Expose service on local kubernetes - kubernetes

I'm running a local kubernetes bundled with docker on Mac OS.
How can I expose a service, so that I can access the service via a browser on my Mac?
I've created:
a) deployment including apache httpd.
b) service via yaml:
apiVersion: v1
kind: Service
metadata:
name: apaches
spec:
selector:
app: web
type: NodePort
ports:
- protocol: TCP
port: 80
externalIPs:
- 192.168.1.10 # Network IP of my Mac
My service looks like:
$ kubectl get service apaches
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
apaches NodePort 10.102.106.158 192.168.1.10 80:31137/TCP 14m
I can locally access the service in my kubernetes cluster by wget $CLUSTER-IP
I tried to call http://192.168.1.10/ on my Mac, but it doesn't work.
This question deals to a similar issue. But the solution does not help, because I do not know which IP I can use.
Update
Thanks to Michael Hausenblas I worked out a solution using Ingress.
Nevertheless there are still some open questions:
What is the meaning of a service's externalIP? Why do I need an externalIP when I do not directly access a service from external?
What is the meaning of the service port 31137?
The kubernetes docs describe a method to [publish a service in minikube via NodePort][4]. Is this also possible with kubernetes bundled on docker?

There are several solutions to expose services in kubernetes:
http://alesnosek.com/blog/2017/02/14/accessing-kubernetes-pods-from-outside-of-the-cluster/
Here are my solutions according to alesnosek for a local kubernetes bundled with docker:
1. hostNetwork
hostNetwork: true
Dirty (the host network should not be shared for security reasons) => I did not check this solution.
2. hostPort
hostPort: 8086
Does not apply to services => I did not check this solution.
3. NodePort
Expose the service by defining a nodePort:
apiVersion: v1
kind: Service
metadata:
name: apaches
spec:
type: NodePort
ports:
- port: 80
nodePort: 30000
selector:
app: apache
4. LoadBalancer
EDIT
#MathObsessed posted the solution in his anwer.
5. Ingress
a. Install Ingress Controller
git clone https://github.com/jnewland/local-dev-with-docker-for-mac-kubernetes.git
kubectl apply -f nginx-ingress/namespaces/nginx-ingress.yaml -Rf nginx-ingress
b. Configure Ingress
kubectl apply -f apache-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: apache-ingress
spec:
rules:
- host: localhost
http:
paths:
- path: /
backend:
serviceName: apaches
servicePort: 80
Now I can access my apache deployed with kubernetes by calling http://localhost/
Remarks for using local-dev-with-docker-for-mac-kubernetes
The repo simplifies the deployment of the offical ingress-nginx controller
For production use I would follow the official guide.
The repos ships with a tiny full featured ingress example. Very useful for getting quickly a working example application.
Further documentation
https://kubernetes.io/docs/concepts/services-networking/ingress

For those still looking for an answer. I've managed to achieve this by adding another Kube service just to expose my app to localhost calls (via browser or Postman):
kind: Service
apiVersion: v1
metadata:
name: apaches-published
spec:
ports:
- name: http
port: 8080
targetPort: 80
protocol: TCP
selector:
app: web
type: LoadBalancer
Try it now on: http://localhost:8080

Really simple example
METHOD1
$ kubectl create deployment nginx-dep --image=nginx --replicas=2
Get the pods
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx-dep-5c5477cb4-76t9q 1/1 Running 0 7h5m
nginx-dep-5c5477cb4-9g84j 1/1 Running 0 7h5m
Access the pod using kubectl port
$ kubectl port-forward nginx-dep-5c5477cb4-9g84j 8888:80
Forwarding from 127.0.0.1:8888 -> 80
Forwarding from [::1]:8888 -> 80
Now do a curl to the localhost:8888
$ curl -v http://localhost:8888
METHOD2
You can expose port 80 of the deployment (where the application is runnin i.e. nginx port)
via a NodePort
$ kubectl expose deployment nginx-dep --name=nginx-dep-svc --type=NodePort --port=80
Get the service
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 31d
nginx-dep-svc NodePort 10.110.80.21 <none> 80:31239/TCP 21m
Access the deployment using hte NodePort
$ curl http://localhost:31239

