Pod VPN to external Services
If one of your Kubernetes applications needs to communicate with a service behind a VPN, the simplest solution is to add a VPN connection to your application.
We recommend taking advantage of how sidecar containers work in a Kubernetes Pod. Instead of installing a VPN stack inside your application, run the VPN stack in a sidecar container in the same pod.
All containers in the same pod share a network namespace, meaning that if one container runs a VPN connection, the other containers in the same pod use the same VPN connection.
This has been tested with OpenVPN and WireGuard sidecar containers. No unique configuration was needed for these 2 tests.
Example of a WireGuard sidecar configuration:
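containers:
  - name: wireguard
    image: ghcr.io/linuxserver/wireguard
    imagePullPolicy: IfNotPresent
    securityContext:
      # privileged mode already grants every capability, including the two added below
      privileged: true
      capabilities:
        add:
          - NET_ADMIN   # create and configure the VPN interface and routes
          - SYS_MODULE  # load the wireguard kernel module if the node has not loaded it
      allowPrivilegeEscalation: true
      readOnlyRootFilesystem: false
    volumeMounts:
      # WireGuard configuration; the name must match an entry under the pod's volumes
      - mountPath: /config
        name: wireguard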
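
Because the pod's containers share one network namespace, only the sidecar needs rights over interfaces and routes. The following check is an added example, not part of the original page: it audits a pod spec for where elevated rights sit. The `app` container, its image name and the finding strings are assumptions; the `wireguard` entry mirrors the sidecar above.

```python
# Added example, not from the original page. The "app" container and its
# image are hypothetical; the wireguard entry mirrors the page's sidecar.
POD_SPEC = {  # constructed sample input
    "containers": [
        {"name": "app", "image": "registry.example/app:1.0"},
        {"name": "wireguard",
         "image": "ghcr.io/linuxserver/wireguard",
         "securityContext": {
             "privileged": True,
             "capabilities": {"add": ["NET_ADMIN", "SYS_MODULE"]},
             "allowPrivilegeEscalation": True,
             "readOnlyRootFilesystem": False}},
    ]
}


def audit_pod(pod_spec, vpn_container="wireguard"):
    """Return sorted (container, finding) pairs for risky securityContext use."""
    findings = set()
    for c in pod_spec.get("containers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}
        added = set((sc.get("capabilities") or {}).get("add") or [])
        privileged = sc.get("privileged") is True
        if privileged:
            # privileged mode grants every capability and host device access
            findings.add((name, "privileged"))
            if added:
                findings.add((name, "capabilities.add redundant under privileged"))
        if name != vpn_container and (privileged or added):
            # the shared network namespace means only the sidecar has to
            # configure interfaces and routes; the app needs no extra rights
            findings.add((name, "elevated rights outside the VPN sidecar"))
    return sorted(findings)


if __name__ == "__main__":
    for container, finding in audit_pod(POD_SPEC):
        print(f"{container}: {finding}")
```
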