Using a pod as a jump host
I wanted to port-forward port 443 of a service to my local machine so that I could access it through my local browser. Since this service only allows connections from our Kubernetes cluster's NAT gateway IP (so only the pods can reach it), this wasn't directly possible.
However, if I could spin up a pod to act as a jump host, I would be able to port-forward from the whitelisted service to my pod and then on to my local machine. This is fairly easy to do with something like socat.
Jump Pod
We can use the amazing nicolaka/netshoot image to troubleshoot networking stuff in k8s; it comes with socat installed 😊 Here's the deployment manifest for reference (💡 you can drop the affinity section altogether; it was only needed for my setup because I wanted to pick specific nodes):
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tmp-shell
  namespace: your-namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tmp-shell
  template:
    metadata:
      labels:
        app: tmp-shell
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: topology.kubernetes.io/zone
                operator: In
                values:
                - "us-east-1b"
                - "us-east-1c"
      containers:
      - name: tmp-shell
        image: nicolaka/netshoot
        tty: true
        stdin: true
        command: ["/bin/bash"]
Port forward using Socat
Drop into the troubleshooting pod and forward traffic using socat (the fork option makes socat serve each incoming connection in its own child, so the browser can open more than one connection):
kubectl exec -it tmp-shell-xxxxxxx -- bash
socat TCP4-LISTEN:8080,fork TCP4:YOUR.IP.ADDRESS:443
Now all we need to do is port-forward from our pod to localhost 😊
kubectl port-forward tmp-shell-xxxxxxx 8081:8080
Now we can access the service in the browser at http://localhost:8081
💡 Make sure to change the ports accordingly.
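The whole flow above (find the pod, start the socat relay in it, port-forward to it) as one script. This is an added example, not code from the original post or from the netshoot project; it assumes kubectl is already pointed at the right cluster, that the tmp-shell Deployment from the manifest has been applied, and that NAMESPACE, TARGET_HOST and the port values are placeholders you replace. It also binds the relay to the pod's loopback, which the post's one-liner does not do.

```shell
#!/bin/sh
# Added example (not from the original post): drive the jump-pod port forward end to end.
# Assumptions: kubectl is configured for the target cluster, the tmp-shell Deployment
# exists in $NAMESPACE, and the values below are placeholders to be changed.
set -eu

NAMESPACE="${NAMESPACE:-your-namespace}"
TARGET_HOST="${TARGET_HOST:-YOUR.IP.ADDRESS}"   # service that only admits the cluster's NAT IP
TARGET_PORT="${TARGET_PORT:-443}"
POD_PORT="${POD_PORT:-8080}"                    # where socat listens inside the pod
LOCAL_PORT="${LOCAL_PORT:-8081}"                # where kubectl port-forward listens locally

# valid_port NUMBER -> status 0 if NUMBER is an integer in 1..65535, else 1.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# socat_cmd POD_PORT HOST PORT -> the relay command that runs inside the pod.
#   bind=127.0.0.1 : listen on the pod's loopback only, so other pods in the cluster
#                    cannot use this relay to reach the whitelisted service;
#                    kubectl port-forward still works because it connects through
#                    the pod's own loopback.
#   fork           : serve each browser connection in its own child process.
#   reuseaddr      : allow an immediate restart after a previous relay exits.
socat_cmd() {
  printf 'socat TCP4-LISTEN:%s,bind=127.0.0.1,fork,reuseaddr TCP4:%s:%s' "$1" "$2" "$3"
}

# find_pod -> name of a Running pod of the tmp-shell Deployment, selected by label
# rather than by guessing the generated name suffix.
find_pod() {
  kubectl -n "$NAMESPACE" get pod -l app=tmp-shell \
    --field-selector=status.phase=Running \
    -o jsonpath='{.items[0].metadata.name}'
}

cleanup() {
  kill "$relay_pid" 2>/dev/null || true
  # Closing the exec session does not reliably stop socat, so stop it explicitly.
  kubectl -n "$NAMESPACE" exec "$pod" -- pkill socat 2>/dev/null || true
}

main() {
  for p in "$TARGET_PORT" "$POD_PORT" "$LOCAL_PORT"; do
    valid_port "$p" || { echo "invalid port: $p" >&2; exit 1; }
  done
  kubectl -n "$NAMESPACE" rollout status deployment/tmp-shell --timeout=120s
  pod="$(find_pod)"
  [ -n "$pod" ] || { echo "no running tmp-shell pod in $NAMESPACE" >&2; exit 1; }

  # Start the relay inside the pod in the background and tear it down on exit.
  kubectl -n "$NAMESPACE" exec "$pod" -- \
    sh -c "$(socat_cmd "$POD_PORT" "$TARGET_HOST" "$TARGET_PORT")" &
  relay_pid=$!
  trap cleanup EXIT INT TERM
  sleep 2   # give socat a moment to bind before port-forward connects

  # LOCAL:POD mapping; stays in the foreground until Ctrl-C.
  kubectl -n "$NAMESPACE" port-forward "pod/$pod" "${LOCAL_PORT}:${POD_PORT}"
}

# Runs the flow only when invoked as: sh jump_pod.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it with `sh jump_pod.sh run`; without the `run` argument the file only defines the functions, so it can be sourced and checked. The `bind=127.0.0.1` option is the one design choice worth keeping even if you type the commands by hand: without it, the relay on port 8080 is reachable from every pod on the cluster network, which turns the temporary jump pod into an unauthenticated path to the whitelisted service for the whole cluster.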