Secure access to any Kubernetes service.

Connect to databases, internal tools, and APIs running in your clusters — without exposing them publicly or managing VPNs. Tunnel routes traffic through mogenius with full RBAC enforcement and audit logging. No kubeconfig required.

Illustration: Secure Access URL (tunnel.mogenius.com) → secure tunnel → internal K8s service (production/postgres:5432). No public exposure. Every session logged.

Accessing cluster services is harder than it should be.

Traditional approach

  • Every developer needs a kubeconfig and direct cluster access — credential sprawl, key-person risk
  • VPNs add latency, complexity, and yet another set of credentials to manage
  • Exposing services via LoadBalancer or Ingress for internal access creates security risk
  • kubectl port-forward requires cluster-level permissions and breaks on connection loss
  • No audit trail of who accessed what service, when, and for how long

With mogenius Tunnel

  • Access services via browser or CLI — no kubeconfig, no cluster credentials needed
  • Secure WebSocket tunnel through mogenius platform — no VPN overhead
  • Services stay internal; only authorized users can create tunnels to them
  • Auto-reconnect, configurable session durations, keepalive built in
  • Every tunnel session logged: user, service, namespace, duration, timestamps

Secure path.
Zero cluster exposure.

One click to connect. Full audit trail automatic.

When you create a tunnel, mogenius establishes a secure WebSocket connection between your browser (or CLI) and the target service in your cluster. The connection is authenticated through your mogenius account and authorized based on your workspace and cluster permissions.

  • No kubeconfig distribution — authentication via mogenius identity
  • RBAC enforced at tunnel creation — Editor role or higher required
  • Traffic encrypted end-to-end through the mogenius platform
  • Configurable session durations: 30 min, 4 hours, 24 hours, or unlimited
  • Auto-close after inactivity — no forgotten open connections

  YOU: Browser or CLI (mocli)
    ↓ WebSocket
  MOGENIUS: Platform → RBAC → Audit Log
    ↓ Secure channel
  CLUSTER: Operator → Service → Pod

Your machine never touches the cluster API directly. All access is mediated and logged.

Everything you need to access without exposing it

Database Access

Connect your local database client (pgAdmin, DBeaver, TablePlus) to PostgreSQL, MySQL, or Redis running in Kubernetes. No public endpoint. No credential sharing.

psql -h localhost -p 5432

Internal Tools

Access admin panels, monitoring dashboards, or management interfaces securely. Grafana, Prometheus, phpMyAdmin, custom admin UIs — all reachable without Ingress exposure.

Zero public exposure

Debugging & Development

Troubleshoot services that aren't exposed via Ingress. Test internal APIs from your local machine. Connect local dev tools to staging or production services safely.

curl localhost:8080

UI or CLI.
Your choice.

Browser UI

Create tunnels from the mogenius dashboard. Navigate to Tunnels or click the Tunnel button on any service in the Resource Browser. Get a unique URL to access your service directly.

  • One-click tunnel creation from Service list
  • Select session duration (30m to unlimited)
  • Copy tunnel URL or open in new tab
  • Manage all active tunnels in one place

CLI (mocli)

Use mocli port-forward to create tunnels from your terminal. Perfect for scripting, local development workflows, and connecting CLI-based database clients.

$ mocli port-forward --namespace production \
--service postgres --port 5432:5432
Forwarding production/postgres:5432 → localhost:5432
✓ Tunnel active. Press Ctrl+C to close.

  • Zero: Kubeconfigs to distribute or manage
  • 100%: Tunnel sessions logged with user identity
  • Seconds: Time to connect — click and go
  • RBAC: Workspace permissions enforced on every tunnel

Governed access.
Full audit trail.

Tunnels provide direct TCP access to services in your cluster. That's powerful — and mogenius ensures it's governed. Your existing workspace RBAC controls who can create tunnels. Every session is logged with user identity, target service, and timestamps.

No credential sharing. No VPN configs to leak. No "who left that port-forward running?" Sessions auto-close after the configured duration or 30 minutes of inactivity. Tunnel URLs are unique per session and can't be reused or shared.

RBAC Enforced

Workspace permissions checked at tunnel creation. Same roles you already defined — no separate access layer.

Every Session Logged

User identity, service, namespace, start time, duration. Full trail for compliance and incident reconstruction.

Auto-Expire

Sessions close after configured duration or inactivity. No forgotten open connections.

Access your services.
Skip the VPN.

Secure tunnels to any Kubernetes service — governed, logged, and ready in seconds.

Certifications & Memberships

mogenius is a CNCF Silver Member, a Certified Kubernetes product, and ISO 27001 certified via TÜV Saarland.