From 659fb3f3399a5ecc2b0f15657058657c0c870d37 Mon Sep 17 00:00:00 2001
From: docker-claude
Date: Wed, 15 Apr 2026 08:49:11 +0200
Subject: [PATCH] feat(proxy): allow CONNECT tunnels to Kubernetes API server port 6443
---
 proxy/squid.conf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/proxy/squid.conf b/proxy/squid.conf
index cac6ff8..55fba0d 100644
--- a/proxy/squid.conf
+++ b/proxy/squid.conf
@@ -18,10 +18,15 @@ coredump_dir /var/cache/squid
 # ─── ACL Definitions ──────────────────────────────────────────────────────────
 acl SSL_ports port 443
+acl SSL_ports port 6443 # Kubernetes API server
 acl Safe_ports port 80
 acl Safe_ports port 443
+acl Safe_ports port 6443 # Kubernetes API server
 acl CONNECT method CONNECT
+# Kubernetes API server — allow CONNECT tunnels to any cluster endpoint on :6443
+acl kubectl_api port 6443
+
 # ─── Egress allowlist ─────────────────────────────────────────────────────────
 # Add domains here as needed. Leading dot matches all subdomains.
 acl allowed_sites dstdomain api.anthropic.com
@@ -43,6 +48,9 @@ http_access deny CONNECT !SSL_ports
 # Allow HTTPS tunnels only to allowlisted destinations
 http_access allow CONNECT allowed_sites
+# Allow kubectl to reach any Kubernetes API server on the standard port
+http_access allow CONNECT kubectl_api
+
 # Allow plain HTTP only to allowlisted destinations
 http_access allow allowed_sites
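Review bot: `acl kubectl_api port 6443` matches on destination port alone, so the `http_access allow CONNECT kubectl_api` rule added in the second hunk (`@@ -43,6 +48,9 @@`) lets any proxy client open a tunnel to any host on 6443, which bypasses the `allowed_sites` egress allowlist for that port. Squid cannot tell kubectl from any other client and does not see inside a CONNECT tunnel, so 6443 becomes an unfiltered egress path. ACLs on one `http_access` line are ANDed, so the rule can be tied to the known cluster endpoints: `acl k8s_api_hosts dstdomain <cluster-api-hostname>` (placeholder) and `http_access allow CONNECT kubectl_api k8s_api_hosts`, or a `dst` ACL if the API servers are addressed by IP. The comments in both hunks should then say "allowlisted cluster endpoints" rather than "any".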