If you are connected to a corporate VPN via Cisco’s AnyConnect client, you might have problems starting Minikube.
The issue has been extensively discussed in this bug report. This pull request supposedly fixes the issue, in the v0.19.0 release. However, I’m still occasionally seeing the issue. I have attempted different approaches, but they have different degrees of convenience and success in different networks.
- Use OpenConnect for VPN access rather than Cisco’s AnyConnect client.
- Set port forwarding to forward port 8443 on 127.0.0.1 to port 8443 in the minikube VM.
In this post, we will look into each approach in more detail.
OpenConnect is a CLI alternative to Cisco’s AnyConnect VPN client. Here’s how you set up OpenConnect on Mac OS X:
OpenConnect can be installed via homebrew:
brew update
brew install openconnect
- Install the Mac OS X TUN/TAP driver
Connect. The only thing you should be prompted for is your VPN password.
sudo openconnect --user=<VPN username> <your vpn hostname>
- To disconnect, just Ctrl-C in the window where you started the VPN connection.
Port forwarding localhost:xxx -> minikube_IP:xxx
This approach is the more convenient and more reliable in my experience. All you need to do is to set up a list of port forwarding rules for minikube’s VirtualBox:
Then, you can set up a new Kubernetes context for working with VPN:
When working on VPN, you can set kubectl to switch to the new context:
All Minikube URLs must now be accessed through localhost in the browser.
For example, the standard Kubernetes dashboard URL such as:
must now be accessed via
The same applies to other services that are deployed to minikube, such as jenkins shown above.
In addition, the standard eval $(minikube docker-env) pattern for reusing minikube’s Docker daemon will no longer work.
Instead, you have to adjust DOCKER_HOST accordingly and use docker --tlsverify=false ..., which makes the Docker client skip verification of the daemon’s TLS certificate.
Finally, when not working on VPN, you can set kubectl to switch back to the old context:
This approach is the simplest, but it also has less success than I hoped.
The idea of this approach is that the AnyConnect VPN client likely routes 192.168.96.0/19 through its tunnel.
This may conflict with the default Minikube network of
Therefore, we use minikube start --host-only-cidr 10.254.254.1/24 to instruct minikube to use a different, unused arbitrary network.
It is worth a try but it often does not work in my experience.
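Before restarting Minikube, a candidate --host-only-cidr value can be checked against the networks the VPN routes. The script below is an added example, not code from the original post: the function names are hypothetical, and the second route (10.0.0.0/9) and the overlapping candidate (192.168.100.1/24) are constructed sample values.

```sh
#!/bin/sh
# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "first last" (as integers) for the network containing ADDR/PREFIX.
cidr_range() {
    addr=${1%/*}; prefix=${1#*/}
    ip=$(ip_to_int "$addr")
    size=$(( 1 << (32 - prefix) ))
    first=$(( ip / size * size ))  # round down to the network boundary
    echo "$first $(( first + size - 1 ))"
}

# Return 0 if the two CIDR blocks share any address, 1 otherwise.
cidr_overlaps() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Print the first candidate that overlaps none of the VPN routes.
# $1: space-separated VPN-routed CIDRs; remaining args: candidate CIDRs.
pick_host_only_cidr() {
    routes=$1; shift
    for cand in "$@"; do
        clash=0
        for r in $routes; do
            if cidr_overlaps "$r" "$cand"; then clash=1; break; fi
        done
        if [ "$clash" -eq 0 ]; then echo "$cand"; return 0; fi
    done
    return 1                       # every candidate collides with a route
}

# Constructed sample: the route named in the post plus a made-up second one.
VPN_ROUTES="192.168.96.0/19 10.0.0.0/9"
pick_host_only_cidr "$VPN_ROUTES" 192.168.100.1/24 10.254.254.1/24
```

Replace VPN_ROUTES with the networks that netstat -rn lists for the VPN interface while connected.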