Skip to content

Add reverse port forwarding support #9611

New issue
New issue
Open
#9612
Open
Add reverse port forwarding support#9611
#9612
@willianpaixao

Description

@willianpaixao
willianpaixao
opened on Nov 20, 2025

Problem Statement

Currently, CRI-O only supports traditional (forward) port forwarding where the
host connects to a port in the container. There are scenarios where it's useful
to have the reverse: a listener in the container that forwards connections back
to the host.

Use Cases

  1. Development Workflows: Allow containerized applications to connect to
    databases or services running on the developer's host machine without
    complex network configuration.

  2. IDE Debugging: Enable containers to connect back to debugger interfaces
    running on the host (e.g., Java remote debugging, Python debugpy).

  3. Service Mesh Testing: Test service mesh proxies that need to connect to
    control plane components on the host.

  4. CI/CD Pipelines: Allow test containers to access mock services or test
    fixtures running on the CI runner.

Proposed Solution

Implement reverse port forwarding that:

  • Creates a TCP listener in the container's network namespace
  • Waits for the container to connect to localhost:port
  • Forwards the connection back to the host stream
  • Is controlled via a pod annotation: io.cri-o.reverse-ports: "8080,9090"

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions