blob: 54ad5dbb1888be0de6da312b1332fd69a4c9cefa [file] [log] [blame] [edit]
// Package revportforward establishes a reverse port-forward from a kubernetes
// pod to localhost.
// Setting up a port-forward from a kubernetes pod is simple:
// $ kubectl port-forward mypod 8888:5000
// The above will setup a port-forward, i.e. it will listen on port 8888
// locally, forwarding the traffic to 5000 in the pod named "mypod".
// What is more involved is setting up a port-forward in the reverse direction,
// which this code does.
// Note that for this to work, netcat (nc) must be installed in the pod.
// The code works by running netcat (nc) in the pod in listen mode and then
// connects the exec streams to local target address.
// This also support having ncrev installed on the pod, a safer version of nc in
// that it checks that there are no other listeners on the given port before
// starting.
package revportforward
import (
v1 ""
// ReversePortForward creates reverse port-forwards to pods running in a
// kubernetes cluster.
type ReversePortForward struct {
config *rest.Config
localaddress string
useNcRev bool
// New returns a new RevPortForward instance.
// kubeconfig - The contents of the kubeconfig file.
// podName - The name of the pod found in the cluster pointed to by the kubeconfig file.
// podPort - The port to forward from within the pod.
// localaddress - The address we want the incoming connection to be forwarded
// to, something like "localhost:22"
func New(kubeconfig []byte, localaddress string, useNcRev bool) (*ReversePortForward, error) {
var kubeConfigGetter clientcmd.KubeconfigGetter = func() (*api.Config, error) {
return clientcmd.Load(kubeconfig)
config, err := clientcmd.BuildConfigFromKubeconfigGetter("", kubeConfigGetter)
if err != nil {
return nil, skerr.Wrapf(err, "Failed to initialize from kubeconfig: %s", string(kubeconfig))
return &ReversePortForward{
config: config,
localaddress: localaddress,
useNcRev: useNcRev,
}, nil
// Start a reverse port-forward. This function does not return as long as an
// active connection exists.
// Note that as connections are made and then closed this function may return,
// so it should be called from within a loop, e.g.:
// for {
// if err := rpf.Start(ctx); err != nil {
// sklog.Error(err)
// }
// }
func (r *ReversePortForward) Start(ctx context.Context, podName string, podPort int) error {
// First start a connection to the localaddress.
var d net.Dialer
// If the Context is cancelled then this connection should close, which
// should cause exec.Stream() below to exit, in theory, but it probably
// won't:
conn, err := d.DialContext(ctx, "tcp", r.localaddress)
if err != nil {
return skerr.Wrapf(err, "Failed to connect to localaddress: %s", r.localaddress)
// Then execute netcat (nc) on the pod.
clientset, err := kubernetes.NewForConfig(r.config)
if err != nil {
cmd := []string{
fmt.Sprintf("nc -vv -l -p %d", podPort),
if r.useNcRev {
hostname, _ := os.Hostname() // If hostname errs then use the empty string.
cmd = []string{
fmt.Sprintf("ncrev --port=:%d --machine=%s", podPort, hostname),
req := clientset.CoreV1().RESTClient().Post().Resource("pods").Name(podName).Namespace("default").SubResource("exec")
option := &v1.PodExecOptions{
Command: cmd,
Stdin: true,
Stdout: true,
Stderr: false,
TTY: false,
exec, err := remotecommand.NewSPDYExecutor(r.config, "POST", req.URL())
if err != nil {
return skerr.Wrapf(err, "Failed to run netcat on the pod: %q", podName)
// exec.Stream will not return until the connection is broken.
err = exec.Stream(remotecommand.StreamOptions{
Stdin: conn,
Stdout: conn,
if err != nil {
return skerr.Wrapf(err, "Stream connection failed.")
return nil