Skip to content
Proxies HTTP requests into a Kubernetes cluster for easier debugging
Go Dockerfile Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Kube Web Proxy

This is a hack to make it easy to connect to HTTP debug interfaces inside your Kubernetes cluster. You go to the proxy, and it shows you a list of pods/services in the cluster. You click the port you want, and it connects you. This makes it easy to access internal debugging interfaces. For example, you can access the Go pprof web UI to collect profiling information. This is a bit like the port-forwarding part of Octant, but runs in your cluster so it doesn't require installing anything, and it is very, very ugly.


Since this is a potential security hole, Kube Web Proxy requires requests to have been authenticated with the Google Cloud Identity-Aware Proxy (IAP). Getting this set up is a bit of a pain. My advice is:

  1. Set up the Ingress, without IAP turned on. The /health endpoint should work, but the other paths will return forbidden errors.
  2. Enable IAP for the Ingress, which may require some fiddling.


The proxy has to rewrite paths, in order to add /namespace/service/port to the URL path. I have only used a few tiny web applications, so I'm certainly missing some rewrites that are required. Cookies will be shared between all services (TODO: rewrite the header to scope them to paths). This also means JavaScript that embeds paths will probably break. The solution is probably to rewrite the application to use relative paths. A better solution would be to use a wildcard domain, but that is not supported by Google's managed TLS certificates.

Useful Documentation

Set up / using

  1. Build the container image and publish it.
  2. Configure IAP for your GKE cluster:
  3. Edit kubewebproxy-service.yaml and set Image and --iapAudience to the correct values for your cluster.
  4. kubectl apply -f kubewebproxy-service.yaml to configure the ingress, service, deployment, service account, GKE managed certificates, IAP, etc. This is unlikely to work without some edits.
  5. Access the ingress in your web browser.

Kubernetes Service Account

This service the view ClusterRole to read service metadata from the Kubernetes API. I followed the in-cluster configuration example to grant it a service account with permission to view everything:

Run Locally

docker build . --tag=kubewebproxy docker run --rm -ti --publish= kubewebproxy

Open http://localhost:8080/

Building with Google Cloud Build

~/google-cloud-sdk/bin/gcloud builds submit . --project=gosignin-demo --substitutions=_LABEL=debug1

You can’t perform that action at this time.