This guide demonstrates how to automatically inject Gluetun as a sidecar container into deployments using a Kyverno cluster policy. Kyverno acts as an admission control, enforcing policies on kubernetes resources before they are admitted into the cluster.
Prerequisites
- A Kubernetes cluster (Amazon EKS was used in this example)
Steps
-
Install Kyverno
helm repo add kyverno https://kyverno.github.io/kyverno/ helm repo update helm install kyverno --namespace kyverno kyverno/kyverno --create-namespace
-
Create Gluetun Configuration Secret
Create a Kubernetes secret named
vpnin thedefaultnamespace to store Gluetun configuration details. Replace the placeholders with your actual values:kubectl create secret generic vpn -n default \ --from-literal=FIREWALL_OUTBOUND_SUBNETS='10.128.0.0/16,172.20.0.0/16' \ --from-literal=VPN_SERVICE_PROVIDER='your_vpn_service_provider' \ --from-literal=OPENVPN_USER='your_openvpn_username' \ --from-literal=OPENVPN_PASSWORD='your_openvpn_password'- The
FIREWALL_OUTBOUND_SUBNETSoption specifies comma-separated network CIDRs that should not be routed through the VPN.
- The
-
Create Kyverno ClusterPolicy
Apply the
kyverno-clusterpolicy.yamlfile containing the Kyverno policy definition. This policy will look for deployments with the annotationvpn/gluetun-inject: "true"and automatically inject the Gluetun sidecar container.kubectl apply -f kyverno-clusterpolicy.yaml
-
Test with Deployment Example
Deploy a test deployment with the
vpn/gluetun-inject: "true"annotation in thedeployment.yamlfile and apply it to the default namespace. Kyverno will automatically inject the Gluetun container during deployment.kubectl apply -f deployment.yaml -n default
This process automates Gluetun injection for deployments marked for the sidecar container, simplifying your configuration management and ensuring consistent VPN protection for your workloads.