How to Access a Remote Kubernetes Application With Kubectl Port Forwarding

4 days ago 17

Graphic with the Kubernetes logo

Need to debug an exertion moving wrong your Kubernetes cluster? Port forwarding is simply a mode to link to Pods that aren’t publically accessible. You tin usage this method to inspect databases, monitoring tools, and different applications which you privation to deploy internally without a nationalist route.

Port forwarding is built into Kubectl. The CLI tin commencement tunneling sessions that redirect postulation connected section ports to Pods successful your Kubernetes cluster. Here’s however to get it acceptable up.

How Port Forwarding Works

Port forwarding is simply a benignant of web code translation (NAT) regularisation that routes postulation from 1 web into another. In the discourse of Kubernetes, requests that look to beryllium terminated by localhost are redirected to your cluster’s interior network.

Port forwarding lone operates astatine the larboard level. You nonstop a circumstantial larboard similar 33060 to a people larboard specified arsenic 3306 successful the destination network. When you nonstop postulation to your section larboard 33060, it volition beryllium forwarded automatically to larboard 3306 astatine the distant end.

This method lets you entree backstage Kubernetes workloads that aren’t exposed by a NodePort, Ingress, oregon LoadBalancer. You tin nonstop section postulation consecutive into your cluster, removing the request to make Kubernetes services for your interior workloads. This helps to trim your onslaught surface.

Deploying a Sample Application

Let’s present spot Kubernetes larboard forwarding successful action. Begin by creating a basal deployment that you’ll link to utilizing larboard forwarding successful the adjacent section.

We’re utilizing a MySQL database Pod arsenic a realistic illustration of erstwhile you mightiness request to usage this technique. Databases aren’t usually exposed publically truthful Kubernetes admins often usage larboard forwarding to unfastened a nonstop connection.

Create a YAML record for your deployment:

apiVersion: apps/v1 kind: Deployment metadata: name: mysql spec: selector: matchLabels: app: mysql template: metadata: labels: app: mysql spec: containers: - image: mysql:8.0 name: mysql env: - name: MYSQL_ROOT_PASSWORD value: mysql

Make definite you alteration the worth of the MYSQL_ROOT_PASSWORD situation adaptable earlier utilizing this manifest successful production. Run kubectl use to make your MySQL deployment:

$ kubectl use -f mysql.yaml deployment.apps/mysql created

Next usage the get pods bid to cheque the workload’s started successfully:

$ kubectl get pods NAME READY STATUS RESTARTS AGE mysql-5f54dd5789-t5fzc 1/1 Running 0 2s

Using Kubectl to Port Forward to Kubernetes

Although MySQL’s present moving successful your cluster, you’ve got nary mode of accessing it from outside. Next acceptable up a larboard forwarding league truthful you tin usage your section installations of tools similar the mysql CLI to link to your database.

Here’s a elemental example:

$ kubectl port-forward deployment/mysql 33060:3306 Forwarding from -> 3306 Forwarding from [::1]:33060 -> 3306

Connections to larboard 33060 volition beryllium directed to larboard 3306 against the Pod moving your MySQL deployment. You tin present commencement a MySQL ammunition league that targets your database successful Kubernetes:

$ mysql --host --port 33060 -u basal -p Enter password: Welcome to the MySQL monitor. Commands extremity with ; oregon \g. Your MySQL transportation id is 10 Server version: 8.0.29 MySQL Community Server - GPL

Keep the ammunition model that’s moving the kubectl port-forward bid unfastened for the duration of your debugging session. Port forwarding volition beryllium terminated erstwhile you property Ctrl+C oregon adjacent the window.

Changing the Local and Remote Port Numbers

The syntax for the larboard fig bindings is local:remote. The 33060:3306 illustration shown supra maps larboard 33060 connected localhost to 3306 successful the people Pod.

Specifying lone 1 number, without a colon, volition construe it arsenic some the section and distant port:

$ kubectl port-forward deployment/mysql 3306

You whitethorn permission the section larboard blank alternatively to automatically delegate a random port:

$ kubectl port-forward deployment/mysql :3306 Forwarding from -> 3306 Forwarding from [::1]:34923 -> 3306

Here you’d usage the randomly generated larboard fig 34923 with your section MySQL client.

Changing the Listening Address

Kubectl binds the section larboard connected the (IPv4) and ::1 (IPv6) addresses by default. You tin specify your ain acceptable of IPs alternatively by supplying an --address emblem erstwhile you tally the port-forward command:

# Listen connected 2 IPv4 addresses $ kubectl port-forward deployment/mysql :3306 --address,

The emblem lone accepts IP addresses and the localhost keyword. The second is interpreted to see and ::1, matching the command’s defaults erstwhile --address is omitted.


Port forwarding is simply a utile method to entree backstage applications wrong your Kubernetes cluster. Kubectl tunnels postulation from your section web to a circumstantial larboard connected a peculiar Pod. It’s a comparatively low-level mechanics that tin grip immoderate TCP connection. UDP larboard forwarding is not yet supported.

Using an ad-hoc larboard forwarding league is simply a harmless mode to debug workloads that don’t request to beryllium exposed externally. Creating a work for each caller deployment could let intruders and attackers to observe endpoints that are meant to beryllium protected. Port forwarding successful Kubectl lets you securely link consecutive to your applications, without having to enactment retired which Nodes they’re moving on.

Read Entire Article