ZPA Connector on Kubernetes

Private Access
,
#1

I just wanted to share this. As we know, ZPA connector is available as a Docker image. I just wanted to share that it is possible to deploy this in a Kubernetes cluster since Kubernetes natively supports orchestrating docker containers.

The official documentation at App Connector Deployment Guide for Docker | Zscaler lists 2 docker images - AMD64 and ARM64.

I deployed this successfully in a GKE cluster using the AMD64 image. To do you, you can deploy the zpa-connector as a Kubernetes Deployment workload. Here’s the deployment manifest that I used.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: zpa-connector
spec:
  selector:
    matchLabels:
      app: zpa-connector
  replicas: 3
  template:
    metadata:
      labels:
        app: zpa-connector
    spec:
      containers:
      - name: zpa-connector
        image: "zscaler/zpa-connector:latest.amd64"
        env:
        - name: ZPA_PROVISION_KEY
          value: "<replace with your ZPA provisioning key>"
        securityContext:
          capabilities:
            add: ["NET_ADMIN", "NET_BIND_SERVICE", "NET_RAW", "SYS_NICE", "SYS_BOOT", "SYS_TIME"]

It’s important you include securityContext.capabilities.add or the connector will fail to work properly. The capabilities listed there are taken right out of the help article in the URL above.

2 Likes
#3

Nice, thanks for the manifest!
Also a quick question: how do you guarantee your replicas run on different hosts?

#4

That’s the best part. I don’t have to. My design is such that I don’t have a central “transit reverse proxy” aka a giant zpa connector cluster. I install the zpa connector in the same kubernetes cluster as my apps. This way

  1. If the cluster dies, the zpa connector dies along with it. No impact to other zpa published apps on other connectors. Plus, cluster is down, so even if zpa is up, there’s no app to access.
  2. Kubernetes takes care to ensure my desired state = actual state. That’s the benefit of using Kubernetes as an orchestrator. At any one time, I am sure I will have 3 replicas of zpa connector running (or however many I so desire).
#5

Wow! I actually didn’t know it was available on Docker either, so this is awesome!

Edit: Doesn’t look like Docker is supported for zpagov yet. :frowning:

#6

It’s shouldn’t be difficult for zscaler to build a docker image using their zpa binaries. it’s a matter of adjusting their Dockerfile.