Debugging Kubernetes Services with kubectl and socat

The pod sat running, but you couldn’t reach it. The logs were clean. The service was fine. The firewall was open. And still—no connection.

This is where kubectl and socat work together like a scalpel. With kubectl exec and socat, you can bridge a port from inside a pod to your local system without exposing it cluster-wide. It’s precise, private, and fast.

Why kubectl socat matters
Sometimes you need to debug a service that isn’t exposed externally. Port-forwarding is common, but kubectl port-forward relies on Kubernetes API tunnels and has quirks with certain protocols. socat can proxy raw TCP, UDP, and UNIX sockets directly. Pairing it with kubectl exec lets you create bidirectional pipes on demand, hitting targets inside the cluster with zero YAML changes.

Basic example
First, run socat inside the pod:

kubectl exec -it my-pod -- socat TCP-LISTEN:9000,fork TCP:internal-service:80

This listens on port 9000 in the pod and forwards to an internal service on port 80.

Then, in a second terminal on your local machine (kubectl exec stays in the foreground while socat runs), set up port forwarding with kubectl port-forward:

kubectl port-forward my-pod 9000:9000

Now, hitting localhost:9000 reaches the internal service.

Direct remote access with kubectl exec and local socat
If you don't want to change the container itself, even temporarily, use kubectl exec to run socat commands on demand:

kubectl exec -it my-pod -- sh -c "socat TCP-LISTEN:8080,fork TCP:target-service:443"

This is ideal for one-off debugging, SSL testing, or hitting unusual ports.

Security considerations
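Run this only against trusted pods. While the relay is up, whatever it targets inside the cluster is reachable through the bound port, and socat's TCP-LISTEN accepts connections on every interface of the pod unless you give it a bind= address. Clean up when done: stop the port-forward and kill the socat processes.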
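
The basic example and the cleanup advice above, combined into one script as an added example (not code from the original post): it binds the relay to the pod's loopback address with socat's bind= option, so only kubectl port-forward can reach it, and kills the relay on exit. The function names are hypothetical, and it assumes the pod image ships socat and pkill.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; pod, ports and target are
# the caller's. Assumes the pod image ships socat and pkill.

# Accept only decimal ports in 1-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept only DNS-style names, so no option or shell syntax reaches kubectl/socat.
valid_name() {
  case "$1" in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

# Print the relay command. bind=127.0.0.1 keeps the listener off the pod IP;
# kubectl port-forward still reaches it because it dials the pod's localhost.
relay_args() {  # relay_args LISTEN_PORT TARGET_HOST TARGET_PORT
  valid_port "$1" && valid_name "$2" && valid_port "$3" || return 1
  printf 'socat TCP-LISTEN:%s,bind=127.0.0.1,reuseaddr,fork TCP:%s:%s\n' "$1" "$2" "$3"
}

# Stop the relay inside the pod and the local kubectl exec that started it.
cleanup() {
  kubectl exec "$pod" -- pkill -f "TCP-LISTEN:$lport," 2>/dev/null
  kill "$exec_pid" 2>/dev/null
}

debug_tunnel() {  # debug_tunnel POD LISTEN_PORT TARGET_HOST TARGET_PORT
  pod=$1 lport=$2
  valid_name "$pod" || { echo "invalid pod name" >&2; return 2; }
  args=$(relay_args "$lport" "$3" "$4") || { echo "invalid port or host" >&2; return 2; }
  # Unquoted on purpose: $args is validated and has no shell metacharacters.
  kubectl exec "$pod" -- $args &
  exec_pid=$!
  trap cleanup EXIT
  trap 'exit 130' INT TERM
  sleep 2  # give socat time to start listening
  # Blocks until interrupted; listens on 127.0.0.1 of the local machine.
  kubectl port-forward "$pod" "$lport:$lport"
}

# Example: sh tunnel.sh my-pod 9000 internal-service 80
if [ "$#" -eq 4 ]; then debug_tunnel "$@"; fi
```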

When to use

  • Debugging protocols that fail with kubectl port-forward
  • Tunneling to database ports without making them public
  • Testing internal microservices from a laptop

kubectl socat gives you cluster access without redeploying or exposing services. It’s a sharp tool for quick, secure tunnels.
