The process of sending HTTP requests to Kubernetes pods is traditionally characterized by a high degree of complexity, often requiring multiple layers of orchestration, such as configuring ingress controllers, managing port-forwarding manually, or executing commands within a sidecar container. This complexity creates a significant friction point for developers and system administrators who need to perform rapid API testing, health checks, or debugging of internal services. To mitigate these challenges, the kubectl-curl plugin has been developed. This utility transforms the interaction model by automating the underlying connectivity requirements, allowing the user to execute curl commands against Kubernetes pods as if they were accessible on the local network. By abstracting the networking layer, the plugin eliminates the manual overhead of port-forwarding and URL rewriting, thereby accelerating the development lifecycle and reducing the time required to diagnose connectivity issues within a cluster.
The Kubectl-Curl Plugin Architecture
The kubectl-curl plugin is specifically designed to simplify the process of directing HTTP requests toward Kubernetes pods. Rather than requiring the user to establish a manual tunnel or configure a complex networking path, the plugin automates the connectivity pipeline.
When a user executes a kubectl curl command, the plugin performs several synchronized operations:
- The plugin identifies the target Kubernetes pod based on the provided URL or resource reference.
- It establishes a temporary port forwarding link from the local network to the selected Kubernetes pod.
- It dynamically rewrites the provided URL to point to the newly created local forwarded port.
- It passes all original curl options provided on the command line directly to the instantiated curl command.
The impact of this architecture is a streamlined workflow where the developer no longer needs to track local port assignments or manage the lifecycle of kubectl port-forward processes in a separate terminal window. This creates a dense integration between the local development environment and the remote cluster state.
Installation and Verification of Kubectl-Curl
To utilize the kubectl-curl plugin, the system must have the Go programming language installed and configured correctly.
The installation is dependent on the GOPATH/bin directory being present in the system's PATH environment variable. If this condition is met, the plugin can be installed using the following command:
go install github.com/segmentio/kubectl-curl@latest
Once the installation process is complete, it is critical to verify that the binary is correctly registered as a kubectl plugin. This is achieved by listing all available plugins:
kubectl plugin list
A successful installation will result in the plugin being visible in the output, typically listed as:
/.../kubectl-curl
Failure to see this entry indicates an issue with the PATH configuration or the Go installation process, which would prevent the kubectl curl command from being recognized by the Kubernetes CLI.
Operational Usage and Target Selection
The kubectl-curl plugin employs a specific syntax to define how requests are routed to the cluster. The general command structure is as follows:
kubectl curl [options] URL [container]
The plugin provides significant flexibility in how the host part of the URL is defined, allowing users to target specific pods or broader resource groups.
- podName: If a specific pod name is provided, the request is directed exactly to that pod.
- Resource references: The plugin supports targeting resources such as
deployment/deploymentName. When this method is used, the request is sent to a random pod associated with that specific resource.
The plugin supports several abbreviations for these resources to increase typing efficiency:
- deploy: Shorthand for deployment.
- sts: Shorthand for statefulset.
- ds: Shorthand for daemonset.
Regarding port configuration, if the user does not specify a port number in the URL, the plugin defaults to sending the request to an http port. This behavior ensures that basic API calls can be made without needing to know the exact port mapping of the container, provided the container is listening on a standard HTTP port.
Core Kubectl Installation for Linux
Before utilizing plugins like kubectl-curl, the primary kubectl binary must be installed. Using the latest compatible version of kubectl is essential to avoid unforeseen issues and ensure compatibility with the cluster's API version.
There are multiple methods for installing kubectl on Linux depending on the hardware architecture.
For x86-64 architecture, the latest release is downloaded using:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
For ARM64 architecture, the latest release is downloaded using:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/arm64/kubectl"
If a specific version is required instead of the latest stable release, the $(curl -L -s https://dl.k8s.io/release/stable.txt) segment of the command is replaced with the desired version string. For example, to install version 1.36.0:
For x86-64:
curl -LO https://dl.k8s.io/release/v1.36.0/bin/linux/amd64/kubectl
For ARM64:
curl -LO https://dl.k8s.io/release/v1.36.0/bin/linux/arm64/kubectl
Binary Validation and Installation
To ensure the integrity of the downloaded kubectl binary, an optional but recommended validation process is performed using checksums.
