Need to debug an application running within a Kubernetes cluster? Port forwarding is a way to connect to Pods that are not publicly accessible. You can use this technique to inspect databases, monitoring tools, and other applications that you want to publish internally without a public path.
Shipping port is Built in Kubectl. The CLI can initiate tunneling sessions that redirect traffic on local ports to Pods in your Kubernetes cluster. Here’s how to set it up.
How does port forwarding work
Port forwarding is a type of Network Address Translation (NAT) rule that directs traffic from one network to another. In the context of Kubernetes, requests that appear to be terminated by
localhost to your group’s intranet.
Port forwarding works at the port level only. You direct a specific port like
33060 to a target port like
3306 in the destination network. When you send traffic to your local port
33060it will be automatically redirected to the port
3306 at the far end.
This technology allows you to access private Kubernetes workloads that are not detected by a file NodePort, loginor LoadBalancer. You can route local traffic directly to your cluster, eliminating the need to create Kubernetes services for your internal workloads. This helps reduce your attack surface.
Publish a sample application
Let’s now see Kubernetes port forwarding in action. Start by creating a basic deployment that you will connect to using port forwarding in the next section.
We use the MySQL database pod as a real-world example of when you might need to use this technique. Databases are not usually public, so Kubernetes administrators often use port forwarding to open a direct connection.
Create a YAML file for your post:
apiVersion: apps/v1 kind: Deployment metadata: name: mysql spec: selector: matchLabels: app: mysql template: metadata: labels: app: mysql spec: containers: - image: mysql:8.0 name: mysql env: - name: MYSQL_ROOT_PASSWORD value: mysql
Make sure to change the value of a file
MYSQL_ROOT_PASSWORD environment variable before using this statement in production. Being
kubectl apply To create your own MySQL deployment:
$ kubectl apply -f mysql.yaml deployment.apps/mysql created
Next, use a file
get pods A command to verify that the workload has started successfully:
$ kubectl get pods NAME READY STATUS RESTARTS AGE mysql-5f54dd5789-t5fzc 1/1 Running 0 2s
Using Kubectl in Port Forward to Kubernetes
Even though MySQL is now running in your cluster, you have no way to access it from outside. Next, set up a port forwarding session so you can use local installs of tools like
mysql CLI to connect to your database.
Here’s a simple example:
$ kubectl port-forward deployment/mysql 33060:3306 Forwarding from 127.0.0.1:33060 -> 3306 Forwarding from [::1]:33060 -> 3306
Connections to port 33060 will be routed to port 3306 against the Pod that is running MySQL deployment. You can now start a MySQL shell session targeting your Kubernetes database:
$ mysql --host 127.0.0.1 --port 33060 -u root -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 10 Server version: 8.0.29 MySQL Community Server - GPL
Keep the shell window that is running a file
kubectl port-forward The command is open for the duration of the debug session. Port forwarding will be terminated when you press Ctrl + C or close the window.
Change local and remote port numbers
The syntax for port number links is
33060:3306 The example shown above maps port 33060 on
localhost to me
3306 in the target pod.
Specifying just one number, without colons, will interpret it as the local and remote port:
$ kubectl port-forward deployment/mysql 3306
You can leave the local port blank instead to set a random port automatically:
$ kubectl port-forward deployment/mysql :3306 Forwarding from 127.0.0.1:34923 -> 3306 Forwarding from [::1]:34923 -> 3306
Here you can use the randomly generated port number
34923 With your local MySQL client.
Change the listening address
Kubectl connects to the local port on
127.0.0.1 (IPv4) and
::1 (IPv6) by default. You can specify your own set of IP addresses instead by providing a file
--address Flag when playing a file
# Listen on two IPv4 addresses $ kubectl port-forward deployment/mysql :3306 --address 127.0.0.1,192.168.0.1
The tag only accepts IP addresses and
localhost keyword. The latter is interpreted to include
127.0.0.1 And the
::1matching the default settings of the command when
--address has been deleted.
Port forwarding is a useful technique for accessing private applications within the Kubernetes cluster. Kubectl transfers traffic from your local network to a specific port on a specific Pod. It is a relatively low-level mechanism that can handle any TCP connection. UDP port forwarding Not yet supported.
Using a custom port forwarding session is a safe way to debug workloads that don’t need to be exposed externally. Creating a service for each new deployment can allow hackers and attackers to discover which endpoints are meant to be protected. Port forwarding in Kubectl allows you to securely connect directly to your applications, without having to know which nodes they are running on.