
UI: Attach a Network-Restricted Cluster

Attach a Cluster

To attach a network-restricted cluster to your DKP landscape:

  1. From the top menu bar, select your target workspace.

  2. On the Dashboard page, select the Add Cluster option in the Actions dropdown menu at the top right.

  3. Select Attach Cluster.

  4. Select the Cluster has networking restrictions card to display the configuration page.

Configure the Attachment

Establish the configuration parameters for the attachment:

  1. Enter the Cluster Name of the cluster you’re attaching.

  2. Create additional new Labels as needed.

  3. Select the hostname that is the Ingress for the cluster from the Load Balancer Hostname dropdown menu. The hostname must match the Kommander Host cluster to which you are attaching your existing cluster with network restrictions.

  4. Specify the URL Path Prefix for your Load Balancer Hostname. This URL path will serve as the prefix for the specific tunnel services you want to expose on the Kommander management cluster. If no value is specified, the value defaults to /dkp/tunnel.

    (info) Kommander uses Traefik 2 ingress, which requires the strip prefix middleware to be defined explicitly as a Kubernetes API object, as opposed to a simple annotation. Kommander provides default middleware that supports creating tunnels only on the /dkp/tunnel URL prefix. This is indicated by the extra annotation kommander-stripprefixes-kubetunnel@kubernetescrd, as shown in the code sample that follows. If you want to expose a tunnel on a different URL prefix, you must manage your own middleware configuration.

  5. Optional: Enter a value for the Hostname field.

  6. Provide a secret for your certificate in the Root CA Certificate drop-down menu.

    1. For environments where the Management cluster uses a publicly-signed CA (like ZeroSSL or Let’s Encrypt), select Use Publicly Trusted CA.

    2. If you manually created a secret in advance, select it from the drop-down menu.

    3. For all other cases, select Create a new secret. Then, execute the following command on the Management cluster to obtain the caBundle key:

      kubectl get kommandercluster -n kommander host-cluster -o go-template='{{ .status.ingress.caBundle }}'

      Copy and paste the output into the Root CA Certificate field.

  7. Add any Extra Annotations as needed.
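
The value pasted into the Root CA Certificate field in step 6 should be a valid, unexpired CA certificate. The following check is an added example, not part of the DKP documentation or tooling: the function names are hypothetical, and it assumes `openssl` is installed and that the caBundle value is either PEM text or base64-encoded PEM.

```bash
# Added example; function names are hypothetical, not DKP tooling.

# Emit PEM on stdout from a file argument or stdin. Assumption: the value is
# either PEM text or base64-encoded PEM, so both forms are accepted.
normalize_ca_bundle() {
  local raw
  raw=$(cat "${1:--}")
  case "$raw" in
    *"-----BEGIN CERTIFICATE-----"*) printf '%s\n' "$raw" ;;
    *) printf '%s' "$raw" | tr -d '[:space:]' | base64 -d 2>/dev/null ;;
  esac
}

# Return 0 only if the input holds at least one certificate and every one
# parses, is a CA (basicConstraints CA:TRUE) and has not expired.
check_ca_bundle() {
  local dir pem n=0 rc=0
  dir=$(mktemp -d) || return 2
  normalize_ca_bundle "${1:--}" > "$dir/bundle.pem" || true
  # Split the bundle into one file per certificate.
  awk -v d="$dir" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%03d.pem", d, ++i) }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$dir/bundle.pem"
  for pem in "$dir"/cert-*.pem; do
    [ -e "$pem" ] || break
    n=$((n + 1))
    if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
      echo "cert $n: not a parseable X.509 certificate"; rc=1; continue
    fi
    # Subject and SHA-256 fingerprint, for comparison out of band.
    openssl x509 -in "$pem" -noout -subject -fingerprint -sha256
    openssl x509 -in "$pem" -noout -text | grep 'CA:TRUE' >/dev/null \
      || { echo "cert $n: basicConstraints is not CA:TRUE"; rc=1; }
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
      || { echo "cert $n: expired"; rc=1; }
  done
  [ "$n" -gt 0 ] || { echo "no certificate found in input"; rc=1; }
  rm -rf "$dir"
  return "$rc"
}

# Usage on the Management cluster, with the command from step 6:
#   kubectl get kommandercluster -n kommander host-cluster \
#     -o go-template='{{ .status.ingress.caBundle }}' | check_ca_bundle
```

A non-zero exit status means the value should not be pasted as-is; the printed lines say which certificate in the bundle failed and why.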

Optional: Enable a Proxied Access

Enable proxied access to allow kubectl access and dashboard observability for the network-restricted cluster from the Management cluster. For more information, see Proxied Access to Network-Restricted Clusters.

  1. Select Show Advanced.

  2. Add a Cluster Proxy Domain.

  • If you previously configured a domain wildcard for your cluster, a Cluster Proxy Domain is suggested automatically based on your cluster name. Replace the suggestion if you want to assign a different domain for the proxied cluster.

  • If you want to use the external-dns service, specify a Cluster Proxy Domain that is within the zones specified in the --domain-filter argument of the external-dns deployment manifest stored on the Management cluster.
    For example, if the filter is set to, a possible domain for the TUNNEL_PROXY_EXTERNAL_DOMAIN would be

  3. Establish a DNS record and certificate configuration for the Cluster Proxy Domain. You can choose between the default and a custom option:

     Default settings (box checked ✔️)

       • DNS record creation: handled by external-dns

       • Certificate Management: handled by kommander-ca

     Custom settings (box unchecked 🔲)

       • DNS record creation:

           • Manually create a DNS record. The record’s A/CNAME value must point to the Management cluster’s Traefik IP address, URL or domain.

           • Enable external-dns with an annotation that points to the Cluster Proxy Domain.

       • Certificate Management:

           • Select an existing TLS certificate.

           • Select an existing Issuer or ClusterIssuer.

  4. Select the Save & Generate kubeconfig button to generate a file required to finish attaching the cluster.

A new window appears with instructions on how to finalize attaching the cluster. See UI: Finish Attaching the Existing Cluster for further instructions.

Next Step:

UI: Finish Attaching the Existing Cluster

Related Topic:

For information on the TunnelGateway, review the API documentation (v1alpha1).
