What is Port Forwarding in K8s?
Port forwarding in Kubernetes creates a direct tunnel between your local machine and a pod/service in your Kubernetes cluster. It enables:
- Local access to cluster services
- Development and debugging
- Secure access without exposing services externally
Basic Syntax:
kubectl port-forward resource-type/resource-name local-port:container-port
# Resource Types:
- pod/my-pod
- svc/my-service
- deployment/my-deployment
How does this port-forward mechanism actually work in K8s?

Let’s break the flow:
1. Local Development Environment:
- The user executes a port-forward command on the local machine
- kubectl CLI processes the command
- Command format: kubectl port-forward pod/name 9095:8081
2. Authentication & Authorization:
- kubectl verifies credentials using kubeconfig
- Establishes a secure connection to the cluster
3. Kubernetes API Server:
- Validates the request
- Authorizes user access
- Routes request to the appropriate node
4. Node/Worker & kubelet:
- Node receives the forwarding request
- kubelet creates secure tunnel to pod
- Manages the connection lifecycle
5. Pod Network Space:
- Tunnel connects to specific pod
- Application/service receives traffic on port 8081
- Bi-directional communication established
This creates an end-to-end secure tunnel that allows:
- Local access through port 9095
- Direct communication with pod on port 8081
- Secure, encrypted traffic flow
- No external exposure to the service
Next, an example of how network traffic flows through a port-forward:

Local Port (9095):
- Entry point on your local machine
- Where you send requests from your local environment
- Example: http://localhost:9095
Bi-directional Traffic:
- Creates secure tunnel between local and pod
- Requests flow from local → pod
- Responses flow from pod → local
- All traffic is encrypted and secure.
Pod Port (8081):
- Where your application listens in the pod
- An application running on 8081
- Handles incoming requests
- Sends responses back through the tunnel
Common Use Cases
1. Debugging/Testing Services or Applications Locally:

For the above example, the application can access the internet using a load balancer.

- Use Case of Port-Forwarding: Developers can use port forwarding to access the petclinic-service directly from their local machine on localhost:9095 without needing an external load balancer or exposing the service publicly.
- It is helpful in testing and verifying application behaviour.
Let’s run the kubectl port-forward command and see what happens:
kubectl port-forward svc/petclinic-service -n petclinic-dev 9095:8081
The command kubectl port-forward svc/petclinic-service -n petclinic-dev 9095:8081 forwards traffic from local port 9095 to the service’s port 8081.


We can also test it from the local terminal:

We can access the application on the browser with localhost:


We can test the application pod also directly using port-forwarding:
kubectl port-forward pod/petclinic-app-79b9fd8bf5-8ftjv -n petclinic-dev 9090:8081
The command kubectl port-forward pod/petclinic-app-79b9fd8bf5-8ftjv -n petclinic-dev 9090:8081 forwards traffic from local port 9090 to port 8081 of the specific pod petclinic-app-79b9fd8bf5-8ftjv in the petclinic-dev namespace.

2. Database Connectivity for Local Development:
- Use Case: Connect to a database running in a Kubernetes cluster from a local development environment for queries or configuration.
- Example: Forward a local port to a database pod’s port.

We will do it for mysql-db now:
Use kubectl port-forward to Expose the MySQL Pod Locally
kubectl port-forward svc/mysql-service -n petclinic-dev :3306
Note:
You don’t explicitly specify the local port. Kubernetes will randomly choose an available port.
The : before 3306 means Kubernetes will dynamically assign a local port on your machine to forward traffic to port 3306 of the mysql-service in the petclinic-dev namespace.

In the above example, k8s assigned port 34159 randomly.
How to Connect to MySQL:
You can connect to the MySQL database on your cluster using the dynamically assigned port 34159.

In this way, we can access the database pod locally and securely using port forwarding.
port-forward --address Flag:
By default, port forwarding binds only to 127.0.0.1 (localhost). The --address flag allows you to specify which network interfaces the forwarding should listen on.
Use Case: Exposes a pod’s application for testing or sharing with others on the same network.
Usage:
kubectl port-forward --address 0.0.0.0 pod/pod-name local-port:pod-port
Example:
kubectl port-forward svc/petclinic-service -n petclinic-dev --address 0.0.0.0 9099:8081
In This Command:
- --address 0.0.0.0 makes the port accessible on all network interfaces, enabling external devices to connect using your machine’s IP address.
When to Use --address 0.0.0.0:
- Default Behavior: Without this flag, the forwarding is accessible only from localhost (your machine).
Use Case:
- If you need to provide external access to the application, such as for testing by teammates or on other devices, use --address 0.0.0.0.
Security Group or Firewall Configuration:
For the above example, if you’re running this command on a cloud instance, ensure the security group or firewall allows inbound traffic to port 9099.

Testing Access:
Now I can access the application using that server IP Address with port 9099:


Note:
By binding to 0.0.0.0, any device that can reach your machine (based on your network and firewall rules) can connect to the forwarded port.
Best Practices:
- Use this only in trusted networks.
- Restrict access by configuring firewalls or security groups.
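A quick way to check a workstation or jump host for forwards left bound beyond loopback, as an added example that is not part of the original article. It assumes Linux with iproute2's ss; the function name exposed_forwards and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list kubectl port-forward listeners that are reachable from
# other hosts, i.e. bound to anything other than 127.0.0.0/8 or [::1].

# Constructed sample of `ss -H -ltnp` output. Columns are:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:9095 0.0.0.0:* users:(("kubectl",pid=4121,fd=8))
LISTEN 0 4096 [::1]:9095 [::]:* users:(("kubectl",pid=4121,fd=9))
LISTEN 0 4096 0.0.0.0:9099 0.0.0.0:* users:(("kubectl",pid=4310,fd=8))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))'

exposed_forwards() {
  # stdin: output of `ss -H -ltnp`
  # stdout: "<pid> <local-address:port>" for each non-loopback kubectl listener
  awk '
    /users:\(\("kubectl"/ {
      addr = $4
      host = addr
      sub(/:[0-9]+$/, "", host)                 # strip the trailing :port
      if (host ~ /^127\./ || host == "[::1]")   # the default, loopback-only bind
        next
      pid = $0
      sub(/.*pid=/, "", pid)                    # keep what follows "pid="
      sub(/,.*/, "", pid)                       # ...up to the next comma
      print pid, addr
    }'
}

# Run against the constructed sample; only the --address 0.0.0.0 forward
# on port 9099 is reported.
printf '%s\n' "$SAMPLE_SS" | exposed_forwards

# On a live machine:
#   ss -H -ltnp | exposed_forwards
```

Any line it prints is a forward that other machines can reach; stop that kubectl process or restart it without --address once the shared test is finished.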
Conclusion:
Port forwarding in Kubernetes (kubectl port-forward) is a crucial development tool that creates a secure tunnel between your local machine and cluster resources. It’s like having a private, encrypted pathway to your services without exposing them to the Internet.
Key Takeaways:
- Simple Syntax: kubectl port-forward <resource> <local-port>:<target-port>
- Secure Access: Direct, encrypted connection to pods and services
- Development Friendly: Test and debug without cluster modifications
- Versatile Use: Works with any service — web apps, databases, APIs
Remember: While port forwarding is perfect for development and debugging, it’s not intended for production use.
For more insights into the world of technology and data, visit subbutechops.com. There’s plenty of exciting content waiting for you to explore!
Thank you for reading, and happy learning! 🚀

great work nice explanation given ..