LinuxCommandLibrary

kubectl-proxy

Proxy local requests to Kubernetes API

TLDR

Run a proxy using the default settings on port 8001 and listen on localhost

$ kubectl proxy
copy

Proxy part of the Kubernetes API while serving static files from a local directory
$ kubectl proxy [[-w|--www]] [path/to/static_dir] [[-P|--www-prefix]] [/static_prefix/] --api-prefix [/api_subset/]
copy

Proxy the entire Kubernetes API under a custom prefix
$ kubectl proxy --api-prefix [/custom_prefix/]
copy

Serve the Kubernetes API on a specific port while also serving static content
$ kubectl proxy [[-p|--port]] [port] [[-w|--www]] [path/to/static_dir]
copy

Run a proxy on a random local port, printing the chosen port to stdout
$ kubectl proxy [[-p|--port]] 0
copy

Run the proxy on a Unix domain socket instead of a TCP port
$ kubectl proxy [[-u|--unix-socket]] [path/to/socket]
copy

Accept connections from remote hosts by listening on all interfaces (use caution when exposing the proxy publicly)
$ kubectl proxy --address 0.0.0.0 --accept-hosts '.*'
copy

Allow only selected API paths while rejecting sensitive endpoints
$ kubectl proxy --accept-paths '^/api/v1/namespaces/default/.*' --reject-paths '^/api/.*/pods/.*/exec'
copy

SYNOPSIS

kubectl proxy [--port=PORT] [--www=PATH] [--www-prefix=PREFIX] [--api-prefix=PREFIX] [--address=IP] [--accept-hosts=HOSTS] [--disable-filter] [--reject-forward-proxy] [--unix-socket=PATH]

PARAMETERS

--accept-hosts stringArray
    Allowed host headers (comma-separated); defaults to API servers and local networks

--address string
    IP address to listen on (default: 127.0.0.1)

--api-prefix string
    API server endpoint prefix (default: api/)

--disable-filter
    Disable request filtering and fixups

--port int32
    Port to serve on (default: 8001)

--reject-forward-proxy
    Reject requests from forward proxies (may break some features)

--unix-socket string
    Unix socket path to proxy via (file must exist)

--www string
    Directory for static files

--www-prefix string
    Static files path prefix (default: /static/)

DESCRIPTION

The kubectl proxy command starts a lightweight HTTP proxy server that acts as an intermediary between your local machine and the Kubernetes API server. It enables direct access to cluster resources via HTTP requests, forwarding them to the API server without needing full authentication setup on each request.

By default, it listens on localhost:8001 and exposes the API at /api/ and static content at /static/. This is useful for development, testing, or when integrating Kubernetes with tools that can't handle native client authentication. It supports tunneling to services, pods, and other resources using paths like /api/v1/namespaces/default/pods/<pod>:8080/proxy/.

The proxy performs request validation, rewriting paths, and basic load balancing across API server endpoints. It disables cross-site scripting protections for proxied content but filters hosts by default to prevent abuse. Ideal for quick API exploration via curl or browsers, but not recommended for production due to security risks like exposing the cluster API locally.

CAVEATS

Exposes API server locally; insecure for production. Limited to 200 concurrent requests. Filtering may block legitimate traffic. Does not support HTTPS natively.

EXAMPLES

Basic proxy: kubectl proxy
Custom port: kubectl proxy --port=8080
Access pod: curl http://localhost:8001/api/v1/namespaces/default/pods/<name>

USE CASES

Browser-based cluster exploration; scripting API calls; integrating with non-Kubernetes tools like jq or Postman.

HISTORY

Introduced in Kubernetes v1.0 (2014) as a core kubectl subcommand for simplified API access during early cluster development. Evolved with options for security and Unix sockets in later releases like v1.18+.

SEE ALSO

kubectl(1), kubectl port-forward(1), kubectl cluster-info(1)

Copied to clipboard