通过 kubectl 和 socat 进行 K8s 端口转发

tag-icon tag-icon socat
通过 kubectl 和 socat 进行 K8s 端口转发

我的 k8s pod 正在连接到某个 https 目标。此目标无法从我的本地计算机访问,因此我想使用kubectl proxy+socat使该目标在我的本地计算机上可用,以进行本地开发。

问题是我甚至无法让 socat 工作,而且我很困惑为什么。

首先我检查我的 pod 上的目标连接:

curl -v -k https://target/rest/
Trying 54.136.137.42:443...
* TCP_NODELAY set

[...]

{"message":"key header missing"}

此消息是来自的默认回复目标当一个人不提供身份验证信息时,一切都正常。

现在我使用本地端口为1234的socat:

socat tcp-listen:1234,reuseaddr,fork tcp:target:443

但是,当我现在尝试 curl 目标时,我只得到 404,就像 socat 从未启动一样。这样可以吗?我使用 socat 的方式错误吗?这与 TLS 有关吗?

HTTP:

curl -v -k http://localhost:1234/rest/
*   Trying ::1:1234...
* TCP_NODELAY set
* connect to ::1 port 1234 failed: Connection refused
*   Trying 127.0.0.1:1234...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1234 (#0)
> GET /rest/ HTTP/1.1
> Host: localhost:1234
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Mon, 17 Jul 2023 07:49:05 GMT
< Content-Length: 19
< 404 page not found
* Connection #0 to host localhost left intact

HTTPS:

curl -v -k https://localhost:1234/rest/
*   Trying ::1:1234...
* TCP_NODELAY set
* connect to ::1 port 1234 failed: Connection refused
*   Trying 127.0.0.1:1234...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1234 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=DE; ST=NRW; L=Munich; O=AG; CN=digital-int.app.intra.net
*  start date: Dec  2 08:20:52 2021 GMT
*  expire date: Dec  2 08:20:52 2023 GMT
*  issuer: C=DE; O=AG; CN=Corp-Issuing-CA01-G2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5997a85d52f0)
> GET /rest/ HTTP/2
> Host: localhost:1234
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 404
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< content-length: 19
< date: Mon, 17 Jul 2023 11:40:36 GMT
<
404 page not found
* Connection #0 to host localhost left intact

答案1

看起来一切socat如预期般顺利。您收到 404 错误,因为发送到的请求target包含Host: localhost:1234。您需要curl按如下方式修改命令:

curl -v -k https://target/rest/ --connect-to target:443:127.0.0.1:1234

相关内容