Remote kubectl Kubernetes
Access remote Kubernetes clusters through NFLTR tunnels. Run kubectl, helm, and k9s from anywhere — without a VPN, bastion hosts, or exposing the Kubernetes API server to the internet.
Architecture
Deploy an NFLTR agent inside (or next to) your Kubernetes cluster. The agent tunnels port 6443 (kube-apiserver) back to the NFLTR server. From your workstation, run nfltr tcp to create a local port that connects to the remote cluster's API.
Setup
1. Deploy the agent in your cluster
```bash
# Using kubectl to run the agent as a Pod
kubectl run nfltr-agent --image=ghcr.io/onpremlink/nfltr \
  -- tcp 6443 \
  --server grpc.nfltr.xyz:443 \
  --api-key "$NFLTR_API_KEY" \
  --name prod-k8s \
  --forward kubernetes.default.svc:6443
```
2. Connect from your workstation
```bash
# Create local port mapping to the remote cluster
nfltr tcp-connect prod-k8s 6443 --listen :6443

# Now kubectl works as if the cluster is local
kubectl --server=https://localhost:6443 get pods
helm list
k9s
```
3. Update kubeconfig (optional)
```bash
# Add a context pointing to the tunnel
kubectl config set-cluster tunnel-prod \
  --server=https://localhost:6443 \
  --insecure-skip-tls-verify
kubectl config set-context tunnel-prod \
  --cluster=tunnel-prod --user=admin
kubectl config use-context tunnel-prod
```
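With `--insecure-skip-tls-verify`, kubectl accepts any certificate presented on localhost:6443, so the kubeconfig credentials it sends are no longer tied to the real API server. The following is an added example, not part of NFLTR's documentation or tooling: it registers the tunnel context with verification kept on and lists kubeconfig entries that still have it off. The function names, the CA file argument and the sample kubeconfig are assumptions constructed here.

```bash
#!/usr/bin/env bash
# Added example, not NFLTR code. Function names, the CA file argument and the
# sample kubeconfig below are assumptions constructed for illustration.

# Register the tunnel endpoint with certificate verification left on: trust
# the cluster's own CA and name the SAN to expect, because "localhost" is
# normally not in the API server certificate.
add_tunnel_cluster() {  # usage: add_tunnel_cluster NAME CA_FILE [SAN]
  kubectl config set-cluster "$1" \
    --server=https://localhost:6443 \
    --certificate-authority="$2" --embed-certs=true \
    --tls-server-name="${3:-kubernetes.default.svc}"
}

# Print "name<TAB>server" for every cluster entry that disables verification.
# Expects the block-style YAML that kubectl itself writes.
insecure_clusters() {  # usage: insecure_clusters [KUBECONFIG_FILE]
  awk '
    function emit() { if (bad) print name "\t" server; bad = 0; name = server = "" }
    /^[^ #-]/ { emit(); in_clusters = ($1 == "clusters:"); next }
    !in_clusters { next }
    /^- / { emit(); sub(/^- /, "  ") }
    /^    insecure-skip-tls-verify: *true/ { bad = 1 }
    /^    server: / { server = $2 }
    /^  name: / { name = $2 }
    END { emit() }
  ' "$@"
}

# Constructed sample: one context made as in step 3, one with the CA pinned.
sample_kubeconfig() {
  cat <<'EOF'
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://localhost:6443
  name: tunnel-prod
- cluster:
    certificate-authority-data: PLACEHOLDER_BASE64_CA
    server: https://localhost:6444
    tls-server-name: kubernetes.default.svc
  name: tunnel-staging
contexts: []
EOF
}

sample_kubeconfig | insecure_clusters
```

Run `insecure_clusters ~/.kube/config` against a real kubeconfig; an empty result means no cluster entry has verification disabled.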
What Works Through the Tunnel
| Tool | Works? | Notes |
|---|---|---|
| kubectl | Yes | All subcommands including exec, logs -f, port-forward |
| helm | Yes | Install, upgrade, rollback, list |
| k9s | Yes | Full interactive dashboard |
| lens | Yes | Point at localhost:6443 |
| ArgoCD CLI | Yes | Manage apps remotely |
| kustomize | Yes | Apply with kubectl apply -k |
💡 Multiple clusters
Deploy an agent per cluster with different agent IDs (prod-k8s, staging-k8s, dev-k8s). Switch between them by changing which agent you tunnel to. Combine with fleet management and labels for organized multi-cluster access.
Security
- No public API server — The Kubernetes API never needs a public IP or ingress.
- Agent auth — The NFLTR agent authenticates with API key or mTLS. Only authorized agents can tunnel.
- K8s RBAC still applies — The tunnel carries your kubeconfig credentials. K8s RBAC enforces authorization at the API server.
- Audit trail — NFLTR logs which users connect to which agents. Combine this with K8s audit logs for full traceability.
- Session based — Close the tunnel and access stops immediately. No persistent VPN connection to maintain.
Use Cases
- Remote DevOps — Manage production clusters from home without VPN hardware.
- Multi-cloud — Access GKE, EKS, and AKS clusters through a single NFLTR server.
- Customer clusters — Debug customer Kubernetes environments with a shared agent.
- Air-gapped clusters — Reach clusters in isolated networks via a single outbound agent connection.
- CI/CD deployment — Deploy to clusters from GitHub Actions without exposing the API server.