Score:0

K8s Port Forwarding via kubectl and socat

cn flag

My k8s pod is connecting to a certain https target. This target is not reachable from my local machine, so I wanted to use kubectl proxy + socat to make that target available on my local machine for local development.

The problem is that I can't even get socat working and I'm very confused why.

First I check connection to target on my pod:

curl -v -k https://target/rest/
Trying 54.136.137.42:443...
* TCP_NODELAY set

[...]

{"message":"key header missing"}

This message is the default response from target when one doesn't provide authentication information, so everything is ok.

Now I use socat with local port 1234:

socat tcp-listen:1234,reuseaddr,fork tcp:target:443

But when I now try to curl the target, I just get a 404, just as if socat was never started. Should that work? Do I use socat wrongly? Does it have something to do with TLS?

HTTP:

curl -v -k http://localhost:1234/rest/
*   Trying ::1:1234...
* TCP_NODELAY set
* connect to ::1 port 1234 failed: Connection refused
*   Trying 127.0.0.1:1234...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1234 (#0)
> GET /rest/ HTTP/1.1
> Host: localhost:1234
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Mon, 17 Jul 2023 07:49:05 GMT
< Content-Length: 19
< 404 page not found
* Connection #0 to host localhost left intact

HTTPS:

curl -v -k https://localhost:1234/rest/
*   Trying ::1:1234...
* TCP_NODELAY set
* connect to ::1 port 1234 failed: Connection refused
*   Trying 127.0.0.1:1234...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1234 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=DE; ST=NRW; L=Munich; O=AG; CN=digital-int.app.intra.net
*  start date: Dec  2 08:20:52 2021 GMT
*  expire date: Dec  2 08:20:52 2023 GMT
*  issuer: C=DE; O=AG; CN=Corp-Issuing-CA01-G2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5997a85d52f0)
> GET /rest/ HTTP/2
> Host: localhost:1234
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 404
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< content-length: 19
< date: Mon, 17 Jul 2023 11:40:36 GMT
<
404 page not found
* Connection #0 to host localhost left intact
jp flag
The last curl has `http://` instead of `https://`.
dontspeak avatar
cn flag
I tried it already before, basically it's the same, a 404 is returned. `curl -v -k https://localhost:1234/rest/ * Trying ::1:1234... * TCP_NODELAY set [...] * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * Connection state changed (MAX_CONCURRENT_STREAMS == 250)! < HTTP/2 404 < content-type: text/plain; charset=utf-8 < x-content-type-options: nosniff < content-length: 19 < date: Mon, 17 Jul 2023 10:15:03 GMT < 404 page not found * Connection #0 to host localhost left intact`
jp flag
It shows connection to IPv6 `::1:1234` while your `socat` listens on IPv4 `127.0.0.1:1234`
dontspeak avatar
cn flag
That's also not the root cause, curl just tries IPv6 first, then IPv4, see above curl output
jp flag
The `curl` output you posted as a comment doesn't show a connection to `127.0.0.1`. Update your question with the proper output without random editing.
dontspeak avatar
cn flag
I removed parts because the output was way too long for a comment, I will update the question with the https curl
Score:0
jp flag

It looks like socat is working as intended. You are getting 404 because the request sent to the target contains `Host: localhost:1234`. You need to modify your curl command as follows:

curl -v -k https://target/rest/ --connect-to target:443:127.0.0.1:1234

dontspeak avatar
cn flag
Well this call works (thx so far) but tbh now I'm totally confused. My aim is to locally be able to call a service running under `https://target/rest`. `https://target/rest` is only accessible from the pod, and *not accessible* from my local laptop. So after having that service available on the pod at `localhost:1234`, on my laptop I wanted to start `kubectl port-forward podname 1234:5678` to finally be able to call the service on my laptop via `https://localhost:5678`. I hope I have explained that now well.
jp flag
You can override the hostname for `target` to `127.0.0.1` permanently in the `/etc/hosts`.
dontspeak avatar
cn flag
Actually I got it working now by setting the host via -H. I can do the same accordingly in Postman or my http class in Java code. The wrong "Host: localhost:1234" http header actually was the reason. Thank you so much!
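
Why the `Host` header, and not socat, produced the 404, shown as an added example that is not part of the original thread: a byte-for-byte TCP relay in front of a constructed server that routes on the host name. The `VHost` server, its status codes and all helper names are assumptions for illustration; the demo uses plain HTTP, so the TLS SNI that `--connect-to` also preserves is not modelled.

```python
import http.client, socket, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class VHost(BaseHTTPRequestHandler):
    """Constructed stand-in for the target: routes on the Host header."""
    def do_GET(self):
        known = self.headers.get("Host", "").split(":")[0] == "target"
        body = b'{"message":"key header missing"}' if known else b"404 page not found"
        self.send_response(200 if known else 404)  # status codes are assumed
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the demo quiet

def pump(src, dst):
    """Copy bytes one way until EOF; nothing is inspected or rewritten."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def relay(listener, upstream_addr):
    """Minimal equivalent of: socat tcp-listen:PORT,fork tcp:HOST:PORT"""
    while True:
        client, _ = listener.accept()
        upstream = socket.create_connection(upstream_addr)
        for a, b in ((client, upstream), (upstream, client)):
            threading.Thread(target=pump, args=(a, b), daemon=True).start()

def start():
    """Start the fake target and the relay; return the relay's port."""
    server = HTTPServer(("127.0.0.1", 0), VHost)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=relay, args=(listener, server.server_address), daemon=True).start()
    return listener.getsockname()[1]

def get(port, host_header):
    """GET /rest/ through the relay with an explicit Host header."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/rest/", headers={"Host": host_header})
    resp = conn.getresponse()
    return resp.status, resp.read().decode()

if __name__ == "__main__":
    port = start()
    print(get(port, f"localhost:{port}"), get(port, "target"))
```

The relay here listens on 127.0.0.1 only; socat's `tcp-listen` accepts `bind=127.0.0.1` for the same effect, which keeps the forwarded target off the pod network while still working with `kubectl port-forward`.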