New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use cases for kubectl port-forward #25113
Comments
cc @kubernetes/rh-cluster-infra |
This is essentially a debugging tool. If you need to connect to a port in your pod and you don't ever want to expose that port via a service or via ingress, you'll need to use port forwarding to get temporary access to that port. One good example is connecting to the JVM debugging port for remote debugging of Java processes. |
We should be able to achieve the same by @euank @sjpotter Actually found the PortForward is broken for rkt today, as the PID of the pod returned by rkt api service is not the PID1 of the pod, (it's changed to the pid of nspawn/kvm) so it does not hold the namespace now. |
Yes, supporting this for normal Linux containers should not be a problem. This, however, might be a problem for hypervisors and windows? AFAIK, hyper doesn't support this (@feiskyer, correct me if I am wrong). This is a "pod-level" feature that is not tied to a specific container, so it'd be good to figure out how and whether we are going to support it as part of the sandbox operation proposed in the doc. |
This would make for a much less friendly UX. Also, I know our users would be unhappy if we suggested that port forwarding was going away. |
This is a very common way to debug and diagnose both development and production features. I would love to have a more generalized framework for executing in-container helpers (injected static binaries that can evolve differently from the container runtime), especially to decouple them from the kubelet. |
s/features/applications/ |
@yujuhong Right, Hyper doesn't support port-forward.
@smarterclayton Could we achieve this by some wrapping on ExecInContainer? |
It's not that simple. You have to bind to local ports so you can accept connections from local clients, and then you need to get the data copied between the client and the pod. Right now we do client -> |
The ideal would be "client -> api server -> kubelet -> launch process in The "standard process" could be a process inside the VM or out, just as On Tue, May 3, 2016 at 9:35 PM, Andy Goldstein notifications@github.com
|
It can also be used as a means to run once-off deployment/migration/analytics type jobs against a service which should not generally be exposed (e.g. for security reasons). You might argue that it's better for these jobs to run on K8, not on a developer's machine, but I don't think that level of overhead is always warranted / desired, and it certainly can't replace interactive sessions (e.g. poking around in sql workbench). Those sorts of usecases might also fall under "debugging" in your book, and could also be solved with ssh portforwarding usually, but I don't think that means K8 shouldn't know how to do this. |
I think there are a few questions mixed in this discussion:
|
FYI: @smarterclayton is suggesting a runtime agnostic solution in #25113 (comment) |
+1 on @smarterclayton's solution at #25113 (comment) |
In practice we have all the tools to do that today. Maybe something we On Mon, May 9, 2016 at 2:14 PM, Dawn Chen notifications@github.com wrote:
|
Alright, so the plan is to drop this from the container runtime interface/api, and implement the function in kubelet. Thanks for the inputs! |
i assume we can only drop it when we validate that we can support the alternate route? for example, we can't move to container runtime until we have port fowarding using the alternate proposal? |
How do we handle traffic from "client -> listening process in container context" - does it still go through the apiserver? Or using Ingress somehow? Otherwise I don't see how we go from an external client to a pod. |
client -> apiserver -> listening process in container context On Tue, Jun 7, 2016 at 3:28 PM, Andy Goldstein notifications@github.com
|
@ncdc I don't think you can or should avoid the api server because that is the access control for this one time debugging task thingie. Did you have a different design in mind? |
No, I just wanted to make sure I understood the suggested design On Wednesday, June 8, 2016, Brandon Philips notifications@github.com
|
Yeah, the redirect would be from kubelet -> listening process, which would On Wed, Jun 8, 2016 at 7:41 AM, Andy Goldstein notifications@github.com
|
Cross-referencing comments: https://github.com/kubernetes/kubernetes/pull/25899/files#r66263302 |
@ncdc @dcbw, would any of you be willing to pick up this and try exploring the suggested solution in #25113 (comment)? Thanks in advance anyway. |
I can pick it up On Mon, Jul 11, 2016 at 2:30 PM, Yu-Ju Hong notifications@github.com
|
Thanks! |
cc @lukasredynk |
This is subsumed by #29579 |
As we are figuring out the next-version container runtime interface, I'd like to gather some feedback on existing features we support.
The description of kubectl port-forward is here.
What are the existing use cases? Is this feature mainly used for debugging?
/cc @kubernetes/sig-node
/cc @thockin @vishh
The text was updated successfully, but these errors were encountered: