copyright | lastupdated | keywords | subcollection | ||
---|---|---|---|---|---|
|
2021-03-22 |
kubernetes, iks, app access |
containers |
{:DomainName: data-hd-keyref="APPDomain"} {:DomainName: data-hd-keyref="DomainName"} {:android: data-hd-operatingsystem="android"} {:api: .ph data-hd-interface='api'} {:apikey: data-credential-placeholder='apikey'} {:app_key: data-hd-keyref="app_key"} {:app_name: data-hd-keyref="app_name"} {:app_secret: data-hd-keyref="app_secret"} {:app_url: data-hd-keyref="app_url"} {:authenticated-content: .authenticated-content} {:beta: .beta} {:c#: data-hd-programlang="c#"} {:cli: .ph data-hd-interface='cli'} {:codeblock: .codeblock} {:curl: .ph data-hd-programlang='curl'} {:deprecated: .deprecated} {:dotnet-standard: .ph data-hd-programlang='dotnet-standard'} {:download: .download} {:external: target="_blank" .external} {:faq: data-hd-content-type='faq'} {:fuzzybunny: .ph data-hd-programlang='fuzzybunny'} {:generic: data-hd-operatingsystem="generic"} {:generic: data-hd-programlang="generic"} {:gif: data-image-type='gif'} {:go: .ph data-hd-programlang='go'} {:help: data-hd-content-type='help'} {:hide-dashboard: .hide-dashboard} {:hide-in-docs: .hide-in-docs} {:important: .important} {:ios: data-hd-operatingsystem="ios"} {:java: .ph data-hd-programlang='java'} {:java: data-hd-programlang="java"} {:javascript: .ph data-hd-programlang='javascript'} {:javascript: data-hd-programlang="javascript"} {:new_window: target="_blank"} {:note .note} {:note: .note} {:objectc data-hd-programlang="objectc"} {:org_name: data-hd-keyref="org_name"} {:php: data-hd-programlang="php"} {:pre: .pre} {:preview: .preview} {:python: .ph data-hd-programlang='python'} {:python: data-hd-programlang="python"} {:route: data-hd-keyref="route"} {:row-headers: .row-headers} {:ruby: .ph data-hd-programlang='ruby'} {:ruby: data-hd-programlang="ruby"} {:runtime: architecture="runtime"} {:runtimeIcon: .runtimeIcon} {:runtimeIconList: .runtimeIconList} {:runtimeLink: .runtimeLink} {:runtimeTitle: .runtimeTitle} {:screen: .screen} {:script: data-hd-video='script'} {:service: architecture="service"} {:service_instance_name: data-hd-keyref="service_instance_name"} {:service_name: data-hd-keyref="service_name"} {:shortdesc: .shortdesc} {:space_name: data-hd-keyref="space_name"} {:step: data-tutorial-type='step'} {:subsection: outputclass="subsection"} {:support: data-reuse='support'} {:swift: .ph data-hd-programlang='swift'} {:swift: data-hd-programlang="swift"} {:table: .aria-labeledby="caption"} {:term: .term} {:tip: .tip} {:tooling-url: data-tooling-url-placeholder='tooling-url'} {:troubleshoot: data-hd-content-type='troubleshoot'} {:tsCauses: .tsCauses} {:tsResolve: .tsResolve} {:tsSymptoms: .tsSymptoms} {:tutorial: data-hd-content-type='tutorial'} {:ui: .ph data-hd-interface='ui'} {:unity: .ph data-hd-programlang='unity'} {:url: data-credential-placeholder='url'} {:user_ID: data-hd-keyref="user_ID"} {:vbnet: .ph data-hd-programlang='vb.net'} {:video: .video}
{: #nodeport}
Make your containerized app available to internet access by using the public IP address of any worker node in a Kubernetes cluster and exposing a NodePort. Use this option for testing in {{site.data.keyword.containerlong}} and for short-term public access.
{: shortdesc}
{: #nodeport_planning}
Expose a public port on your worker node and use the public IP address of the worker node to access your service in the cluster publicly from the internet. {: shortdesc}
When you expose your app by creating a Kubernetes service of type NodePort, a NodePort in the range of 30000 - 32767 and an internal cluster IP address is assigned to the service. The NodePort service serves as the external entry point for incoming requests for your app. The assigned NodePort is publicly exposed in the kubeproxy
settings of each worker node in the cluster. Every worker node starts listening on the assigned NodePort for incoming requests for the service. To access the service from the internet, you can use the public IP address of any worker node that was assigned during cluster creation and the NodePort in the format <IP_address>:<nodeport>
. If you want to access the service on the private network, use the private IP address of any worker node instead of the public IP address.
The following diagram shows how communication is directed from the internet to an app when a NodePort service is configured:
-
A request is sent to your app by using the public IP address of your worker node and the NodePort on the worker node.
-
The request is automatically forwarded to the NodePort service's internal cluster IP address and port. The internal cluster IP address is accessible inside the cluster only.
