ZPA Connector on Kubernetes

I just wanted to share this. As we know, the ZPA connector is available as a Docker image, and it is possible to deploy it in a Kubernetes cluster, since Kubernetes natively supports orchestrating Docker containers.

The official documentation at App Connector Deployment Guide for Docker | Zscaler lists two Docker images, AMD64 and ARM64.

I deployed this successfully in a GKE cluster using the AMD64 image. To do so, you can deploy the zpa-connector as a Kubernetes Deployment workload. Here's the deployment manifest that I used.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: zpa-connector
spec:
  selector:
    matchLabels:
      app: zpa-connector
  # Kubernetes keeps this many connector pods running at all times.
  replicas: 3
  template:
    metadata:
      labels:
        app: zpa-connector
    spec:
      containers:
      - name: zpa-connector
        # AMD64 image from the Zscaler Docker deployment guide.
        image: "zscaler/zpa-connector:latest.amd64"
        env:
        # The connector enrols with ZPA using this provisioning key.
        - name: ZPA_PROVISION_KEY
          value: "<replace with your ZPA provisioning key>"
        securityContext:
          capabilities:
            # Capability list taken from the Zscaler Docker guide; required for the connector to work.
            add: ["NET_ADMIN", "NET_BIND_SERVICE", "NET_RAW", "SYS_NICE", "SYS_BOOT", "SYS_TIME"]

It's important that you include securityContext.capabilities.add, or the connector will fail to work properly. The capabilities listed there are taken right out of the help article at the URL above.

2 Likes

Nice, thanks for the manifest!
Also a quick question: how do you guarantee your replicas run on different hosts?

That's the best part. I don't have to. My design is such that I don't have a central "transit reverse proxy", aka a giant ZPA connector cluster. I install the ZPA connector in the same Kubernetes cluster as my apps. This way:

  1. If the cluster dies, the ZPA connector dies along with it. No impact to other ZPA-published apps on other connectors. Plus, the cluster is down, so even if ZPA is up, there's no app to access.
  2. Kubernetes takes care to ensure my desired state = actual state. That's the benefit of using Kubernetes as an orchestrator. At any one time, I am sure I will have 3 replicas of the ZPA connector running (or however many I so desire).
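As an added example that is not part of this thread (and not Zscaler's own manifest), here is a variant of the Deployment from the first post that addresses two points raised above: it reads ZPA_PROVISION_KEY from a Kubernetes Secret instead of a literal value in the manifest, so the key does not end up in git or in `kubectl get deploy -o yaml` output, and it adds a pod anti-affinity rule for anyone who does want the replicas guaranteed to land on different nodes. The Secret name zpa-provision-key is an assumption; the image tag and the capability list are the ones quoted from the Zscaler Docker guide.

```yaml
# Added example, not the original poster's manifest. Secret name and
# anti-affinity rule are assumptions; image and capabilities are from the guide.
apiVersion: v1
kind: Secret
metadata:
  name: zpa-provision-key
type: Opaque
stringData:
  # Placeholder only. Prefer creating the Secret out of band with
  # kubectl create secret generic so the key never sits in this file.
  ZPA_PROVISION_KEY: "<replace with your ZPA provisioning key>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: zpa-connector
spec:
  replicas: 3
  selector:
    matchLabels:
      app: zpa-connector
  template:
    metadata:
      labels:
        app: zpa-connector
    spec:
      # Hard rule: no two zpa-connector pods may share a node, so a single
      # node failure cannot take out every connector at once.
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app: zpa-connector
            topologyKey: kubernetes.io/hostname
      containers:
      - name: zpa-connector
        # Tag from the Zscaler Docker guide; pin a specific version in production.
        image: "zscaler/zpa-connector:latest.amd64"
        env:
        - name: ZPA_PROVISION_KEY
          # Pulled from the Secret above instead of being written inline.
          valueFrom:
            secretKeyRef:
              name: zpa-provision-key
              key: ZPA_PROVISION_KEY
        securityContext:
          capabilities:
            # Same list the first post quotes from the Zscaler Docker guide.
            add: ["NET_ADMIN", "NET_BIND_SERVICE", "NET_RAW", "SYS_NICE", "SYS_BOOT", "SYS_TIME"]
```

Two caveats. With requiredDuringSchedulingIgnoredDuringExecution, a cluster with fewer schedulable nodes than replicas leaves the surplus pods Pending; if that is not acceptable, use preferredDuringSchedulingIgnoredDuringExecution instead, which only spreads them when it can. And create the Secret out of band (kubectl create secret generic zpa-provision-key --from-literal=ZPA_PROVISION_KEY=...) rather than applying the placeholder block above, so the provisioning key is never committed alongside the Deployment.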

Wow! I actually didn’t know it was available on Docker either, so this is awesome!

Edit: Doesn’t look like Docker is supported for zpagov yet. :frowning:

It shouldn't be difficult for Zscaler to build a Docker image using their ZPA binaries. It's a matter of adjusting their Dockerfile.

Thanks for this; it should help with deploying Zscaler on our platform.
Just wondering if you managed to figure out a way to pass the proxy value to the ZPA container.

And one more thing: did you face an issue with sending ZPA traffic through a proxy? It seems like their official way of providing the proxy config is only for ZPA to connect to their cloud and request updates, not for the actual traffic to go through the proxy, and the traffic doesn't even seem to obey the host proxy rules either.

You are correct that you should not send all ZPA traffic through a proxy as it will impact performance, but sometimes it’s unavoidable.