DEV Community

Bryan Sazon

kubectl port-forward External Services using TCP Proxy in Kubernetes

Synopsis

It is common that some of your Workloads connect to external services such as databases that run outside your Kubernetes Cluster. These external services are usually secured and deployed in a private subnet.

My team currently uses Google Kubernetes Engine, and we use GCP Memorystore (Redis as a Service) for caching. For us to access Memorystore securely, we would have to provision a VM to act as a bastion host, but we found a better approach.

Port-forwarding with TCP Proxy

All our services run in Kubernetes, and as much as possible we want to stick with the kubectl-everything workflow when dealing with our services. Thanks to tecnativa/tcp-proxy, TCP proxying is really easy with Docker.

So basically, any external services that our Kubernetes Cluster can access can also be accessed locally by deploying this sucker.

WARNING: This can be a security flaw in your case, but not for us.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: redis-proxy
  name: redis-proxy
  namespace: default
spec:
  selector:
    matchLabels:
      app: redis-proxy
  template:
    metadata:
      labels:
        app: redis-proxy
    spec:
      containers:
      - image: tecnativa/tcp-proxy:latest
        imagePullPolicy: Always
        env:
          - name: LISTEN
            value: ":6379" # Address and port the proxy listens on inside the Pod.
          - name: TALK
            value: "10.1.1.5:6379" # Private address of Memorystore.
        name: redis-proxy
        resources:
          requests:
            cpu: 10m
            memory: 10Mi
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      securityContext: {}

With the tcp-proxy deployed, we can now just port-forward the tcp-proxy Pod.

kubectl port-forward deployment/redis-proxy 6379:6379

And access Memorystore locally using redis-cli.

redis-cli -p 6379
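
One way to narrow the exposure the warning above refers to, as an added example that is not part of the original post: by default the proxy Pod accepts connections from any other workload in the cluster, and anyone allowed to port-forward to it reaches Memorystore. The example assumes the Deployment runs in a dedicated namespace named cache-proxy and that operators belong to a group named cache-operators; both names are hypothetical.

```yaml
# Added example, not from the original post.
# Assumed (hypothetical) names: namespace "cache-proxy", group "cache-operators".
---
# 1. Deny all in-cluster ingress to the proxy Pod so other workloads cannot use
#    it as a hop to Memorystore. Needs a CNI plugin that enforces NetworkPolicy.
#    Assumption to verify on your cluster: kubectl port-forward keeps working,
#    because it connects from inside the Pod's own network namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: redis-proxy-deny-ingress
  namespace: cache-proxy
spec:
  podSelector:
    matchLabels:
      app: redis-proxy
  policyTypes:
    - Ingress            # no ingress rules listed, so nothing is allowed in
---
# 2. Grant what kubectl port-forward needs, in this namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: redis-proxy-port-forward
  namespace: cache-proxy
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/portforward"]
    verbs: ["create"]
---
# 3. Bind the Role to the single group that should reach Memorystore this way.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: redis-proxy-port-forward
  namespace: cache-proxy
subjects:
  - kind: Group
    name: cache-operators
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: redis-proxy-port-forward
  apiGroup: rbac.authorization.k8s.io
```

Cluster-wide bindings that already include pods/portforward still apply, so review those as well.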