-
kube-proxy
routes the request to the Kubernetes NodePort service for the app. -
The request is forwarded to the private IP address of the pod where the app is deployed. If multiple app instances are deployed in the cluster, the NodePort service routes the requests between the app pods.
The public IP address of the worker node is not permanent. When a worker node is removed or re-created, a new public IP address is assigned to the worker node. You can use the NodePort service for testing the public access for your app or when public access is needed for a short amount of time only. When you require a stable public IP address and more availability for your service, expose your app by using a network load balancer (NLB) service or Ingress. {: note}
{: #nodeport_config}
You can expose your app as a Kubernetes NodePort service for free or standard clusters. {: shortdesc}
Because worker nodes in VPC clusters do not have a public IP address, you can access an app through a NodePort only if you are connected to your private VPC network, such as through a VPN connection or by using the Kubernetes web terminal. To access an app from the internet, you must use a VPC load balancer or Ingress service instead. {: note}
Gateway-enabled clusters that run Kubernetes version 1.17 only: If you have a gateway-enabled cluster and use a public node port to expose your app, public traffic on the node port is blocked by default in Kubernetes version 1.17. Instead, use a load balancer service or create a preDNAT Calico policy with an order number that is lower than 1800
and with a selector ibm.role == 'worker_public'
so that public traffic is explicitly allowed to the node port.
{: note}
If you do not already have an app ready, you can use a Kubernetes example app called Guestbook{: external}.
Before you begin:
- Log in to your account. If applicable, target the appropriate resource group. Set the context for your cluster.
- VPC clusters: Allow traffic requests that are routed to node ports on your worker nodes.
To use a NodePort:
-
In the configuration file for your app, define a service{: external} section.
For the Guestbook example, a front-end service section exists in the configuration file. To make the Guestbook app available externally, add the NodePort type and a NodePort in the range 30000 - 32767 to the front-end service section. {: tip}
Example:
apiVersion: v1 kind: Service metadata: name: <my-nodeport-service> labels: <my-label-key>: <my-label-value> spec: selector: <my-selector-key>: <my-selector-value> type: NodePort ports: - port: <8081> # nodePort: <31514>
{: codeblock}
Understanding the NodePort service components Component Description name
Replace <my-nodeport-service>
with a name for your NodePort service.Learn more about [securing your personal information](/docs/containers?topic=containers-security#pi) when you work with Kubernetes resources.
labels
Replace <my-label-key>
and<my-label-value>
with the label that you want to use for your service.selector
Replace <my-selector-key>
and<my-selector-value>
with the key/value pair that you used in thespec.template.metadata.labels
section of your deployment YAML. To associate the service with the deployment, the selector must match the deployment labels.port
Replace <8081>
with the port that your service listens on.nodePort
Optional: Replace <31514>
with a NodePort in the 30000 - 32767 range. Do not specify a NodePort that is already in use by another service. If no NodePort is assigned, a random one is assigned for you.
To specify a NodePort and see which NodePorts are already in use, run the following command:kubectl get svc
Any NodePorts in use appear under the **Ports** field.
-
Save the updated configuration file.
-
When the app is deployed, you can use the public IP address of any worker node and the NodePort to form the public URL to access the app in a browser. If your worker nodes are connected to a private VLAN only, then a private NodePort service was created and can be accessible through a worker node's private IP address.
-
Get the public IP address for a worker node in the cluster. If you want to access the worker node on a private network or have a VPC cluster, get the private IP address instead.
ibmcloud ks worker ls --cluster <cluster_name>
{: pre}
Output:
ID Public IP Private IP Size State Status prod-dal10-pa215dcf5bbc0844a990fa6b0fcdbff286-w1 192.0.2.23 10.100.10.10 u3c.2x4 normal Ready prod-dal10-pa215dcf5bbc0844a990fa6b0fcdbff286-w2 192.0.2.27 10.100.10.15 u3c.2x4 normal Ready
{: screen}
-
If a random NodePort was assigned, find out which one was assigned.
kubectl describe service <service_name>
{: pre}
Output:
Name: <service_name> Namespace: default Labels: run=<deployment_name> Selector: run=<deployment_name> Type: NodePort IP: 10.10.10.8 Port: <unset> 8080/TCP NodePort: <unset> 30872/TCP Endpoints: 172.30.171.87:8080 Session Affinity: None No events.
{: screen}
In this example, the NodePort is
30872
.If the Endpoints section displays
<none>
, check the<selectorkey>
and<selectorvalue>
that you use in thespec.selector
section of the NodePort service. Ensure that it is the same as the key/value pair that you used in thespec.template.metadata.labels
section of your deployment YAML. {: note} -
Form the URL with one of the worker node IP addresses and the NodePort. Example:
http://192.0.2.23:30872
. For VPC clusters, you must be connected to the private network through a VPN connection or by using the Kubernetes web terminal to access the worker node private IP address and NodePort. {: note}
-