mar 6, 2026
View reviewed changes
patrickpichler
patrickpichler reviewed Mar 6, 2026
View reviewed changes
ruckgy and others added 8 commits March 6, 2026 14:08
@ruckgy @krystiancastai
Adding RED metrics tracking (#650)
9a69001
@ruckgy @krystiancastai
[Release] Update Chart.yaml
f127d9a
@ruckgy @krystiancastai
chore: Fixing default database name (#652)
b32815b 
Change default database name from kvisor to metrics consistently

Co-authored-by: Gyorgy Ruck <gyorgy@cast.ai>
@ruckgy @krystiancastai
[Release] Update Chart.yaml
4a4bcb2
@0msokolowski0 @krystiancastai
feat(helm): support global.castai overrides (apiURL, grpcURL, cluster…
e652429 
…ID) for umbrella chart (#653)

Add support for global.castai.apiURL, global.castai.grpcURL, and
  global.castai.clusterID in helm templates, enabling the castai-umbrella
  chart to override kvisor's values centrally.
  - Extract kvisor.apiGrpcAddr and kvisor.apiURL helpers to deduplicate
    coalesce+dig logic across agent.yaml and controller.yaml
  - Modify kvisor.clusterIDEnv to resolve global.castai.clusterID inline,
    preserving existing validation against clusterIdConfigMapKeyRef/SecretKeyRef
  - Align kvisor.cloudProvider helper to use the same inline style
  - Priority order: global value > local value > default
  - Add 13 unit tests covering all fallback scenarios
@0msokolowski0 @krystiancastai
[Release] Update Chart.yaml
8079b19
@krystiancastai
fix linter
53e4234
@krystiancastai
fixes
8ce936c
patrickpichler
patrickpichler reviewed Mar 9, 2026
View reviewed changes
patrickpichler
patrickpichler reviewed Mar 9, 2026
View reviewed changes
@krystiancastai krystiancastai merged commit e36f31b into main Mar 10, 2026
5 of 6 checks passed
@krystiancastai krystiancastai deleted the REP-1940-v2 branch March 10, 2026 07:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@patrickpichler patrickpichler patrickpichler approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@krystiancastai @patrickpichler @ruckgy @0msokolowski0