Last modified February 10, 2017

Accessing Pods and Services from the Outside

Once you have a Pod or Service running on your cluster, you might want to access it from outside your cluster. There are currently three ways to do that:

Setting up a Public Ingress

Your Giant Swarm cluster comes with an Ingress Controller based on NGINX, which we run for you in your cluster. You can expose Services publicly by setting up a simple Ingress. To do this, create an Ingress manifest (e.g. myingress.yaml) based on the following template (replace the placeholders accordingly) in the same namespace as the Service you want to expose.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: <ingress-name>
  namespace: <namespace-name>
spec:
  rules:
  - host: <yourchoice>.<cluster-id>.k8s.gigantic.io
    http:
      paths:
      - path: /
        backend:
          serviceName: <service-name>
          servicePort: <service-port>

You can apply the Ingress resource with kubectl apply -f myingress.yaml. You can also leave out the namespace line in the YAML and instead use kubectl apply --namespace <namespace> --filename myingress.yaml.

A few moments later you will be able to access your Service publicly at:

http://<yourchoice>.<cluster-id>.k8s.gigantic.io

Currently, this is limited to exposing Services on port 80 by default, i.e. over plain HTTP. Support for TLS will be added soon.

Forwarding an authenticated port with kubectl port-forward

Forwarding a port with kubectl is fairly easy. However, it only works with single Pods and not with Services, so you need the exact Pod name. You can either get this manually by running

kubectl --namespace=<namespace> get pods

and looking for the right Pod name, or by running the following script:

POD=$(kubectl get pods --namespace <namespace> --selector <label-key>=<label-value> \
    -o template --template '{{range .items}}{{.metadata.name}} {{.status.phase}}{{"\n"}}{{end}}' \
    | grep Running | head -1 | cut -f1 -d' ')

Be sure to have your Pod labeled accordingly so you can find it with the above selector.

After this you can run

kubectl port-forward --namespace <namespace> "$POD" <local-port>:<pod-port>

or, to have it running in the background,

kubectl port-forward --namespace <namespace> "$POD" <local-port>:<pod-port> &

Now you can access your Pod locally via localhost:<local-port>.

Access any Service through the API proxy

The Kubernetes API comes with a built-in proxy, which you can use to access Services deployed on your cluster. The URL schema is

https://api.<cluster-id>.k8s.gigantic.io/api/v1/proxy/namespaces/<namespace>/services/<service-name>:<port>/

Access will only be granted to clients which

  • trust the API’s server certificate, which means they trust the Certificate Authority (CA) that signed it and
  • provide a valid client certificate.

The Giant Swarm web user interface shows you how to obtain the certificate files.

To make these certificates available to HTTP clients/browsers, see our guide Establishing Trust to Your Cluster’s CA and Importing Certificates, which explains this for different clients on various platforms.
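
As an added example (not part of the original Giant Swarm documentation), the following shell functions build the proxy URL from the schema above and request it with curl, verifying the server against the cluster CA and presenting a client certificate. The file names ca.crt, client.crt and client.key, the function names, and the input-validation and key-permission checks are assumptions of this example.

```shell
#!/bin/sh
# Added example: mutual-TLS request through the Kubernetes API proxy.
# Assumed (not from the original page): the file names ca.crt, client.crt,
# client.key and all function names below.
LC_ALL=C; export LC_ALL   # make the a-z ranges below byte-exact

# Accept only DNS-label style values so a placeholder value cannot smuggle
# "/" or ".." into the proxied path.
is_label() {
    case "$1" in
        ""|-*|*-|*[!a-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the proxy URL from the schema shown above.
# usage: proxy_url <cluster-id> <namespace> <service-name> <port>
proxy_url() {
    for v in "$1" "$2" "$3" "$4"; do
        is_label "$v" || { echo "invalid value: '$v'" >&2; return 1; }
    done
    printf 'https://api.%s.k8s.gigantic.io/api/v1/proxy/namespaces/%s/services/%s:%s/\n' \
        "$1" "$2" "$3" "$4"
}

# The client key grants API access: succeed only if group and others have
# no permissions on the file (mode 600 or 400).
key_is_private() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: proxy_get <cluster-id> <namespace> <service-name> <port>
proxy_get() {
    url=$(proxy_url "$@") || return 1
    key_is_private client.key || {
        echo "client.key must be mode 600 or 400" >&2; return 1; }
    # --cacert restricts trust to the cluster CA (do not fall back to -k);
    # --cert/--key present the client certificate the API requires.
    curl --fail --silent --show-error \
         --cacert ca.crt --cert client.crt --key client.key "$url"
}
```

Run proxy_get from the directory that holds the three certificate files; a certificate verification error from curl means the CA file does not match the API server and should be investigated rather than bypassed.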

Further reading