First, the checksum file is downloaded based on the architecture:
For x86-64:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"
For ARM64:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/arm64/kubectl.sha256"
The binary is then validated against the checksum file using the following command:
echo "$(cat kubectl.sha256) kubectl" | sha256sum --check
The output of this command determines the validity of the binary:
- Valid: The output will be
kubectl: OK. - Invalid: The
sha256sumtool will exit with a nonzero status and outputkubectl: FAILEDalong with a warning that the computed checksum did not match.
Once validated, the binary is installed to the system path using root privileges:
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
API Server Access and Authentication
Beyond the kubectl-curl plugin, there are fundamental ways to access the Kubernetes API server. kubectl simplifies this by handling the location of the API server and the authentication process.
One method is using kubectl proxy, which creates a proxy server on the local machine:
kubectl proxy --port=8080 &
Once the proxy is running, the API can be explored using standard tools like curl, wget, or a web browser:
curl http://localhost:8080/api/
An example output from this request provides versioning and server address information:
json
{
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "10.0.1.149:443"
}
]
}
Alternatively, users can bypass the proxy by passing an authentication token directly to the API server. To identify the necessary cluster information, the following command can be used to view the configuration:
kubectl config view -o jsonpath='{"Cluster name\tServer
API Manifest Migration with Kubectl-Convert
The kubectl-convert plugin is another essential tool, particularly used for migrating manifests to non-deprecated API versions when upgrading to newer Kubernetes releases.
The installation process for kubectl-convert mirrors that of the main kubectl binary.
For x86-64:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl-convert"
For ARM64:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/arm64/kubectl-convert"
Checksum validation is also performed for this plugin:
For x86-64:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl-convert.sha256"
For ARM64:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/arm64/kubectl-convert.sha256"
The validation command is:
echo "$(cat kubectl-convert.sha256) kubectl-convert" | sha256sum --check
A successful result is indicated by kubectl-convert: OK. After validation, the plugin is installed:
sudo install -o root -g root -m 0755 kubectl-convert /usr/local/bin/kubectl-convert
Verification is performed by running the help command:
kubectl convert --help
Once verified, installation files are removed:
rm kubectl-convert kubectl-convert.sha256
Internal Cluster Networking and Connectivity Testing
Testing connectivity from within a pod is a common requirement for diagnosing network issues. This often involves attempting to curl a Service's ClusterIP.
A test pod can be launched using the following command:
kubectl run curl-test --rm -i --tty --image=curlimages/curl – /bin/sh
Within this pod, DNS lookup can be performed to verify the Service's A/AAAA records. For example:
nslookup 10.103.60.54
The output might show the mapped service name:
54.60.103.10.in-addr.arpa name = hello-web.apps.svc.cluster.local
However, network failures can occur even when DNS is working. For instance, attempting to curl the service via DNS:
curl http://hello-web.apps.svc.cluster.local:80
Or via the ClusterIP:
curl http://10.103.60.54:80
Both may result in a connection failure:
curl: (28) Failed to connect to hello-web.apps.svc.cluster.local port 80 after 135674 ms: Could not connect to server
According to official Kubernetes documentation, normal (non-headless) Services are assigned DNS A and/or AAAA records with the format my-svc.my-namespace.svc.cluster-domain.example.
Application Health Testing and Tool Comparison
Using curl and wget within the Kubernetes environment is vital for monitoring application health via specific endpoints.
Common health check commands include:
Liveness check:
kubectl exec -it my-pod -- curl http://my-service:8080/healthz
Readiness check:
kubectl exec -it my-pod -- curl http://my-service:8080/ready
Detailed health checks using jq for parsing:
kubectl exec -it my-pod -- curl http://my-service:8080/health | jq .
To filter for specific health indicators that are not "UP":
kubectl exec -it my-pod -- curl http://my-service:8080/health | jq '.checks[] | select(.status != "UP")'
When choosing between curl and wget for Kubernetes testing, the following comparisons apply:
| Tool | Primary Advantages | Best Use Case |
|---|---|---|
| curl | Better output formatting, more protocol support, easier header manipulation | API Testing |
| wget | Recursive downloads, resume partial downloads, efficient file handling | File Downloads |
Examples of tool-specific usage:
Using curl for API requests with headers:
kubectl exec my-pod -- curl -H "Accept: application/json" http://api:8080/
Using wget for recursive directory downloads:
kubectl exec my-pod -- wget -r -np -nd http://files:8080/documents/
Advanced HTTP Request Methods and Header Manipulation
For comprehensive API testing, developers must utilize various HTTP methods to ensure all functionality is operational.
