Skip to main content

Local Testing


Local testing requires version v0.5+ of the Signadot CLI and v0.13+ of the Signadot Operator.


This guide explains how you can set up a local test environment for your microservices running in Kubernetes using Sandboxes. First, we'll be sending requests seamlessly from the local workstation into the cluster, and then we'll start receiving traffic from the cluster back to the workstation.

How Local Testing Works with Signadot

See the configuration for details on how to set up the CLI for local testing. Once the CLI has been configured, we can set up outbound connectivity from the workstation to the cluster.

Setting up outbound connectivity from workstation to cluster

% signadot local connect
signadot local connect needs root privileges for:
- updating /etc/hosts with cluster service names
- configuring networking to direct local traffic to the cluster

signadot local connect has been started ✓
* runtime config: cluster demo, running with root-daemon
✓ Local connection healthy!
* operator version 0.16.0
* port-forward listening at ":59933"
* localnet has been configured
* 45 hosts accessible via /etc/hosts
* sandboxes watcher is running
* Connected Sandboxes:
- No active sandbox

Once you have connected, you can check that services running within the cluster are accessible to you using their Kubernetes DNS names. For example, to access a Kubernetes ClusterIP service called my-service in namespace my-namespace, you will address it as, or or You can check /etc/hosts for a full list of accessible services.

To verify that you have outbound connectivity you can use curl, wget, or a web browser to access one of the services directly from your workstation. Note that this should work seamlessly without requiring additional port-forwarding if the connection was set up correctly.

Setting up a sandbox to test a microservice running locally

In a microservices stack, we'll now try and set up a test workload on our local workstation such that it can participate in a sandbox.

In this above situation, let us say we're trying to develop and modify the microservice svcB. We can run svcB locally on some port, say 8080. We can now set up a sandbox spec such that our local svcB can participate in traffic coming from the cluster. Note that this still uses routing key-based isolation and the traffic is completely isolated from baseline and other sandboxes that may be running in other developer workstations.

name: "@{user}-svcB-sandbox"
cluster: "@{cluster}"
description: "svcB local sandbox"
feature: my-local-feature
- name: "local-svcB"
kind: Deployment
namespace: some-namespace
name: deploy-b
- port: 8080
toLocal: "localhost:8080"
# ... optional preview URLs we want to set up

Note how in the above sandbox spec, we'll be capturing traffic from a Deployment named deploy-b running inside the cluster in namespace some-namespace on port 8080 and mapping it to localhost:8080. Now, we're ready to start using our sandbox for testing our code changes.

% signadot sandbox apply -f ./local-sb.yaml --set cluster=demo --set user=alice
Created sandbox "alice-svcB-sandbox" (routing key: y9grlsjyrquqd) in cluster "demo".

Waiting (up to --wait-timeout=3m0s) for sandbox to be ready...
✓ Sandbox status: Ready: All desired workloads are available.

Dashboard page:

The sandbox "alice-svcB-sandbox" was applied and is ready.

Now that our sandbox is ready, we can check that the sandbox is connected with this workstation by running signadot local status again.

% signadot local status

* runtime config: cluster demo, running with root-daemon
✓ Local connection healthy!
* operator version 0.16.0
* port-forward listening at ":59933"
* localnet has been configured
* 45 hosts accessible via /etc/hosts
* sandboxes watcher is running
* Connected Sandboxes:
- alice-svcB-route
* Routing Key: y9grlsjyrquqd
- local-route: routing from Deployment/deploy-b in namespace "some-namespace"
- remote port 8080 -> localhost:8080
✓ connection ready

We can now send requests to our application from any service, including the ingress, along with the routing key of the sandbox (y9grlsjyrquqd) as a request header to get requests to be served by our local workstation rather than the baseline version of svcB that is running within the cluster.

Note that you will be able to disconnect and when connecting back, your local sandboxes will automatically be restored. If you are running Signadot CLI < v0.6.0 and/or Operator < v0.14.1, local sandboxes are orphaned after disconnect and will need a re-apply to connect back.

Using Preview Endpoints

If you add an endpoints section to your sandbox specification, you can use the generated preview URL to send requests with the routing key context. The endpoint URL that is returned above is authenticated and points to the local version of svcB and can be used to run tests against it using an API key that you can retrieve from the Signadot Dashboard at

curl -H "signadot-api-key: ${SIGNADOT_API_KEY}" \


Note that the above guide only covers setting up local network connectivity. If you are looking to make use of Persistent Volumes, ConfigMaps, or other Kubernetes constructs, please use Sandbox Forks to set the microservice under test within Kubernetes instead.

Next Steps

This guide described a basic sandbox with a local workload that can be set up to write and test a single service in a microservices stack during development. Building on these fundamental constructs, you can run multiple local workloads, or use a RouteGroup to send requests to multiple sandboxes which may contain other local or in-cluster workloads.