A reserve proxy for Kubernetes services
Python Shell
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.



What is Kube-Door?

Kube-door is a simple reserve proxy for Kubernetes services using HAProxy. It simply watches for services annotates with kube-door/ports and then generate appropriate HAproxy configuration.

The idea is similar to Marathon-lb from Mesos.

How to use this?

First you need to build the docker image

docker build . -t kube-door

Then run the docker image under net host. Additionally, you can mount the kubeconfig and relevant certs to kube-door so it can talk to Kubernetes.

docker run -d \
  -v ~/.kube:/kubeconfig \
  -e KUBECONFIG=/kubeconfig/config \
  --net=host \
  --name=kube-door kube-door

You will need to expose your service with annotations. You can annotate your service with kube-door/ports with the port you want to expose to Kube-door. For example, below is a command to expose port 80 from your_service.

kubectl annotate svc/your_service kube-door/ports=80

You can also annotate with hostname to expose your service via hostname

kubectl annotate svc/your_service kube-door/hostname=your_hostname.com

At the moment, it is required that you have to expose your service with type is NodePort or LoadBalancer so that the service can be access from

Why don't you use Ingress or expose your service with LoadBalancer?

If your kuberentes cluster has cloud configuration, then it's best to just use service type LoadBalancer. In my case, the cluster is not configured with cloud so we usually setup the LoadBalancer manually, which takes a lof of work.

Ingress is still in beta at the time i write this. And it requires to deploy an Ingress controller plus ingress resource configuration, which will will add more overhead so I prefer a quick and simple solution for now. This will be easier and faster to use Kube-door and get something running.

In fact, this is very similar to Service LoadBalancer, but this requires you to run the load balancer on kubernetes nodes. Having the security requirements cleanly separated for internal access and external access is more preferred.


  • Support proxy based by domain
  • Auto update configuration
  • Support TCP load balancing
  • Support SSL termination
  • Support configuration override