Kubernetes RBAC Port Forward
The kubectl CLI tool has a really nice feature that lets you forward a local
port to a port inside a pod. For example, if you are running a Postgres server
or a web server, you usually can't reach it without exposing a NodePort or an
Ingress. Sometimes this is undesirable because you don't want to expose it to
the world, or you only need to reach the port for debugging.
The kubectl port-forward command lets you forward any port on a pod to your
local machine.
Local machine (8080) <---> Kubernetes <--> web (8080)
After setting up the port forward, you can point your web browser at http://localhost:8080
and the request is sent to the pod inside the Kubernetes cluster.
Usage:
kubectl port-forward POD [LOCAL_PORT:]REMOTE_PORT [...[LOCAL_PORT_N:]REMOTE_PORT_N] [options]
Listen on port 8888 locally, forwarding to 5000 in the pod
kubectl port-forward mypod 8888:5000
RBAC
To take this example even further, let's say you want to give a person access only to port-forward. You will have to create an RBAC Role that lets this person do only that:
The role:
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: my-namespace
  name: allow-port-forward
rules:
- apiGroups: [""]
  resources: ["pods", "pods/portforward"]
  verbs: ["get", "list", "create"]
This sets up a Role in the namespace my-namespace that allows get, list, and
create on pods and pods/portforward. These are all of the permissions needed
to allow someone to port-forward. This person will also be able to list the
pods in this namespace.
Then you bind this role to a user:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-port-forward
  namespace: my-namespace
subjects:
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: allow-port-forward
  # roleRef.apiGroup must be rbac.authorization.k8s.io for a Role or ClusterRole;
  # the API server rejects an empty string here
  apiGroup: rbac.authorization.k8s.io
This will give the user bob the rights to perform the above actions in the namespace my-namespace.
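As an added example that is not part of the original post, here is a Python re-implementation of the rule matching Kubernetes RBAC applies, evaluated against the Role above: a request is allowed when any rule matches its verb, apiGroup, resource and resourceName (including the `*` and `*/subresource` forms), and the report shows what the Role grants, including `create pods`, which port-forward does not need but this Role also allows. The rules list is transcribed from the Role manifest; the request set assumes that `kubectl port-forward POD` needs `get` on the pod and `create` on pods/portforward.

```python
# Added example, not code from the original post: a small re-implementation of the
# rule matching Kubernetes RBAC performs (any rule matching verb, apiGroup, resource
# and resourceName allows the request), evaluated against the Role defined above.
# ROLE_RULES is the Role's `rules:` list transcribed by hand.
ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/portforward"],
     "verbs": ["get", "list", "create"]},
]


def _rule_matches(rule, verb, group, resource, subresource, name):
    """One PolicyRule matches only if every part of the request matches."""
    combined = f"{resource}/{subresource}" if subresource else resource
    verb_ok = any(v in ("*", verb) for v in rule["verbs"])
    group_ok = any(g in ("*", group) for g in rule["apiGroups"])
    resource_ok = any(
        r == "*" or r == combined
        # a "*/portforward" style rule matches that subresource on any resource
        or (subresource and r == f"*/{subresource}")
        for r in rule["resources"])
    # resourceNames narrows a rule to specific objects; empty means all objects
    names = rule.get("resourceNames") or []
    name_ok = not names or name in names
    return verb_ok and group_ok and resource_ok and name_ok


def allowed(rules, verb, resource, subresource="", group="", name=""):
    """RBAC is additive: the request is allowed if ANY rule matches it."""
    return any(_rule_matches(r, verb, group, resource, subresource, name)
               for r in rules)


def port_forward_report(rules):
    """Evaluate the requests `kubectl port-forward POD` makes (get on the pod,
    create on pods/portforward) plus requests it does not need, so the reach
    of the Role is visible before binding it to a user."""
    checks = [
        ("get", "pods", ""),                # kubectl reads the pod first
        ("create", "pods", "portforward"),  # opens the forwarding stream
        ("list", "pods", ""),               # lets the user enumerate pods in the namespace
        ("create", "pods", ""),             # not needed to port-forward, but this Role grants it
        ("delete", "pods", ""),             # not granted
    ]
    return {f"{v} {r}/{s}" if s else f"{v} {r}": allowed(rules, v, r, s)
            for v, r, s in checks}


if __name__ == "__main__":
    for request, ok in port_forward_report(ROLE_RULES).items():
        print(f"{'yes' if ok else 'no':>3}  {request}")
```

On a live cluster the same questions can be asked of the API server with `kubectl auth can-i create pods/portforward --as bob -n my-namespace` (and `create pods`), which is the check to run before handing the binding to a user.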
Contact me if you have any questions about this or want to chat, happy to start a dialog or help out: blogs@managedkube.com