Use a SOCKS5 Proxy to Access the Kubernetes API

    This page shows how to use a SOCKS5 proxy to access the API of a remote Kubernetes cluster. This is useful when the cluster you want to access does not expose its API directly on the public internet.

    You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using or you can use one of these Kubernetes playgrounds:

    Your Kubernetes server must be at or later than version v1.24. To check the version, enter kubectl version.

    You need SSH client software (the ssh tool), and an SSH service running on the remote server. You must be able to log in to the SSH service on the remote server.

    Task context

    Note: This example tunnels traffic using SSH, with the SSH client and server acting as a SOCKS proxy. You can instead use any other kind of SOCKS5 proxies.

    • You have a client computer, referred to as local in the steps ahead, from where you’re going to create requests to talk to the Kubernetes API.
    • The Kubernetes server/API is hosted on a remote server.
    • You will use SSH client and server software to create a secure SOCKS5 tunnel between the local and the remote server. The HTTPS traffic between the client and the Kubernetes API will flow over the SOCKS5 tunnel, which is itself tunnelled over SSH.

    graph LR; subgraph local[Local client machine] client([client])— local
    traffic .-> local_ssh[Local SSH
    SOCKS5 proxy]; end local_ssh[SSH
    SOCKS5
    proxy]— SSH Tunnel —>sshd subgraph remote[Remote server] sshd[SSH
    server]— local traffic —>service1; end client([client])-. proxied HTTPs traffic
    going through the proxy .->service1[Kubernetes API]; classDef plain fill:#ddd,stroke:#fff,stroke-width:4px,color:#000; classDef k8s fill:#326ce5,stroke:#fff,stroke-width:4px,color:#fff; classDef cluster fill:#fff,stroke:#bbb,stroke-width:2px,color:#326ce5; class ingress,service1,service2,pod1,pod2,pod3,pod4 k8s; class client plain; class cluster cluster;

    JavaScript must be to view this content

    Figure 1. SOCKS5 tutorial components

    The following command starts a SOCKS5 proxy between your client machine and the remote SOCKS server:

    The SOCKS5 proxy lets you connect to your cluster’s API server based on the following configuration:

    • -D 1080: opens a SOCKS proxy on local port :1080.
    • -q: quiet mode. Causes most warning and diagnostic messages to be suppressed.
    • -N: Do not execute a remote command. Useful for just forwarding ports.
    • username@kubernetes-remote-server.example: the remote SSH server behind which the Kubernetes cluster is running (eg: a bastion host).

    Client configuration

      To always use this setting on a specific kubectl context, specify the attribute in the relevant cluster entry within the ~/.kube/config file. For example:

      Once you have created the tunnel via the ssh command mentioned earlier, and defined either the environment variable or the proxy-url attribute, you can interact with your cluster through that proxy. For example:

      1. kubectl get pods

      Note:

      • Before kubectl 1.24, most kubectl commands worked when using a socks proxy, except kubectl exec.

      • kubectl supports both HTTPS_PROXY and https_proxy environment variables. These are used by other programs that support SOCKS, such as curl. Therefore in some cases it will be better to define the environment variable on the command line:

      • When using proxy-url, the proxy is used only for the relevant kubectl context, whereas the environment variable will affect all contexts.

      • The k8s API server hostname can be further protected from DNS leakage by using the socks5h protocol name instead of the more commonly known socks5 protocol shown above. In this case, kubectl will ask the proxy server (such as an ssh bastion) to resolve the k8s API server domain name, instead of resolving it on the system running kubectl. Note also that with socks5h, a k8s API server URL like https://localhost:6443/api does not refer to your local client computer. Instead, it refers to localhost as known on the proxy server (eg the ssh bastion).

      Type unset https_proxy in a terminal to stop forwarding http traffic through the proxy.

      Further reading