Why Secure Access to Databases with kubectl
The database port was open only to the cluster. You needed it now, but not from inside the pod.
kubectl can give you secure, on-demand access to that database without exposing it to the internet. By forwarding the port through your Kubernetes API connection, you skip public endpoints, avoid firewall changes, and keep traffic inside an encrypted tunnel.
Databases inside Kubernetes are often shielded by private network policies. This default isolation improves security but makes direct queries harder. Many teams work around it by exposing the database service publicly. That step invites risk. Using kubectl port-forward or kubectl exec avoids that risk. It relies on the same TLS-secured channel as the rest of your kubectl commands.
kubectl Port Forward for Database Access
- Identify the pod running the database:
kubectl get pods -n database
- Forward the local port to the pod’s port:
kubectl port-forward pod/postgres-0 5432:5432 -n database
- Connect with your local client to localhost:5432.
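The connection now runs over the authenticated, encrypted path between kubectl and the Kubernetes control plane. No inbound port is opened. No security group changes are needed. By default kubectl binds the forwarded port to localhost only, so other machines on your network cannot reach it.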
kubectl exec for Direct Queries
If you only need to run one-off queries:
kubectl exec -it pod/postgres-0 -n database -- psql -U myuser mydb
This runs the client inside the pod’s network space. Data never leaves the internal cluster network except in your secure control stream.
Best Practices
- Run commands from a machine with controlled kubeconfig access.
- Limit permissions in Kubernetes RBAC so only approved users can open tunnels.
- Log and monitor kubectl activity for auditing.
- Use short-lived sessions.
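One way to implement the RBAC restriction above, as an added example that is not from the original article: a Role that allows port-forwarding to the postgres-0 pod only, bound to a single group. The role, binding and group names are assumptions; the namespace and pod name are the ones used in the commands above.

```yaml
# Added example. db-tunnel, db-tunnel-dbas and dba-oncall are hypothetical names.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: db-tunnel
  namespace: database
rules:
  # kubectl looks up the pod before it opens the stream.
  # "list" is not granted, so "kubectl get pods -n database" needs a
  # separate grant, or the user must already know the pod name.
  - apiGroups: [""]
    resources: ["pods"]
    resourceNames: ["postgres-0"]
    verbs: ["get"]
  # Port-forward only, and only to the database pod.
  # "create" covers the POST-based stream; "get" covers clients that
  # open the same stream as a WebSocket upgrade.
  - apiGroups: [""]
    resources: ["pods/portforward"]
    resourceNames: ["postgres-0"]
    verbs: ["create", "get"]
  # Deliberately absent: pods/exec. Users bound to this Role can tunnel
  # to the database port but cannot start a shell or psql inside the pod.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: db-tunnel-dbas
  namespace: database
subjects:
  # Group name as asserted by your identity provider (assumption).
  - kind: Group
    name: dba-oncall
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: db-tunnel
  apiGroup: rbac.authorization.k8s.io
```

Grant pods/exec in a separate Role if one-off queries through kubectl exec are also needed, so tunnel access and in-pod command execution can be approved and audited independently.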
Securing database access with kubectl is fast to set up and reduces the attack surface. You keep the database private while enabling flexible, authenticated access for developers and automation.
If you want this kind of secure access without manual port-forwards or complex scripts, try hoop.dev and see it live in minutes.