docs/en-us/cli/connect.md
Ktctl Connect
---
Create a network tunnel to a Kubernetes cluster. Basic usage:
```bash
ktctl connect
```
Available options:
```
--mode value Connect mode 'tun2socks' or 'sshuttle' (default: "tun2socks")
--dnsMode value Specify how to resolve service domains, can be 'localDNS', 'podDNS', 'hosts' or 'hosts:<namespaces>', for multiple namespaces use ',' separation (default: "localDNS")
--shareShadow Use shared shadow pod
--clusterDomain value The cluster domain provided to kubernetes api-server (default: "cluster.local")
--disablePodIp Disable access to pod IP address
--skipCleanup Do not auto cleanup residual resources in cluster
--includeIps value Specify extra IP ranges which should be route to cluster, e.g. '172.2.0.0/16', use ',' separated
--excludeIps value Do not route specified IPs to cluster, e.g. '192.168.64.2' or '192.168.64.0/24', use ',' separated
--disableTunDevice (tun2socks mode only) Create socks5 proxy without tun device
--disableTunRoute (tun2socks mode only) Do not auto setup tun device route
--proxyPort value (tun2socks mode only) Specify the local port which socks5 proxy should use (default: 2223)
--proxyAddr value (tun2socks mode only) Specify the ip address or hostname which socks5 proxy should use
--dnsCacheTtl value (local dns mode only) DNS cache refresh interval in seconds (default: 60)
```
Key options explanation:
- `--mode` provides two ways to connect to the cluster. Changing this parameter is not recommended unless the default `tun2socks` mode cannot be used for some specific reason, or the routing of certain IP ranges needs to be excluded.
- `--dnsMode` provides three ways to resolve the domain names of cluster services:
  - The `localDNS` mode starts a temporary domain name resolution service locally, which tries to resolve a domain name in the cluster first and then falls back to the system's upstream domain name service. You can specify the list of DNS addresses to look up in `localDNS:<dns1>,<dns2>` format; each DNS can be written as `IP:PORT` or as one of the special values `upstream` and `cluster`.
  - The `podDNS` mode uses the domain name service of the cluster to resolve all domains.
  - The `hosts` mode limits local access to the service domain names of the specified Namespaces. You can specify a comma-separated list of accessible Namespaces in the `hosts:<namespaces>` format, such as `--dnsMode hosts:default,dev,test`. By default, only the services of the Namespace where the Shadow Pod is located can be accessed.
- The `--shareShadow` parameter allows all developers working in the same Namespace to share one Shadow Pod. This saves cluster resources to a certain extent, but if the Shadow Pod crashes unexpectedly, all of those developers are affected at the same time.
- The `--proxyAddr` parameter is only valid when the `--disableTunDevice` parameter is also used, since the local TUN device requires a socks proxy listening on `127.0.0.1`.
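
The `--dnsMode` value syntax and the `--proxyAddr` / `--disableTunDevice` rule described above can be checked before a command line is run. The following pre-flight check is an added example, not part of ktctl or of this project's code. Its function names are hypothetical, the accepted syntax follows only what this page states, and the loopback finding is an added check: a socks5 proxy bound to a non-loopback address can be reached by other hosts on that network.

```python
import ipaddress

# Flag names, values and defaults follow the option list on this page.
BOOL_FLAGS = {"--shareShadow", "--disablePodIp", "--skipCleanup",
              "--disableTunDevice", "--disableTunRoute"}
TUN2SOCKS_ONLY = {"--disableTunDevice", "--disableTunRoute", "--proxyPort", "--proxyAddr"}
SAMPLE = ["--mode", "sshuttle", "--dnsMode", "localDNS:cluster,8.8.8.8",
          "--proxyAddr", "0.0.0.0"]  # constructed input that yields four findings

def parse_flags(argv):
    # Boolean flags take no value; every other flag consumes the next token.
    opts, tokens = {}, iter(argv)
    for flag in tokens:
        opts[flag] = True if flag in BOOL_FLAGS else next(tokens, "")
    return opts

def ip_or_none(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def valid_dns(entry):  # per this page: IP:PORT, 'upstream' or 'cluster'
    ip, _, port = entry.rpartition(":")
    return entry in ("upstream", "cluster") or (
        ip_or_none(ip) is not None and port.isdigit() and 0 < int(port) < 65536)

def check_dns_mode(value):
    kind, _, arg = value.partition(":")
    items = arg.split(",") if arg else []
    if kind == "localDNS":
        return [f"--dnsMode: bad DNS entry '{d}'" for d in items if not valid_dns(d)]
    if kind == "hosts":  # items are Namespace names
        return ["--dnsMode: empty namespace in hosts list"] if "" in items else []
    return [] if value == "podDNS" else [f"--dnsMode: unknown mode '{value}'"]

def audit(argv):
    """Return findings for a planned `ktctl connect` argument list."""
    opts = parse_flags(argv)
    out = check_dns_mode(opts.get("--dnsMode", "localDNS"))
    if opts.get("--mode", "tun2socks") == "sshuttle":
        out += [f"{f}: tun2socks mode only" for f in sorted(opts.keys() & TUN2SOCKS_ONLY)]
    addr = opts.get("--proxyAddr")
    if addr is not None and "--disableTunDevice" not in opts:
        out.append("--proxyAddr: only valid together with --disableTunDevice")
    ip = ip_or_none(addr) if addr else None  # hostnames other than localhost count as non-loopback
    if addr not in (None, "localhost") and not (ip is not None and ip.is_loopback):
        out.append(f"--proxyAddr: '{addr}' is not loopback, other hosts may reach the proxy")
    return out
```

Calling `audit(SAMPLE)` returns one finding per problem; an empty list means the arguments are consistent with the rules on this page.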