DocsTelepresence2.0Outbound Sessions
Outbound Sessions
While preview URLs are a powerful feature, there are other options to use Telepresence for proxying traffic between your laptop and the cluster.
Prerequistes
It is assumed that you have the demo web app from the tutorial running in your cluster, but deployment names used below can be substituted for any other running deployment.
Proxying Outbound Traffic
Connecting to the cluster instead of running an intercept will allow you to access cluster deployments as if your laptop was another pod in the cluster. You will be able to access other Kubernetes services using <servicename>.<namespace>
, for example by curling a service from your terminal. A service running on your laptop will also be able to interact with other services on the cluster by name.
Connecting to the cluster starts the background daemon on your machine and installs the Traffic Manager pod into the cluster of your current kubectl
context. The Traffic Manager handles the service proxying.
Run
telepresence connect
, you will be prompted for your password to run the daemon.Run
telepresence status
to confirm that you are connected to your cluster and are proxying traffic to it.Now try to access your service by name with
curl verylargejavaservice.default:8080
. Telepresence will route the request to the cluster, as if your laptop is actually running in the cluster.Terminate the client with
telepresence quit
and try to access the service again, it will fail because traffic is no longer being proxied from your laptop.
Controlling Outbound Connectivity
By default, Telepresence will provide access to all Services found in all namespaces in the connected cluster. This might lead to problems if the user does not have access permissions to all namespaces via RBAC. The --mapped-namespaces <comma separated list of namespaces>
flag was added to give the user control over exactly which namespaces will be accessible.
When using this option, it is important to include all namespaces containing services to be accessed and also all namespaces that contain services that those intercepted services might use.
Using local-only intercepts
An intercept with the flag--local-only
can be used to control outbound connectivity to specific namespaces.
When developing services that have not yet been deployed to the cluster, it can be necessary to provide outbound connectivity to the namespace where the service is intended to be deployed so that it can access other services in that namespace without using qualified names.
The resources in the given namespace can now be accessed using unqualified names as long as the intercept is active. The intercept is deactivated just like any other intercept.
The unqualified name access is now removed provided that no other intercept is active and using the same namespace.