Dialing OpenVPN from a container

Application scenario:
In production there are two hosts in an edge machine room, and the two hosts form a k3s cluster. Some business data has to be uploaded to the data centre for storage, and to protect it in transit we send it over an encrypted VPN tunnel. The traditional approach is for each host to dial its own VPN link and to configure the route back to the data centre on the host, so that applications in the pods use the host's tunnel. This does not generalise well: every additional host needs its own VPN account and host-level configuration, so the maintenance effort grows with the number of hosts. The better solution is to package the VPN client as an image and deploy it to the k3s cluster in the same way as the business programs.
Implementation method:
Build two images with docker: one for the OpenVPN client and one for the business program that transmits the data. On k3s, deploy them as a single Deployment whose pod runs both containers. All containers in a pod share one network namespace, so once the OpenVPN container has dialled up successfully, the business container can send its traffic through the same tunnel without any VPN configuration of its own.
It should be noted that:
For reuse across deployments, the OpenVPN username and password are not baked into the image but mounted into the container through k3s configuration (use a Secret rather than a ConfigMap, since these are credentials). In addition, the OpenVPN container must run with the NET_ADMIN capability, and the host device /dev/net/tun must be mounted to /dev/net/tun in the container. Without either of these the dial-up fails, because OpenVPN cannot create or configure the tun interface. NET_ADMIN alone is enough; the container does not need privileged mode, and only the OpenVPN container should receive the capability, not the business container.
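The manifests below are an added example, not from the original post, showing the two-container Deployment described above on k3s: an OpenVPN client sidecar with NET_ADMIN and the /dev/net/tun device, credentials in a Secret, the client config in a ConfigMap, and a readiness probe that checks the tunnel interface. The image names, the gateway address vpn.example.com, the Secret and ConfigMap names, the interface name tun0 and the presence of /bin/sh in the client image are all assumptions; the server CA certificate must be added to the ConfigMap before this will connect.

```yaml
# Added example (not from the original post): OpenVPN client sidecar on k3s.
# Assumptions: image names, the gateway vpn.example.com, Secret/ConfigMap
# names, the interface name tun0, and /bin/sh inside the openvpn image.
apiVersion: v1
kind: Secret
metadata:
  name: openvpn-auth
type: Opaque
stringData:
  # Username on line 1, password on line 2 (OpenVPN auth-user-pass file format).
  # Placeholder values; create the real Secret out of band, not from a file in git.
  auth.txt: |
    vpnuser
    change-me
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: openvpn-client-config
data:
  # ca.crt: add the VPN server's CA certificate (PEM) under this key.
  client.ovpn: |
    client
    dev tun
    proto udp
    remote vpn.example.com 1194
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/config/ca.crt
    auth-user-pass /etc/openvpn/auth/auth.txt
    verb 3
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: edge-uploader
spec:
  replicas: 1
  selector:
    matchLabels:
      app: edge-uploader
  template:
    metadata:
      labels:
        app: edge-uploader
    spec:
      volumes:
        - name: tun
          hostPath:
            path: /dev/net/tun
            type: CharDevice
        - name: openvpn-config
          configMap:
            name: openvpn-client-config
        - name: openvpn-auth
          secret:
            secretName: openvpn-auth
            defaultMode: 0400
      containers:
        # Sidecar: dials the tunnel. It is the only container that gets NET_ADMIN.
        - name: openvpn
          image: registry.example.com/openvpn-client:2.5
          command: ["openvpn", "--config", "/etc/openvpn/config/client.ovpn"]
          securityContext:
            capabilities:
              add: ["NET_ADMIN"]   # enough to create tun0 and set routes; no privileged: true
          volumeMounts:
            - name: tun
              mountPath: /dev/net/tun
            - name: openvpn-config
              mountPath: /etc/openvpn/config
              readOnly: true
            - name: openvpn-auth
              mountPath: /etc/openvpn/auth
              readOnly: true
          # The pod is reported Ready only once the tun interface exists.
          readinessProbe:
            exec:
              command: ["sh", "-c", "test -e /sys/class/net/tun0"]
            initialDelaySeconds: 5
            periodSeconds: 10
        # Business container: no VPN config, no extra capabilities. It shares the
        # pod's network namespace, so packets to the data-centre prefix follow the
        # routes OpenVPN installed through tun0.
        - name: uploader
          image: registry.example.com/edge-uploader:1.0
```

Two practical points. The readiness probe marks the pod NotReady until tun0 appears, but it does not delay the uploader container's start, so the business program should retry its upload until the tunnel is up (it can test the same /sys/class/net/tun0 path, since it shares the network namespace). If replicas is raised above 1, every pod dials a separate session with the same credentials, which the OpenVPN server must be configured to allow (duplicate-cn).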

Source: blog.51cto.com/denwork/2555518