Why Krust Needs VPN Access

Krust uses Apple Network Extension to make Kubernetes service DNS work locally in a stable, predictable way. The current implementation is built around a managed system DNS proxy and local routing support for cluster service traffic.

Short version: this permission is for local Kubernetes service DNS workflows such as *.svc.cluster.local. It is not used to route normal internet traffic through Krust.

Diagram showing Krust handling Kubernetes service DNS locally while leaving all other internet traffic untouched.

What this enables

Use real service hostnames like *.svc.cluster.local from your Mac
Avoid constant localhost port confusion across tools and sessions
Open the same service from browser, curl, Postman, and scripts
Keep separate mappings for the same hostname on different service ports

What Krust does not do

Does not route your general internet traffic
Does not inspect unrelated external traffic
Does not send DNS mappings or forwarded traffic to Krust servers

Scope

Krust only handles internal cluster DNS domains (for example, *.svc.cluster.local) used by DNS proxy and local service forwarding workflows. It does not rely on the older manual resolver-install flow; DNS state is managed directly by the app through the system DNS proxy path.

Privacy

Zero telemetry by default. Mappings and traffic stay on your machine. See Privacy Policy for full details.

Back to Port Forwarding Read Privacy Policy