As already mentioned in Matthias Ms answer there are several ways.
As the offical Kubernetes documentation specifically describes using a Service with a type NodePort I wanted to describe the workflow.
NodePort: Exposes the Service on each Node’s IP at a static port (the NodePort). A ClusterIP Service, to which the NodePort Service routes, is automatically created. You’ll be able to contact the NodePort Service, from outside the cluster, by requesting <NodeIP>:<NodePort>.
If you set the type field to NodePort, the Kubernetes control plane allocates a port from a range specified by --service-node-port-range flag (default: 30000-32767). Each node proxies that port (the same port number on every Node) into your Service. Your Service reports the allocated port in its .spec.ports[*].nodePort field.
Setup a Service with a type of NodePort
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
app: MyApp
ports:
- protocol: TCP
port: 80
targetPort: 9376
clusterIP: 10.0.171.239
type: NodePort
Then you can check on which port the Service is exposed to via
kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
my-service NodePort 10.103.218.215 <none> 9376:31040/TCP 52s
and access it via localhost using the exposed port. E.g.
curl http://localhost:31040

Related

kubernetes ingress network policy blocking services

I created a kubernetes pod efgh in namespace ns1
kubectl run efgh --image=nginx -n ns1
I created another pod in default namespace
kubectl run apple --image=nginx
I created a service efgh in namespace ns1
kubectl expose pod efgh --port=80 -n ns1
Now I created a network policy to block incoming connections to the pod
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: ns1
spec:
podSelector:
matchLabels:
run: efgh
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
project: ns1
- from:
- namespaceSelector:
matchLabels:
project: default
podSelector:
matchLabels:
run: apple
ports:
- protocol: TCP
port: 80
Checking the pods in ns1 gives me
NAME READY STATUS RESTARTS AGE IP
efgh 1/1 Running 0 3h4m 10.44.0.4
Checking the services in ns1 gives me
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
efgh ClusterIP 10.109.170.238 <none> 80/TCP 164m
Once I open terminal in apple pod and run below it works
curl http://10-44-0-4.ns1.pod
curl http://10.44.0.4
but when I try curl by trying to access the pod through the service it fails.
curl http://10.109.170.238
If i delete the network policy the above curl works
I think this is an issue with my local kubernetes cluster. I tried elsewhere it works
When I did port forward
root#kubemaster:/home/vagrant# kubectl port-forward service/efgh 8080:80 -n ns1
Forwarding from 127.0.0.1:8080 -> 80
Forwarding from [::1]:8080 -> 80
See below, more details here ServiceTypes
Publishing Services (ServiceTypes)
For some parts of your application (for example, frontends) you may want to expose a Service onto an external IP address, that's outside of your cluster.
Kubernetes ServiceTypes allow you to specify what kind of Service you want. The default is ClusterIP.
Type values and their behaviors are:
ClusterIP: Exposes the Service on a cluster-internal IP. Choosing this value makes the Service only reachable from within the cluster. This is the default ServiceType.
NodePort: Exposes the Service on each Node's IP at a static port (the NodePort). A ClusterIP Service, to which the NodePort Service routes, is automatically created. You'll be able to contact the NodePort Service, from outside the cluster, by requesting <NodeIP>:<NodePort>.
LoadBalancer: Exposes the Service externally using a cloud provider's load balancer. NodePort and ClusterIP Services, to which the external load balancer routes, are automatically created.
ExternalName: Maps the Service to the contents of the externalName field (e.g. foo.bar.example.com), by returning a CNAME record with its value. No proxying of any kind is set up.

How should I use externalIPs on service with EKS?

I was trying to apply service externalIPs feature on EKS cluster.
What I do
I've created EKS cluster with eksctl:
eksctl create cluster --name=test --region=eu-north-1 --nodes=1
I've opened all security groups to make sure I don't have issue with firewall. ACL also allow all traffic.
I took public IP for the only available worker node and try to use it with simple service + deployment.
This should be only 1 deployment with 1 replicaset and 1 pod with nginx. This should be attached to a service with external/public IP everyone can reach.
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
spec:
replicas: 1
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
containers:
- name: nginx
image: nginx
---
apiVersion: v1
kind: Service
metadata:
name: app
labels:
app: app
spec:
ports:
- port: 80
targetPort: 80
selector:
app: app
externalIPs:
- 13.51.55.82
When I apply it then everything seems to work just fine. I can port-forward my app service to localhost and I can see the output (kubectl port-forward svc/app 9999:80 -> curl localhost:9999).
But the problem is I cannot reach this service via public IP.
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
app ClusterIP 10.100.140.38 13.51.55.82 80/TCP 49m
kubernetes ClusterIP 10.100.0.1 <none> 443/TCP 62m
$ curl 13.51.55.82:80
curl: (7) Failed to connect to 13.51.55.82 port 80: Connection refused
Thoughts
For me it looks like the service is not connected to node itself. When I ssh to the node and setup simple web server on port 80 it respond immediately.
I know I can use NodePort but in my case I want finally use fixed port 4000 and NodePort allow me only to use ports in range 30000-32768.
Question
I want to be able to curl my service via public IP on certain port below 30000 (NodePort doesn't apply).
How can I make it work with Kubernetes Service externalIPs on EKS cluster?
Edit I:
FYI: I do not want to use LoadBalancer.

