GKE: secured access to services from outside the cluster

Question

Is there any way to access the \'internal\' services (those not exposed outside) of the cluster in a secure way from the outside.

The goal is simple: I need to debug

Answer 1

You can do this with a combination of running kubectl proxy on your dev machine and using the proxying functionality built into the master (that's a lot of proxying, but bear with me).

First, run kubectl proxy. Note the port that is bound locally (it should be 8001 by default). This will cause kubectl to create a tunnel to your master instance that you can hit locally without needing to pass any authentication (technically, you can do all of the following steps without doing this first by hitting the master directly, but this is simpler for debugging).

Next, point a client (web browser, curl, etc) at http://localhost:8001/api/v1/proxy/namespaces//services//, replacing with the namespace in which your service is configured and with the name of your service. You can also append a particular request path to the end of the URL, so if your pods behind the service are hosting a file called data.json you would append that to the end of the request path.

This is how the update-demo tutorial works, so if you get stuck I'd recommend walking through that example and taking a close look at what the javascript does (it isn't too complicated).