Proxy & Tunneling for OpenShift

Tom Lous
2 min read · Jan 6, 2022


As a data engineer I often have to do stuff with Kubernetes.
Sometimes I’m lucky and get a client that uses some cloud hosted solution, but often they’ll have some mega kubernetes cluster running on something that is only accessible via some bastion host via a vpn connection.
Which is secure and good of course, but also gives me a lot of headaches to access the cluster from my local machine.

The hard part of ssh is 99% of the time remembering how to do it again, since I don’t create tunnels / proxies on a daily basis.

So this article is more for me than anyone in particular, but maybe it helps someone, which will increase the effectiveness :-)

The setup

[ Developer ] → [ Bastion ] → [ Open Shift Cluster ]

The Developer (me) on their MacBook wants to connect to the Open Shift Cluster, using fancy oc commands and such. Unfortunately there is this bastion in the way.

First we’ll define access to this bastion in some ssh config

Host client-bastion
User linux_user_on_bastion
IdentityFile ~/.ssh/id_rsa


Normally you can create ssh config that jumps via that bastion to the specified server like so (with some more config)

Host client-openshift
ProxyJump client-bastion:22

But the oc command doesn’t look at ssh config when connecting to the API unfortunately.


So we need to set up a tunnel to the OpenShift API. The downside is that this tunnel is always on and hard to manage using standard ssh.
A cool trick is to add a ControlPath to the bastion's ssh config, which makes tunnels easier to manage:

Host client-bastion
User linux_user_on_bastion
IdentityFile ~/.ssh/id_rsa
ControlPath ~/.ssh/control/client-bastion.ctl

(make sure the directory exists :-)

Now we can create a tunnel

ssh -fNTML 6443:api-access.for.openshift.cluster.com:6443 client-bastion

-f  Run in the background before command execution.
-N  Don’t execute any commands.
-T  Disable pseudo-tty allocation.
-M  Put control socket in master mode.
-L  Do the port forwarding (listening).


Now we can actually manage this connection more easily

ssh -TO check client-bastion to check the tunnel status

and ssh -TO exit client-bastion to close the tunnel

Make life even easier by creating some aliases in your .bashrc / .zshrc

alias ocproxy-up='ssh -fNTML 6443:api-access.for.openshift.cluster.com:6443 client-bastion'
alias ocproxy-status='ssh -TO check client-bastion'
alias ocproxy-down='ssh -TO exit client-bastion'
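
The same three operations as shell functions with a few hardening defaults, as an added example that is not the author's code. The OCPROXY_* variables, the ocproxy_* function names and the api.openshift.example endpoint are assumptions; OCPROXY_CTL_DIR must match the ControlPath directory in your ssh config.

```shell
#!/usr/bin/env bash
# Added example: defensive wrappers around the client-bastion tunnel.
# All OCPROXY_* names and the default API endpoint are placeholders.

OCPROXY_HOST="${OCPROXY_HOST:-client-bastion}"            # Host alias from ~/.ssh/config
OCPROXY_API="${OCPROXY_API:-api.openshift.example:6443}"  # placeholder API endpoint
OCPROXY_LOCAL_PORT="${OCPROXY_LOCAL_PORT:-6443}"
OCPROXY_CTL_DIR="${OCPROXY_CTL_DIR:-$HOME/.ssh/control}"  # directory part of ControlPath

# Create the ControlPath directory as owner-only. Anyone who can open the
# control socket can reuse the already authenticated bastion session.
ocproxy_prepare_dir() {
  mkdir -p "$OCPROXY_CTL_DIR" && chmod 700 "$OCPROXY_CTL_DIR"
}

# Build the -L argument with an explicit loopback bind address, so the
# forwarded API port is never exposed on other interfaces, whatever the
# GatewayPorts setting in ssh_config says.
ocproxy_forward_spec() {
  printf '127.0.0.1:%s:%s\n' "$OCPROXY_LOCAL_PORT" "$OCPROXY_API"
}

# Succeeds only when a master connection is alive on the control socket.
ocproxy_status() {
  ssh -TO check "$OCPROXY_HOST" 2>/dev/null
}

# Idempotent: does nothing when the tunnel is already up.
ocproxy_up() {
  ocproxy_prepare_dir || return 1
  ocproxy_status && return 0
  # ExitOnForwardFailure makes ssh exit with an error when the local port
  # cannot be bound, instead of leaving a master session without a forward.
  ssh -fNTM -o ExitOnForwardFailure=yes \
      -L "$(ocproxy_forward_spec)" "$OCPROXY_HOST"
}

# Close the master connection (and the forward with it) if one is running.
ocproxy_down() {
  ocproxy_status || return 0
  ssh -TO exit "$OCPROXY_HOST"
}
```

Source this from .bashrc / .zshrc in place of the aliases; ocproxy_up can then be called repeatedly without stacking tunnels.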


Now you can just


Log in to OpenShift (don’t add --server; oc connects to your localhost:6443 now)

oc login --token=sha256~....

and run some OpenShift commands

Don’t forget to close the tunnel



