19

I couldn't find any information on wherever a connection creation between cluster's pod and locahost is encrypted when running "kubectl port-forward" command.

It seems like it uses "socat" library which supports encryption, but I'm not sure if kubernetes actually uses it.

Val
  • 381
  • 1
  • 3
  • 11

2 Answers2

11

As far as I know when you port-forward the port of choice to your machine kubectl connects to one of the masters of your cluster so yes, normally communication is encrypted. How your master communicate to the pod though is dependent on how you set up internal comms.

iomv
  • 2,409
  • 18
  • 28
  • 3
    I also did network sniffing with Wireshark and it did appear that traffic went through 443 port + packages didn't contain plain text which I tried to send via proxied traffic – Val Jun 01 '18 at 21:35
11

kubectl port-forward uses socat to make an encrypted TLS tunnel with port forwarding capabilities. The tunnel goes from you to the kube api-server to the pod so it may actually be 2 tunnels with the kube api-server acting as a pseudo router.

An example of where I've found it useful was that I was doing a quick PoC of a Jenkins Pipeline hosted on Azure Kubernetes Service and earlier in my Kubernetes studies I didn't know how to setup an Ingress, but I could reach the Server via port 80 unencrypted, but I knew my traffic could be snooped on. So I just did kubectl port-forward to temporarily login and securely to debug my POC. Also really helpful with RabbitMQ Cluster hosted on Kubernetes, you can go into the management webpage with kubectl port-forward and make sure that it's clustering the way you wanted it to.

Community
  • 1
  • 1
neoakris
  • 4,217
  • 1
  • 30
  • 32