Understand the request path
See how outprobe works, including relay dispatch and the reverse tunnel.
outprobe has two halves: a laptop CLI and an in-cluster relay. The CLI creates the relay and routing objects, opens a reverse tunnel through a Kubernetes port-forward, and forwards matched requests to your local app.
You need:
kubectl in your PATH, with a working kubeconfig;http://localhost:8080);Gateway API is needed only for optional browser/ingress interception. Docker is needed only when pulling or running a container image.
brew install outprobe/outprobeoutprobe --helpThis is the laptop CLI used for init, up, down, status, and routes.
brew install outprobe/outprobe-relayInstall the relay formula when you need the standalone relay binary.
docker pull ghcr.io/flaticols/outprobe-relay:v0.0.16This is the relay image deployed in the cluster. Pin the same tag in .outprobe.yaml for a reproducible setup:
image: ghcr.io/flaticols/outprobe-relay:v0.0.16From the project where you run your local service:
outprobe initThis writes .outprobe.yaml without overwriting an existing file. Its first line points editors at the hosted schema:
# yaml-language-server: $schema=https://outprobe.dev/schemas/outprobe.schema.jsonUse outprobe init --manifests only if you also want editable copies of the Kubernetes manifests under .outprobe/.
Start with the smallest useful config:
version: "0.0.1"
namespace: my-namespacetarget: my-serviceimage: ghcr.io/flaticols/outprobe-relay:v0.0.16localTarget: http://localhost:8080
rules: - type: jwt property: "" # top-level claim matchers: - key: email value: you@example.comThe value must equal the value carried by your request. For an email claim, useful lookups are:
| Provider | Command | Note |
|---|---|---|
| GKE / gcloud | gcloud config get-value account |
Usually the email in the token. |
| fly.io | fly auth whoami |
Returns your email. |
| AWS | aws sts get-caller-identity |
Returns an ARN, not necessarily your JWT email. |
| Any provider | Decode the bearer token at jwt.io | The token claim is the source of truth. |
Prefer a header instead? Replace the rule with:
rules: - type: header matchers: - key: x-debug-user value: denisSee Request matching for namespaced claims, feed filters, and current v1 rule selection.
Run a local copy of the target service at the configured localTarget. With the default:
http://localhost:8080Run it under Delve or attach your editor if you want to stop at a breakpoint. outprobe forwards the original method, path, headers, and body to this endpoint.
outprobe upThe CLI will:
When ready, the log ends with a line similar to:
outprobe is live — drive the app; Ctrl-C to tear down mode=divert target=my-namespace/my-service match="jwt email=you@example.com" local=http://localhost:8080Drive the shared application. Requests with your matching claim or header should now reach the local service; unmatched requests continue to the real target.
Press Ctrl-C to tear down. outprobe deletes routing objects first, then the relay, so direct routing is restored before the pod disappears.
If a previous process exited unexpectedly:
outprobe statusoutprobe downUnderstand the request path
See how outprobe works, including relay dispatch and the reverse tunnel.
Choose a safer mode
Catch browser traffic
Add a narrowly scoped Gateway API route with the ingress guide.
Call cluster dependencies
Expose in-cluster TCP services locally through egress tunnels.