Can't to talk with other pods using Kubernetes Service

How I understand that I could be able to talk with other pods from a specific pod by sending from within the pod an HTTP request with the fully qualified domain name of the service (FQDN).
The system runs locally with minikube.
The service's YML -
apiVersion: v1
kind: Service
metadata:
name: kubia
spec:
sessionAffinity: ClientIP
ports:
- port: 80
targetPort: 8080
selector:
app: kubia
The describe of the service -
Name: kubia
Namespace: default
Labels: <none>
Annotations: <none>
Selector: app=kubia
Type: ClusterIP
IP: 10.111.178.111
Port: <unset> 80/TCP
TargetPort: 8080/TCP
Endpoints: 172.17.0.7:8080,172.17.0.8:8080,172.17.0.9:8080
Session Affinity: ClientIP
Events: <none>
I'm trying to do that with -
kubectl exec -it kubia-gqd5l bash
where kubia-gqd5l is the pod.
In the bash I tried to sent a request by -
curl http://kubia
Where kubia is the name of the service.
and I got error -
curl: (6) Could not resolve host: kubia.
It is important to note that I manage to communicate with the service by -
kubectl exec kubia-gqd5l -- curl -s http://10.111.178.111
any idea?
Kubernetes clusters usually have DNS deployed. That allows pod to pod communications within the cluster (among other things) by using the name of the corresponding Kubernetes services. See https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
Does your Kubernetes cluster/minikube have DNS running?
Something else to check is the selector in the Service definition - make sure the pod/deployment has the app: kubia label as specified in the selector.
Otherwise, and per the doc at the link above, because the lookup of the service is from a pod in the same namespace, it shouldn't be needed to use the namespace along with the service name: (quote) "...Assume a Service named foo in the Kubernetes namespace bar. A Pod running in namespace bar can look up this service by simply doing a DNS query for foo. A Pod running in namespace quux can look up this service by doing a DNS query for foo.bar".
Have a look at this answer 2 Kubernetes pod communicating without knowing the exposed address, to target a service it's better to add the namespace with the service.

Expose cluster in k8s on localhost

Because docker supports out of the box kubernetes (on my Mac) I thought I try it out and see if I can load balance a simple webservice. For that, I created a simple image, which exposes port 3000 and only returns Hello World. And I created a k8s config yaml
apiVersion: v1
kind: Service
metadata:
name: hello-kubernetes
spec:
type: NodePort
externalIPs:
- 192.168.2.85
ports:
- port: 8080
targetPort: 3000
selector:
app: hello-kubernetes
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: hello-kubernetes
spec:
replicas: 3
selector:
matchLabels:
app: hello-kubernetes
template:
metadata:
labels:
app: hello-kubernetes
spec:
containers:
- name: hello-kubernetes
image: hello/world:latest
ports:
- containerPort: 3000
Apply it
$> kubectl apply -f ./example.yaml
I see 3 pods running, and a service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
hello-kubernetes NodePort 10.99.38.46 192.168.2.85 8080:30244/TCP 42m
I've used NodePort above, but I'm not sure if I can use Loadbalancer here as well.
Anyway, in the browser I get the message This site can’t be reached when I goto http://192.168.2.85:8080 or `http://192.168.2.85:30244 (I never know which port to use)
So, I think I'm close, but I still missed something :( Any help would be appreciated!
the port number is wrong.
use http://NODEIP:NODEPORT
in your case, try
http://NODEIP:30244
k explain service.spec.externalIPs
KIND: Service VERSION: v1
FIELD: externalIPs <[]string>
DESCRIPTION:
externalIPs is a list of IP addresses for which nodes in the cluster will
also accept traffic for this service. These IPs are not managed by
Kubernetes. The user is responsible for ensuring that traffic arrives at a
node with this IP. A common example is external load-balancers that are not
part of the Kubernetes system.
Problem here is we don't know your network settings. IS this minikube for mac? Is the 192.168.2.x network reachable for you? In my case using minikube all I had to do was to edit the externalIP to be reachable from my network. So what I did to get this working was:
minikube IP in my case 192.168.99.100 (IP address of minikubeVM)
changed externalIP to 192.168.99.100
k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
hello-kubernetes NodePort 10.105.212.118 192.168.99.100 8080:32298/TCP 46m
And I was able to reach the application using 192.168.99.100:8080.
Also note that in your case you have 8081 port (But I guess P Ekambaram already mentioned this).

How to expose a Kubernetes service on a specific Nodeport?

