KEP-5695: kubectl reverse port-forward #5697
Add reverse port-forwarding capability to kubectl, enabling pods to connect to services running on the developer's local machine. This addresses kubernetes/kubernetes#20227 which has been open since 2016 with significant community interest. Signed-off-by: Willian Paixao <[email protected]>
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: willianpaixao The full list of commands accepted by this bot can be found here.
Hi @willianpaixao. Thanks for your PR. I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Pull Request Overview
This PR introduces KEP-5695, which proposes adding reverse port-forwarding capability to kubectl port-forward. This feature would enable containers in Kubernetes pods to connect back to services running on a developer's local machine, similar to SSH's -R flag. This addresses a long-standing feature request from 2016 (issue #20227).
- Adds a new `--reverse` flag to `kubectl port-forward` for reverse tunneling
- Introduces protocol extensions to support bidirectional streaming between pods and local machines
- Includes comprehensive graduation criteria from alpha (v1.34) through GA (v1.36)
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| keps/sig-cli/5695-kubectl-reverse-port-forward/kep.yaml | Defines KEP metadata including feature gates (KubectlReversePortForward), milestones, and basic metrics configuration |
| keps/sig-cli/5695-kubectl-reverse-port-forward/README.md | Comprehensive KEP documentation covering motivation, design details, test plans, graduation criteria, and production readiness considerations |
|
|
||
| Metrics will expose: | ||
| - `kubectl_portforward_reverse_connections_total`: Counter of reverse port-forward connections | ||
| - `kubectl_portforward_reverse_active_connections`: Gauge of currently active connections |
Copilot (AI), Nov 18, 2025:
Inconsistent naming: the metric is called kubectl_portforward_reverse_active_connections in line 452 (Monitoring Requirements section), but this metric is not listed in the kep.yaml file (lines 44-46) where only kubectl_portforward_reverse_connections_total and kubectl_portforward_reverse_errors_total are defined. Either add this metric to kep.yaml or remove the reference here.
| - `kubectl_portforward_reverse_active_connections`: Gauge of currently active connections |
| - Metrics: | ||
| - `kubectl_portforward_reverse_connections_total` - labeled by status (success/failure) | ||
| - `kubectl_portforward_reverse_errors_total` - labeled by error type | ||
| - `kubectl_portforward_reverse_connection_duration_seconds` - histogram | ||
| - `kubelet_portforward_reverse_listeners_active` - gauge |
Copilot (AI), Nov 18, 2025:
Additional metrics are mentioned in the SLIs section (kubectl_portforward_reverse_connection_duration_seconds and kubelet_portforward_reverse_listeners_active) that are not listed in the kep.yaml metrics section (lines 44-46). All metrics that will be implemented should be documented in the kep.yaml file.
| **5. Implementation Components:** | ||
|
|
||
| - **Port Listener**: Create a TCP listener in the pod's network namespace | ||
| - Native Go implementation using netns library. |
Copilot (AI), Nov 18, 2025:
[nitpick] Spelling error: "netns library" should likely specify which library is being referred to. Consider clarifying this as "a Go network namespace library (such as vishvananda/netns)" or similar to be more explicit about the implementation approach.
| - Native Go implementation using netns library. | |
| - Native Go implementation using a Go network namespace library (such as [vishvananda/netns](https://github.com/vishvananda/netns)). |
| **Example:** | ||
| ```bash | ||
| # Run webhook locally | ||
| ./my-webhook --port 9443 | ||
|
|
||
| # Expose it to the API server pod | ||
| kubectl port-forward --reverse -n kube-system api-server-pod 9443:9443 | ||
|
|
||
| # Now the API server can call https://localhost:9443 for webhook validation | ||
| ``` |
Copilot (AI), Nov 18, 2025:
The API server pod example in this user story is not realistic. The API server does not run as a regular pod that can be accessed via kubectl port-forward in this manner. Consider using a more realistic example, such as a webhook server pod that needs to call a locally running service, or a sidecar proxy pod.
I think copilot is right on this
- Detail required unit tests and existing test infrastructure.
- Update E2E test requirements.
- Update Graduation Criteria to include enabling existing test stubs.
- Update Implementation History with test infrastructure preparation.

Signed-off-by: Willian Paixao <[email protected]>
Signed-off-by: Willian Paixao <[email protected]>
| 1. Establish a connection to the kubelet running the target pod | ||
| 2. Create a listener in the pod's network namespace on the specified remote port | ||
| 3. Forward incoming connections from that port back to kubectl | ||
| 4. kubectl will then forward these connections to the specified local port |
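Review bot: step 2 does not say which address the listener binds inside the pod's network namespace, and that choice decides who can reach the developer's local service: a loopback bind keeps it to processes in the pod, while a bind on all interfaces makes it reachable from anything that can route to the pod IP. Suggest stating the default bind address (loopback) explicitly in step 2 and, for step 1, stating that the kubelet applies the same authorization check to a reverse request as to a forward one, so audit and access control stay identical for both modes.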
have you checked how this works in detail?
I think that this is not as simple as you describe here, especially since there are parts that are implemented in the runtime itself
| # In another terminal, expose it to the pod | ||
| kubectl port-forward --reverse mypod 8080:8080 | ||
|
|
||
| # Now the pod can access http://localhost:8080 which goes to my local machine |
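Review bot: the command `kubectl port-forward --reverse mypod 8080:8080` does not say what happens when port 8080 is already bound inside mypod's network namespace, for example by another container in the pod; the user story should state that the kubelet refuses to create the listener with a clear error rather than shadowing the existing service or failing later, since a listener appearing on an in-use port is exactly what a workload owner would want reported. A one-line note after the command would cover it.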
does it mean that you go and connect to the pod and from the pod do a request to the server?
|
|
||
| **2. Kubelet Changes** (`pkg/kubelet/`): | ||
| - Extend PortForward API to support reverse mode | ||
| - Implement pod network namespace listener creation using `socat` or native Go listeners |
we removed the socat dependency, we should not bring it back
| - Establishes connections to local ports | ||
| - Forwards traffic bidirectionally | ||
|
|
||
| **2. Kubelet Changes** (`pkg/kubelet/`): |
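Review bot: "Establishes connections to local ports" should specify which local address kubectl dials. Documenting 127.0.0.1 as the default keeps the tunnel limited to services on the developer's own machine; if a host:port form like SSH's `-R` is planned, say so in this section and describe how the default stays narrow unless the user opts in.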
What type of PR is this?
/kind kep
What this PR does / why we need it:
Adds KEP for reverse port-forwarding in kubectl, addressing long-standing issue kubernetes/kubernetes#20227.
Which issue(s) this PR fixes:
Fixes #5695
Addresses kubernetes/kubernetes#20227
Special notes for your reviewer:
This KEP proposes adding `--reverse` flag to `kubectl port-forward` to enable
reverse tunneling (pod → local machine), similar to SSH's `-R` flag.
This has been a requested feature since 2016 and received a PoC implementation
in 2017 (PR kubernetes/kubernetes#57320) that was deferred pending SPDY deprecation.
/sig cli
/sig node