I’ve been fighting with my local Minikube environment behind a VPN for months now. I resigned to using a remote server that doesn’t use the VPN, but decided to revisit the local environment setup recently and finally figured it out!
What I Think The Problem Was
I’ve always used the Virtualbox driver for Minikube. It works fine behind a proxy by just setting the
NO_PROXY variables. I think what messes up a lot of people is they forget to add all the Minikube-related IPs to their
NO_PROXY variables. A cool thing about Kubernetes is it respects CIDR notation in your
NO_PROXY. I even wrote a script to set up all the proxy variables.
But for some reason, Virtualbox doesn’t like my VPN…
$ minikube delete
🔥 Deleting "minikube" in virtualbox ...
💀 Removed all traces of the "minikube" cluster.
$ . proxy.sh http://proxy.example.com:8080
$ minikube start --driver virtualbox
😄 minikube v1.23.2 on Darwin 11.6.1
✨ Using the virtualbox driver based on user configuration
👍 Starting control plane node minikube in cluster minikube
🔥 Creating virtualbox VM (CPUs=2, Memory=6000MB, Disk=20000MB) ...
🌐 Found network options:
❌ minikube is unable to connect to the VM: dial tcp 192.168.99.225:22: i/o timeout
This is likely due to one of two reasons:
- VPN or firewall interference
- virtualbox network configuration issue
- Disable your local VPN or firewall software
- Configure your local VPN or firewall to allow access to 192.168.99.225
- Restart or reinstall virtualbox
- Use an alternative --vm-driver
- Use --force to override this connectivity check
❌ Exiting due to GUEST_PROVISION: Failed to validate network: dial tcp 192.168.99.225:22: i/o timeout
│ 😿 If the above advice does not help, please let us know: │
│ 👉 https://github.com/kubernetes/minikube/issues/new/choose │
│ Please run `minikube logs --file=logs.txt` and attach logs.txt to the GitHub issue. │
After reading the Minikube VPN documentation, I suspected my VPN client was configured to not allow local traffic, but when I tried to configure it, I couldn’t find any option to do so. So after reading the Pulse Secure VPN client documentation, I also suspected my IT department doesn’t allow users to configure the client.
I tried the VMware driver with similar results. (The VMware driver seems to work now, and it works well, so maybe use that if you have VMware Fusion.) I broke up with Docker Desktop the first time because it didn’t respect
NO_PROXY, and then again after they changed their license, and after all that, I just don’t want to use the Docker driver. So finally I checked out the HyperKit driver and that’s what solved all my problems. All I know about HyperKit is that it’s a Mac hypervisor developed by the Moby project, and it works with my VPN, so let’s get things set up…
Install Minikube and HyperKit
Install Homebrew if you haven’t already. Once you have Homebrew set up, install Minikube and HyperKit.
brew install minikube hyperkit
Create a Minikube Instance
Make sure you set up your proxy variables if required. Use my script if you want. The following command sets up a Minikube instance with a default configuration using HyperKit, but there’s a ton of options you can change. See
minikube --help for those.
minikube start --driver hyperkit
There was an error about not being able to connect to k8s.gcr.io, but I just ignored it as it didn’t seem to affect the instance creation. Once the VM was created, I set up my Kubernetes/Docker clients. I wrote a script for that so you can just run
. minikube.sh --driver hyperkit to set everything up. When I tried to pull an image, I got another error:
Error response from daemon: Get "https://registry-1.docker.io/v2/": proxyconnect tcp: dial tcp: lookup proxy.example.com on 172.16.129.1:53: read udp 172.16.129.14:44065->172.16.129.1:53: read: connection refused
It took me a while to resolve this, but when a co-worker posted a DNS config he used to get Docker running behind the VPN, I was able to adopt his method to configure Minikube’s DNS to use my host’s DNS server. Maybe Minikube has an option that does this automagically?
minikube ssh sudo resolvectl dns eth0 192.168.0.53
minikube ssh sudo resolvectl domain eth0 example.com
And then I was rocking!
$ docker image pull timescale/timescaledb-postgis:2.3.0-pg13
2.3.0-pg13: Pulling from timescale/timescaledb-postgis
540db60ca938: Pull complete
a3cb73039552: Pull complete
39855706e49a: Pull complete
19d88c3ceadb: Downloading [===============================> ] 37.52MB/59.45MB
9ef572e3c9bb: Download complete
261ea2d28080: Download complete
1716633ec467: Download complete
051e02f33f5f: Download complete
79ceec13a19e: Download complete
f43ce1b5bcdc: Download complete
9e276ca2472d: Download complete
3e6c8f42f360: Download complete
c9bfa14dc9b6: Download complete
101a245191b9: Downloading [===================> ] 16.91MB/44.11MB
Hope that works out for you with your VPN, but if not, let me know in the comments.
UPDATE: Things Are Still Broken
I thought my troubles were over, but it seems VMware and HyperKit drivers want me to use `minikube mount` to mount my host files in the VM so bind mounts will work. Virtualbox driver seem to do that automagically. I ran into this issue which required specifying the network IP address of the VM.
minikube mount /Users/me:/Users/me –ip 172.16.129.1
Then I ran into an error when running pytest:
OSError: [Errno 526] Unknown error 526
I followed some advice in this issue and increased
msize to no avail.
minikube mount /Users/me:/Users/me –ip 172.16.129.1 –msize 524288
So now I’m back to just using a server without a VPN and Virtualbox. :*(