I have create a pod with the below yaml definition.
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
containers:
- name: myapp-container
image: praveensripati/docker-demo:1.2
ports:
- containerPort: 3000
And now I expose the pod, which creates a service.
kubectl expose pod myapp-pod --type=NodePort
The port 3000 on the container is exposed to port 31728 on the nodes. And I am able to do access the page using curl on port 31728.
kubectl get service myapp-pod
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
myapp-pod NodePort 10.107.254.254 <none> 3000:31728/TCP 5s
This time I wanted to expose the service not a random port, but on port 80. And so I specify the port number as 80, by using --port. The service details are a bit odd. It says that port 80 on the container is exposed to port 31316 on the nodes. Also, I am able to access the page using curl on the random port (31316 in this case) and not port 80.
kubectl expose pod myapp-pod --type=NodePort --target-port=3000 --port=80
kubectl get service myapp-pod
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
myapp-pod NodePort 10.105.123.73 <none> 80:31316/TCP 12s
I am not able to expose a service on a specific port and not on a random port. I tried a few combinations and read the k8s documentation, but no success.
How do I expose a service on a specific port instead of a random port?
Your question is about exposing the NodePort type of service on a specific port. For that you need to specify the nodePort field under ports in your service definition.
kind: Service
apiVersion: v1
metadata:
name: my-service
spec:
selector:
app: myapp
ports:
- protocol: TCP
port: 3000
nodePort: 32321
type: NodePort
Note that it has to be within a given range provided in the configs. Which defaults to 30000-32767. This range can be specified in the kube-apiserver configs using the --service-node-port-range option.
When an existing Dashboard service already exists, remove it.
kubectl delete service kubernetes-dashboard -n kube-system
Expose the Dashboard deployment as a NodePort.
kubectl expose deployment kubernetes-dashboard -n kube-system --type=NodePort
The above will assign a random port >= 30000. So use the Patch command to assign the port to a known, unused and desired port >= 30000.
kubectl patch service kubernetes-dashboard --namespace=kube-system --type='json' --patch='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":30000}]'
Caution: Never expose your dashboard publicly without authentication.
If your cluster does not have a LoadBalancer Provider, you can specify externalIPs in IP of nodes' network interface.
For example:
apiVersion: v1
kind: Service
metadata:
name: nginx
spec:
type: ClusterIP
externalIPs:
- 125.100.99.101 # Node1-IP
- 125.100.99.102 # Node2-IP
- 192.168.55.112 # Node2-IP2
selector:
pod: nginx
ports:
- name: http
port: 80
- name: https
port: 443
This will listen 80 and 443 on the specified node, and forward to the nginx service.
I had the same problem and the only way I found to do it without modifying the files was:
k expose --type=NodePort deployment nginx --port 80 --name nginx-ep-patch --overrides '{ "apiVersion": "v1","spec":{"ports": [{"port":80,"protocol":"TCP","targetPort":80,"nodePort":30080}]}}'
service/nginx-ep-patch exposed
In this way we path online the configuration and the port 30080 has been exposed:
$ k describe svc nginx-ep-patch
Name: nginx-ep-patch
Namespace: default
Labels: app=nginx
Annotations: <none>
Selector: app=nginx
Type: NodePort
IP: 10.96.51.148
Port: <unset> 80/TCP
TargetPort: 80/TCP
NodePort: <unset> 30080/TCP
Endpoints: 10.244.0.6:80
Session Affinity: None
External Traffic Policy: Cluster
Events: <none>
I will try to answer your query here.
Also, I am able to access the page using curl on the random port
(31316 in this case) and not port 80.
-- Because, kubernetes exposed the port 31316 on the host (maps to the service) and hence it can be accessed on host:31316.
-- Service port is visible only within the kubernetes cluster. You can exec into a pod container and do a curl on servicename:service port instead of the NodePort.
Note the terms - container port: the port container listens on. Service port: the port where kubernetes service is exposed on cluster internal ip and mapped to the container port. Nodeport: the port exposed on the host and mapped to kubernetes service.
we can expose Kubernetes service on specific node port.
Port value must be between 30000-32767.
We can expose service to specific port of below service types:
NodePort
LoadBalancer
Find the sample myservice.yaml file below:
apiVersion: v1
kind: Service
metadata:
name: app1
spec:
type: NodePort/LoadBalancer
ports:
- name: "80"
port: 80
nodePort: 32062
targetPort: 80
selector:
appone: app1
app: test
Note: In above service yaml file we can specify service type either NodePort or Loadbalancer.
For those who need to use kubectl commands, you can create a NodePort service with a specified port using create nodeport command:
kubectl create nodeport NAME [--tcp=port:targetPort] [--dry-run=server|client|none]
For example:
kubectl create service nodeport myservice --node-port=31000 --tcp=3000:80
You can check Kubectl reference for more:
https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#-em-service-nodeport-em-