Kubernetes Port Forwarding - Error listen tcp4 127.0.0.1:88: bind: permission denied

I am using minikube on my local machine and am getting this error while using Kubernetes port forwarding. Can anyone help?

mjafary$ kubectl port-forward  sa-frontend 88:80

Unable to listen on port 88: All listeners failed to create with the following errors: 
Unable to create listener: Error listen tcp4 127.0.0.1:88: bind: permission denied, Unable to create listener: Error listen tcp6 [::1]:88: bind: permission denied
error: Unable to listen on any of the requested ports: [{88 80}] 
Jaf asked Dec 14 '18 07:12



2 Answers

kubectl fails to open port 88 because it is a privileged port. All ports <1024 require special permissions.

There are many ways to solve your problem.

  • You can stick to ports >= 1024, and use for example the port 8888 instead of 88: kubectl port-forward sa-frontend 8888:80
  • You could use kubectl as root: sudo kubectl port-forward sa-frontend 88:80 (not recommended, kubectl would then look for its config as root)
  • You could grant the kubectl binary the capability to open privileged ports. This answer explains in depth how to do this.

If you want to go for the 3rd option, here is a short way of doing it:

sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/kubectl

This will let kubectl open any port while still running with the privileges of a regular user. You can check if this worked by using:

sudo getcap /usr/bin/kubectl 
/usr/bin/kubectl = cap_net_bind_service+eip

Be aware that this grants the permission to whoever uses the binary. If you want finer-grained permissions, use authbind.

Note: as ng-sek-long commented, kubectl is not necessarily installed as /usr/bin/kubectl. You should replace it with the path to the kubectl binary on your machine.

user48678 answered Sep 19 '22 17:09
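
Added example (not part of either answer and not kubectl's own code): a shell helper that tells whether a local port needs privilege on Linux, and that lists which binaries in `getcap` output hold cap_net_bind_service, since that capability applies to every user who can run the binary. The function names, the `UNPRIV_FILE` override and the sample lines are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: is a local port privileged, and which binaries may bind one?

# Linux exposes the first unprivileged port here (kernel 4.11+).
# Overridable so the logic can be exercised without touching the host.
UNPRIV_FILE="${UNPRIV_FILE:-/proc/sys/net/ipv4/ip_unprivileged_port_start}"

# Print the lowest port an unprivileged process may bind (1024 if unknown).
unpriv_port_start() {
    local v=""
    if [ -r "$UNPRIV_FILE" ]; then
        read -r v < "$UNPRIV_FILE" || true
    fi
    case "$v" in
        ''|*[!0-9]*) echo 1024 ;;
        *) echo "$v" ;;
    esac
}

# Succeed (exit 0) if binding PORT needs root or CAP_NET_BIND_SERVICE.
needs_privilege() {
    [ "$1" -lt "$(unpriv_port_start)" ]
}

# Read `getcap` output on stdin and print every path whose file capabilities
# include cap_net_bind_service. Accepts both the "path = caps" layout shown
# in the answer and the "path caps" layout of newer libcap releases.
bind_capable_binaries() {
    local line path caps
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        caps="${line##* }"      # last space-separated field
        path="${line% *}"       # everything before it
        path="${path% =}"       # drop the " =" separator if present
        case "$caps" in
            *cap_net_bind_service*) printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample input, not captured from a real host.
SAMPLE_GETCAP='/usr/bin/kubectl = cap_net_bind_service+eip
/usr/bin/ping cap_net_raw=ep
/opt/tools/proxy cap_net_bind_service,cap_net_admin=ep'
```

On a real host, pipe `getcap -r` over the directories you care about into `bind_capable_binaries` and review each path it prints.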


As mentioned by user48678, you can bypass the limitation using sudo.

Add the -E flag to pass the environment.

mjafary$ sudo -E kubectl port-forward  sa-frontend 88:80

If you don't pass -E, the KUBECONFIG environment variable will not be set, for example.

vhs answered Sep 17 '22 17:09