Beginning with WebLogic Kubernetes Operator version 3.3.2,
or earlier if you are using an
Istio-enabled domain,
you can use the kubectl port-forward
command to set up external access for
the WebLogic Server Administration Console, the Remote Console, and WLST.
This approach is particularly useful for managing WebLogic
from a private local network without exposing WebLogic’s ports to a public network.
Here are the steps:
Externally exposing administrative, RMI, or T3 capable WebLogic channels
using a Kubernetes NodePort
, load balancer,
port forwarding, or a similar method can create an insecure configuration.
For more information, see External network access security.
To enable a kubectl port-forward
command to communicate
with a WebLogic Administration Server Pod, the operator
must modify the Administration Server configuration
to add network channels (Network Access Points)
with a localhost
address for each existing administration protocol capable port.
This behavior depends on your version and domain resource configuration:
If Istio is not enabled on the domain or for Istio enabled domains running
Istio 1.10 and later, this behavior is configurable on the domain resource using the
domain.spec.adminServer.adminChannelPortForwardingEnabled
domain resource attribute.
For details about this attribute, run the
kubectl explain domain.spec.adminServer.adminChannelPortForwardingEnabled
command or see the domain resource
schema.
If WLST access is required for Istio-enabled domains running Istio versions prior to 1.10, you must add an additional network channel to the WebLogic Administration Server configured with the following attributes:
t3
.localhost
. (Note: Setting the address to localhost is solely
for self-documenting purposes. The address can be set to any value, and the operator will override
it to the required value.)HTTP
protocol for this network channel.external listen address
or external listen port
.For Istio-enabled domains running Istio versions prior to 1.10, if console only access is required, then it is not necessary to add an additional network channel to the WebLogic Administration Server.
For example, here is a snippet of a WebLogic domain config.xml
file for channel PortForward
for the Administration Server.
<server>
<name>admin-server</name>
<network-access-point>
<name>PortForward</name>
<protocol>t3</protocol>
<listen-address>localhost</listen-address>
<listen-port>7890</listen-port>
<http-enabled-for-this-protocol>true</http-enabled-for-this-protocol>
</network-access-point>
</server>
For Model in Image (MII) and Domain in Image (DII), here is a snippet model configuration for channel PortForward
for the Administration Server.
topology:
...
Server:
'admin-server':
ListenPort: 7001
NetworkAccessPoint:
PortForward:
Protocol: 't3'
ListenAddress: 'localhost'
ListenPort: '7890'
HttpEnabledForThisProtocol: true
If your domain is already running, and you have made configuration changes, then you will need to rerun its introspector job and ensure that the admin pod restarts for the configuration changes to take effect.
If Istio is not enabled on the domain or for Istio enabled domains running Istio 1.10 and later, when administration channel port forwarding is enabled, the operator automatically adds the following network channels (also known as Network Access Points) to the WebLogic Administration Server Pod:
Description | Channel Name | Listen Address | Port | Protocol |
---|---|---|---|---|
When there’s no administration port or administration channels configured, and a non-SSL default channel exists | internal-t3 | localhost | Server listening port | t3 |
When there’s no administration port or administration channels configured, and an SSL default channel exists | internal-t3s | localhost | Server SSL listening port | t3s |
When an administration port is enabled | internal-admin | localhost | WebLogic administration port | admin |
When one or more custom administration channels are configured | internal-admin${index} (where ${index} is a number that starts with 1 and increases by 1 for each custom administration channel) | localhost | Custom administration port | admin |
If you have
set up WebLogic Administration Server network channels for port forward access,
then you can run a kubectl port-forward
command to access such a channel. The command:
localhost
on the machine where you run the command.Port forwarding occurs as long as the remote pod and the command are running. If you exit the command, then the forwarding stops and the local port and address is freed. If the pod cycles or shuts down, then the forwarding also stops and the command must be rerun after the pod recovers in order for the forwarding to restart.
The kubectl port-forward
command has the following syntax:
kubectl port-forward K8S_RESOURCE_TYPE/K8S_RESOURCE_NAME [options] LOCAL_PORT:REMOTE_PORT_ON_RESOURCE
For detailed usage, see port-forward in the Kubernetes reference documentation and run kubectl port-forward -h
.
For examples, notes, and warnings, see the Port forward example and Port forward notes and warnings.