GET request:
kubectl exec -it my-pod -- curl -X GET http://my-service:8080/users
POST request with JSON data:
kubectl exec -it my-pod -- curl -X POST http://my-service:8080/users \
-H "Content-Type: application/json" \
-d '{"name":"test","email":"[email protected]"}'
PUT request for updates:
kubectl exec -it my-pod -- curl -X PUT http://my-service:8080/users/1 \
-H "Content-Type: application/json" \
-d '{"name":"updated"}'
DELETE request:
kubectl exec -it my-pod -- curl -X DELETE http://my-service:8080/users/1
HEAD request to retrieve headers only:
kubectl exec -it my-pod -- curl -I http://my-service:8080/
Custom headers are often required for authentication or simulating specific clients:
Adding an authorization token:
kubectl exec -it my-pod -- curl http://my-service:8080/api/protected \
-H "Authorization: Bearer TOKEN123"
Adding multiple custom headers:
kubectl exec -it my-pod -- curl http://my-service:8080/ \
-H "X-Custom-Header: value" \
-H "User-Agent: MyApp/1.0"
Reading headers from a local file:
kubectl exec -it my-pod -- curl http://my-service:8080/ \
-H @headers.txt
Network Reliability and Timeout Management
To prevent hanging commands from consuming system resources or delaying troubleshooting, it is imperative to implement timeouts.
Connection timeouts prevent the command from waiting indefinitely for a response from the server:
kubectl exec -it my-pod -- curl --connect-timeout 5 http://my-service:8080/
Maximum time limits the total duration of the entire operation:
kubectl exec -it my-pod -- curl --max-time 10 http://my-service:8080/
A combined approach for strict control:
kubectl exec -it my-pod -- curl --connect-timeout 3 --max-time 10 http://my-service:8080/
For wget users, timeouts are set as follows:
kubectl exec -it my-pod -- wget --timeout=5 -O- http://my-service:8080/
Best Practices for Kubernetes Network Testing
A systematic approach to testing ensures that the root cause of a failure is identified accurately.
- Use timeouts: Always set connection and operation timeouts to avoid hanging processes.
- Verbose logging: Save detailed output to files for later review or sharing with team members.
- Status code extraction: In automated scripts, extract HTTP status codes to ensure tests are parseable and reliable.
- Multi-pod verification: Test from multiple pods to determine if an issue is specific to a single pod instance or a broader network infrastructure problem.
- Tool combination: Use
curlfor API validation andwgetfor data retrieval tasks.
Analysis of Kubernetes Connectivity Workflows
The integration of kubectl-curl represents a significant evolution in how engineers interact with distributed systems. Traditionally, the "wall" between the local machine and the pod network required manual intervention. By automating the port-forwarding and URL rewriting process, kubectl-curl essentially treats the cluster as a local development environment.
When comparing this to the standard kubectl exec method, the difference is one of context. Using kubectl exec to run curl requires a shell and curl binary to be present inside the target container. This creates a dependency on the container image (e.g., using curlimages/curl). If the production image is "distroless" or stripped for security, kubectl exec becomes impossible. In contrast, kubectl-curl operates from the outside, utilizing the Kubernetes API to bridge the gap, making it a more versatile tool for secure, minimal images.
However, the failure of internal ClusterIP requests, as seen in common troubleshooting scenarios, highlights that tool-level success does not guarantee network-level success. The gap between a DNS record existing (nslookup success) and a connection being established (curl failure) points to deeper issues such as NetworkPolicies, service mesh restrictions, or incorrect port configurations. Therefore, the use of kubectl-curl should be paired with a rigorous understanding of the Kubernetes networking stack, including DNS resolution and the behavior of non-headless services.
Ultimately, the efficacy of these tools depends on the user's ability to implement the best practices mentioned—specifically the use of timeouts and multi-pod verification. Without these, a developer might misinterpret a slow response as a complete failure or a pod-specific network glitch as a global service outage.