


kubernetes

2nd chunk of `content/en/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md`
  class ingress,service1,service2,pod1,pod2,pod3,pod4 k8s;
  class client plain;
  class cluster cluster;
{{</ mermaid >}}
Figure 1. SOCKS5 tutorial components

## Using ssh to create a SOCKS5 proxy

The following command starts a SOCKS5 proxy between your client machine and the remote SOCKS server:

```shell
# The SSH tunnel continues running in the foreground after you run this
ssh -D 1080 -q -N username@kubernetes-remote-server.example
```

The SOCKS5 proxy lets you connect to your cluster's API server based on the following configuration: 
* `-D 1080`: opens a SOCKS proxy on local port :1080.
* `-q`: quiet mode. Causes most warning and diagnostic messages to be suppressed.
* `-N`: Do not execute a remote command. Useful for just forwarding ports.
* `username@kubernetes-remote-server.example`: the remote SSH server behind which the Kubernetes cluster
  is running (for example, a bastion host).

## Client configuration

To access the Kubernetes API server through the proxy you must instruct `kubectl` to send queries through
the `SOCKS` proxy we created earlier. Do this by either setting the appropriate environment variable, 
or via the `proxy-url` attribute in the kubeconfig file. Using an environment variable: 

```shell
export HTTPS_PROXY=socks5://localhost:1080
```

To always use this setting on a specific `kubectl` context, specify the `proxy-url` attribute in the relevant 
`cluster` entry within the `~/.kube/config` file. For example:

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LRMEMMW2 # shortened for readability 
    server: https://<API_SERVER_IP_ADDRESS>:6443  # the "Kubernetes API" server, in other words the IP address of kubernetes-remote-server.example
    proxy-url: socks5://localhost:1080   # the "SSH SOCKS5 proxy" in the diagram above
  name: default
contexts:
- context:
    cluster: default
    user: default
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: default
  user:
    client-certificate-data: LS0tLS1CR== # shortened for readability
```
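
A check for the `proxy-url` setting described above, as an added example that is not part of the Kubernetes documentation: it lists each cluster entry in a kubeconfig and flags any `proxy-url` that is not a `socks5://` proxy on the loopback interface, which is where `ssh -D 1080` listens by default. The function names and the sample hosts are constructed, and the parser assumes the layout `kubectl` writes (list items start at column 0).

```shell
#!/bin/sh
# Added example, not from the Kubernetes docs. check_proxy_urls FILE prints
# "<STATUS> <cluster> <proxy-url>" per cluster entry and returns 1 on any WARN.
#   OK = socks5:// on loopback   NONE = no proxy set   WARN = anything else
# Assumes the kubeconfig layout kubectl writes (list items start at column 0).
check_proxy_urls() {
  awk '
    function emit() {
      if (!in_item) return
      if (url == "") status = "NONE"
      else if (url ~ /^socks5:\/\/(localhost|127\.0\.0\.1|\[::1\])(:[0-9]+)?\/?$/) status = "OK"
      else { status = "WARN"; bad = 1 }
      print status, name, (url == "" ? "-" : url)
      name = ""; url = ""; in_item = 0
    }
    /^[^ #-]/ { emit(); in_clusters = ($0 ~ /^clusters:/); next }  # top-level key
    !in_clusters { next }
    /^- / { emit(); in_item = 1 }                                  # next cluster entry
    { line = $0; sub(/[ \t]+#.*$/, "", line); sub(/[ \t]+$/, "", line) }
    line ~ /^(- |  )name:/ { sub(/^.*name:[ \t]*/, "", line); name = line }
    line ~ /^ +proxy-url:/ { sub(/^.*proxy-url:[ \t]*/, "", line); gsub(/"/, "", line); url = line }
    END { emit(); exit bad + 0 }
  ' "$1"
}

# Constructed sample: one entry as on this page, one direct, one remote proxy.
sample_kubeconfig() {
cat <<'EOF'
apiVersion: v1
clusters:
- cluster:
    server: https://<API_SERVER_IP_ADDRESS>:6443
    proxy-url: socks5://localhost:1080   # the ssh -D listener
  name: default
- cluster:
    server: https://direct.example:6443
  name: direct
- cluster:
    server: https://other.example:6443
    proxy-url: socks5://proxy.example:1080
  name: remote
contexts: []
EOF
}

# Demo on the constructed sample; "-" makes awk read standard input.
sample_kubeconfig | check_proxy_urls - || echo "review the WARN entries" >&2
```

To check a real file, call `check_proxy_urls ~/.kube/config`; a `WARN` line means that cluster's API traffic is sent to a proxy other than the local SSH tunnel.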

Title: Configuring SSH and Client for SOCKS5 Proxy Access
Summary
This section details the steps to create a SOCKS5 proxy using SSH, enabling access to a remote Kubernetes API server. The provided command initiates a SOCKS5 proxy, explaining the function of each flag used. It also outlines how to configure the `kubectl` client to utilize the created SOCKS proxy, either by setting the `HTTPS_PROXY` environment variable or by specifying the `proxy-url` attribute within the kubeconfig file. Example configurations are given for both methods, ensuring `kubectl` routes its queries through the SOCKS5 proxy.