For example, if you have a WebLogic domain with:
domain1
mynamespace
admin-server
listening on non-SSL listen port 7001
And, you have set up WebLogic Administration Server network channels for port forward access for this domain,
then you can run either of the following commands to forward local port 32015
to
the Administration Server Pod:
kubectl port-forward pods/domain1-admin-server -n mynamespace 32015:7001
or
kubectl port-forward service/domain1-admin-server -n mynamespace 32015:7001
The command output will be similar to the following:
Forwarding from 127.0.0.1:32015 -> 7001
In this example:
You can access the WebLogic Server Administration Console
at the http://localhost:32015/console
URL by using a browser
on the machine where you run the kubectl port-forward
command.
You can use WLST
on the machine where you run the kubectl port-forward
command
to connect to t3://localhost:32015
as shown:
$ $ORACLE_HOME/oracle_common/common/bin/wlst.sh
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> connect('myadminuser','myadminpassword','t3://localhost:32015')
Connecting to t3://localhost:32015 with userid myadminuser ...
Successfully connected to Admin Server "admin-server" that belongs to domain "base_domain".
Warning: An insecure protocol was used to connect to the server.
To ensure on-the-wire security, the SSL port or Admin port should be used instead.
wls:/base_domain/serverConfig/> exit()
Security warning: A port-forward connection can expose a WebLogic T3 or administrative channel outside the Kubernetes cluster. For domain security considerations, see External network access security.
Working with administration or SSL ports:
If a WebLogic administration port is configured and enabled on the Administration Server,
then you will need to forward to this port instead of its pod’s other ports.
In this case, the Administration Console access requires using the secure
https
protocol and WLST access requires using t3s
protocol.
Similarly, if forwarding to an SSL port, then this requires using
the https
and t3s
protocols for Administration Console and WLST access respectively.
Recovering from pod failures and restarts: A port-forward connection terminates after the pod instance fails or restarts. You can rerun the same command to establish a new forwarding session and resume forwarding.
Using WLST when the local port differs from the remote port: If you are setting up WLST access and your port forwarding local port is not going to be the same as the port number on the WebLogic Administration Server Pod, then see Enabling WLST access when local and remote ports do not match for an additional required setup step.
Specifying a custom local IP address for port forwarding:
Specifying a custom local IP address for port forwarding allows you to run WLST or your browser on a different machine than the port forward command.
You can use the --address
option of the kubectl port-forward
command
to listen on specific IP addresses instead of, or in addition to, localhost
.
The --address
option only accepts numeric IP addresses
or localhost (comma-separated) as a value.
For example, to enable Administration Console access at
http://my-ip-address:32015/console
, the command:
kubectl port-forward --address my-ip-address pods/domain1-admin-server -n mynamespace 32015:7001
See kubectl port-forward -h
for help and examples.
Optionally let kubectl port-forward
choose the local port:
If you don’t specify a local port in your port forward command, for example:
kubectl port-forward pods/domain1-admin-server -n mynamespace :7001
Then the command finds a local port number that is not in use, and its output is similar to:
Forwarding from 127.0.0.1:63753 -> 7001
And the Administration Console is accessible using the http://localhost:63753/console
URL.
If a local (forwarded) port number is not the same as the administration port number,
then WLST access will not work by default and you may see a BEA-000572
RJVM error
in the Administration Server logs:
<Aug 30, 2021 9:33:24,753 PM GMT> <Error> <RJVM> <BEA-000572> <The server rejected a connection attempt JVMMessage from: '-2661445766084484528C:xx.xx.xx.xxR:-5905806878036317188S:domain1-admin-server:domain1:admin-server' to: '0B:xx.xx.xx.xx:[-1,-1,32015,-1,-1,-1,-1]' cmd: 'CMD_IDENTIFY_REQUEST', QOS: '102', responseId: '-1', invokableId: '-1', flags: 'JVMIDs Sent, TX Context Not Sent, 0x1', abbrev offset: '114' probably due to an incorrect firewall configuration or administrative command.><
To work around the problem, configure the JAVA_OPTIONS
environment variable
for your Administration Server with the -Dweblogic.rjvm.enableprotocolswitch=true
system property
in your domain resource YAML.
For more information on this switch, refer to MOS ‘Doc 860340.1’.
A port-forward connection is active only while the kubectl port-forward
command is running.
You can terminate the port-forward connection by pressing CTRL+C in the terminal where the port forward command is running.
If you run the command in the background, then you can kill the process with the kill -9 <pid>
command. For example:
$ ps -ef | grep port-forward
oracle 27072 25312 1 21:45 pts/3 00:00:00 kubectl -n mynamespace port-forward pods/domain1-admin-server 32015:7001
oracle 27944 11417 0 21:45 pts/1 00:00:00 grep --color=auto port-forward
$ kill -9 27072