Questions about WARP Client, kubectl, cloudflared tunnels in tcp proxy mode, etc

There’s a recent-ish blog post about using Cloudflare to access K8S clusters via kubectl

There are several aspects in this blog that aren’t well explained. Additionally there’s a prior blog post about the support for kubectl added to cloudflared tunnels – https://blog.cloudflare.com/releasing-kubectl-support-in-access/ – which is a useful background.

I finally got a tunneled kubectl connection working – but in the way described by the earlier blog post, not this newer post on WARP. My current most important question is about accessing multiple clusters across multiple networks or VPCs.

  • How does the solution presented here connect to the K8S API? There are no details given about how the local kubectl config looks, e.g. the URL of the API server, and there are no example kubectl commands given.
  • Is the 198.51.100.101 address in this blog post the K8S API endpoint?
    • Since that’s a public IP address, does this mean that the K8S API is listening on a public IP address?
  • Since I have my cluster in GKE with public IP address for the control plane disabled, how do I specify the route to the API? This is not clear from this blog post or the Cloudflare docs on this topic.
  • What does the config.yaml for this tunnel end up looking like?
  • Why does this require both a tunnel and the WARP client? When I’ve used cloudflared tunnels before, they don’t need the WARP client. Or is this so the tunnel routes requests to the API? There’s something missing here from my understanding that isn’t clearly addressed in this blog post.
  • How did you install the tunnels as pods without the tunnel running? Seems like a chicken-and-egg situation here, i.e. how would kubectl apply -f tunnels.yaml even work before the tunnel is running?
  • How does one route to different clusters in different networks? Especially in the situation where the cluster API server uses the same IP address in each network.
    • e.g. I have clusters running in GKE VPCs in Project “fred” and GKE in Project “wilma”. There is no network connectivity between these VPCs/Projects, but the IP address for the API server on the control plane is 172.16.0.2 for both clusters.
    • How would I configure WARP and the associated apps to account for this?