All posts
ConceptsOctober 16, 20251 min read

Debugging Kubernetes Services with kubectl and socat

The pod sat running, but you couldn’t reach it. The logs were clean. The service was fine. The firewall was open. And still—no connection. This is where kubectl and socat work together like a scalpel. With kubectl exec and socat, you can bridge a port from inside a pod to your local system without exposing it cluster-wide. It’s precise, private, and fast. Why kubectl socat matters Sometimes you need to debug a service that isn’t exposed externally. Port-forwarding is common, but kubectl port-f

Free White Paper

Kubernetes RBAC: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

The pod sat running, but you couldn’t reach it. The logs were clean. The service was fine. The firewall was open. And still—no connection.

This is where kubectl and socat work together like a scalpel. With kubectl exec and socat, you can bridge a port from inside a pod to your local system without exposing it cluster-wide. It’s precise, private, and fast.

Why kubectl socat matters
Sometimes you need to debug a service that isn’t exposed externally. Port-forwarding is common, but kubectl port-forward relies on Kubernetes API tunnels and has quirks with certain protocols. socat can proxy raw TCP, UDP, and UNIX sockets directly. Pairing it with kubectl exec lets you create bidirectional pipes on demand, hitting targets inside the cluster with zero YAML changes.

Basic example
First, run socat inside the pod:

kubectl exec -it my-pod -- socat TCP-LISTEN:9000,fork TCP:internal-service:80

This listens on port 9000 in the pod and forwards to an internal service on port 80.

Then, from your local machine, set up port forwarding with kubectl port-forward:

Continue reading? Get the full guide.

Kubernetes RBAC: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
kubectl port-forward my-pod 9000:9000

Now, hitting localhost:9000 reaches the internal service.

Direct remote access with kubectl exec and local socat
If you want no temporary container changes, use kubectl exec to run socat commands dynamically:

kubectl exec -it my-pod -- sh -c "socat TCP-LISTEN:8080,fork TCP:target-service:443"

This is ideal for one-off debugging, SSL testing, or hitting unusual ports.

Security considerations
Run this only against trusted pods. Anything inside the cluster will be reachable from the bound port. Clean up by deleting forwards and killing socat processes when done.

When to use

  • Debugging protocols that fail with kubectl port-forward
  • Tunneling to database ports without making them public
  • Testing internal microservices from a laptop

kubectl socat gives you cluster access without redeploying or exposing services. It’s a sharp tool for quick, secure tunnels.

See how you can do this with a managed workflow—sign in to hoop.dev and try it live in minutes.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts