How to access a remote Kubernetes application using Kubectl Port Forwarding

Kubernetes logo graphic

Need to debug an application running within a Kubernetes cluster? Port forwarding is a way to connect to Pods that are not publicly accessible. You can use this technique to inspect databases, monitoring tools, and other applications that you want to publish internally without a public path.

Shipping port is Built in Kubectl. The CLI can initiate tunneling sessions that redirect traffic on local ports to Pods in your Kubernetes cluster. Here’s how to set it up.

How does port forwarding work

Port forwarding is a type of Network Address Translation (NAT) rule that directs traffic from one network to another. In the context of Kubernetes, requests that appear to be terminated by localhost to your group’s intranet.

Port forwarding works at the port level only. You direct a specific port like 33060 to a target port like 3306 in the destination network. When you send traffic to your local port 33060it will be automatically redirected to the port 3306 at the far end.

This technology allows you to access private Kubernetes workloads that are not detected by a file NodePort, loginor LoadBalancer. You can route local traffic directly to your cluster, eliminating the need to create Kubernetes services for your internal workloads. This helps reduce your attack surface.

Publish a sample application

Let’s now see Kubernetes port forwarding in action. Start by creating a basic deployment that you will connect to using port forwarding in the next section.

We use the MySQL database pod as a real-world example of when you might need to use this technique. Databases are not usually public, so Kubernetes administrators often use port forwarding to open a direct connection.

Create a YAML file for your post:

apiVersion: apps/v1
kind: Deployment
  name: mysql
      app: mysql
        app: mysql
      - image: mysql:8.0
        name: mysql
        - name: MYSQL_ROOT_PASSWORD
          value: mysql

Make sure to change the value of a file MYSQL_ROOT_PASSWORD environment variable before using this statement in production. Being kubectl apply To create your own MySQL deployment:

$ kubectl apply -f mysql.yaml
deployment.apps/mysql created

Next, use a file get pods A command to verify that the workload has started successfully:

$ kubectl get pods
NAME                     READY   STATUS    RESTARTS   AGE
mysql-5f54dd5789-t5fzc   1/1     Running   0          2s

Using Kubectl in Port Forward to Kubernetes

Even though MySQL is now running in your cluster, you have no way to access it from outside. Next, set up a port forwarding session so you can use local installs of tools like mysql CLI to connect to your database.

Here’s a simple example:

$ kubectl port-forward deployment/mysql 33060:3306
Forwarding from -> 3306
Forwarding from [::1]:33060 -> 3306

Connections to port 33060 will be routed to port 3306 against the Pod that is running MySQL deployment. You can now start a MySQL shell session targeting your Kubernetes database:

$ mysql --host --port 33060 -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 8.0.29 MySQL Community Server - GPL

Keep the shell window that is running a file kubectl port-forward The command is open for the duration of the debug session. Port forwarding will be terminated when you press Ctrl + C or close the window.

Change local and remote port numbers

The syntax for port number links is local:remote. The 33060:3306 The example shown above maps port 33060 on localhost to me 3306 in the target pod.

Specifying just one number, without colons, will interpret it as the local and remote port:

$ kubectl port-forward deployment/mysql 3306

You can leave the local port blank instead to set a random port automatically:

$ kubectl port-forward deployment/mysql :3306
Forwarding from -> 3306
Forwarding from [::1]:34923 -> 3306

Here you can use the randomly generated port number 34923 With your local MySQL client.

Change the listening address

Kubectl connects to the local port on (IPv4) and ::1 (IPv6) by default. You can specify your own set of IP addresses instead by providing a file --address Flag when playing a file port-forward ordering:

# Listen on two IPv4 addresses
$ kubectl port-forward deployment/mysql :3306 --address,

The tag only accepts IP addresses and localhost keyword. The latter is interpreted to include And the ::1matching the default settings of the command when --address has been deleted.


Port forwarding is a useful technique for accessing private applications within the Kubernetes cluster. Kubectl transfers traffic from your local network to a specific port on a specific Pod. It is a relatively low-level mechanism that can handle any TCP connection. UDP port forwarding Not yet supported.

Using a custom port forwarding session is a safe way to debug workloads that don’t need to be exposed externally. Creating a service for each new deployment can allow hackers and attackers to discover which endpoints are meant to be protected. Port forwarding in Kubectl allows you to securely connect directly to your applications, without having to know which nodes they are running on.

Source link

Related Posts