14

I have the following service configuration:

```yaml
kind: Service
apiVersion: v1
metadata:
  name: web-srv
spec:
  type: NodePort
  selector:
    app: userapp
    tier: web
  ports:
    - protocol: TCP
      port: 8090
      targetPort: 80
      nodePort: 31000
```

and an nginx container is behind this service. Although I can access the service via nodePort, the service is not accessible via the port field. I'm able to see the configs with kubectl and the Kubernetes dashboard, but curling that port (e.g. `curl http://192.168.0.100:8090`) raises a Connection Refused error.

I'm not sure what the problem is here. Do I need to make sure any proxy service is running inside the Node or Container?

Chris Stryczynski
Afshin Mehrabani

2 Answers

31

Get the IP of the kubernetes service and then hit 8090; it will work. nodePort implies that the service is bound to the node at port 31000.

These are the 3 things that will work:

```bash
curl <node-ip>:<node-port>        # curl <node-ip>:31000
curl <service-ip>:<service-port>  # curl <svc-ip>:8090
curl <pod-ip>:<target-port>       # curl <pod-ip>:80
```

So now, let's look at 3 situations:

1. You are inside the kubernetes cluster (you are a pod)

<service-ip> and <pod-ip> and <node-ip> will work.

2. You are on the node

<service-ip> and <pod-ip> and <node-ip> will work.

3. You are outside the node

Only <node-ip> will work assuming that <node-ip> is reachable.

iamnat
  • that makes complete sense to me. I will test this, +1 for the clear explanation. – Afshin Mehrabani May 05 '17 at 10:02
  • hmm, I see `` in the external IP column and something like `10.0.0.91` in the cluster IP for that service. What does this mean? (sorry if the question is too basic) – Afshin Mehrabani May 05 '17 at 10:13
  • 1
    All of these seemed to just hang for me. I used `kubectl describe service ` to get the ``. My service has `port` set to `80`, `targetPort` set to `8080`, and `nodePort` set to `31000`. None of those options worked. Is there something else we're supposed to do? – abrarisme Feb 18 '18 at 09:59
  • 1
    In case someone is looking for #3 and has the same issue that I did, adding `iptables -A FORWARD -j ACCEPT` on the nodes in question will also help. See the accepted answer [here](https://stackoverflow.com/questions/46667659/kubernetes-cannot-access-nodeport-from-other-machines) – Pete.Mertz Jul 12 '19 at 12:58
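
The three address forms from the answer above, worked through for the `web-srv` service as an added example (not code from any poster). The cluster IP `10.0.0.91` and node IP `192.168.0.100` are the values mentioned in the thread; the pod IP, the JSON samples and the function names are constructed for illustration.

```python
import json

# Constructed input shaped like `kubectl get svc web-srv -o json` and
# `kubectl get endpoints web-srv -o json`; the pod IP is a made-up value.
SERVICE = json.loads('''{"spec": {"type": "NodePort", "clusterIP": "10.0.0.91",
  "ports": [{"protocol": "TCP", "port": 8090, "targetPort": 80, "nodePort": 31000}]}}''')
ENDPOINTS = json.loads('''{"subsets": [{"addresses": [{"ip": "10.244.1.7"}],
  "ports": [{"port": 80, "protocol": "TCP"}]}]}''')
NODE_IPS = ["192.168.0.100"]

def reachable_targets(service, endpoints, node_ips):
    """Return {vantage point: [host:port, ...]} following the answer's three cases."""
    spec = service["spec"]
    cluster_ip = spec.get("clusterIP")
    svc, node = [], []
    for p in spec.get("ports", []):
        # A headless service has clusterIP "None": there is no virtual IP to hit.
        if cluster_ip and cluster_ip != "None":
            svc.append(f"{cluster_ip}:{p['port']}")
        # nodePort exists only on NodePort and LoadBalancer services.
        if spec.get("type") in ("NodePort", "LoadBalancer") and "nodePort" in p:
            node += [f"{ip}:{p['nodePort']}" for ip in node_ips]
    # Endpoints list the resolved numeric pod port, so a named targetPort
    # (for example "http") needs no extra lookup.
    pods = [f"{a['ip']}:{p['port']}"
            for s in endpoints.get("subsets") or []
            for a in s.get("addresses") or []
            for p in s.get("ports") or []]
    inside = svc + pods + node
    return {"pod": inside, "node": inside, "outside": node}

def diagnose(host, port, service, node_ips):
    """Explain an attempt made from outside the cluster against a node address."""
    spec = service["spec"]
    for p in spec.get("ports", []):
        if host in node_ips and port == p.get("nodePort"):
            return "ok: node IP with nodePort"
        if host in node_ips and port == p["port"]:
            return (f"mismatch: {port} is the service port on clusterIP "
                    f"{spec.get('clusterIP')}; from outside use nodePort {p.get('nodePort')}")
    return "no matching port on this service"

if __name__ == "__main__":
    for vantage, targets in reachable_targets(SERVICE, ENDPOINTS, NODE_IPS).items():
        print(f"{vantage:8} {targets}")
    print(diagnose("192.168.0.100", 8090, SERVICE, NODE_IPS))
```

The `outside` list is the part of the service exposed beyond the cluster, so it is the one to compare against node firewall rules.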
1

The behavior is as expected since I assume you are trying to access the service from outside the cluster. That means only the nodePort exposes the service to the world outside the cluster. The port refers to the port on the pod, as exposed by the container inside the pod. This is generally the desired behavior, so as to support clusters of services that are typically represented by a load balancer. So the load balancer will expose the port you want for your service (e.g. load-balancer:80) and forward to the nodePort on all nodes so as to distribute the load.

If you are accessing the service from inside the cluster, you should be able to reach it via service-name:service-port thanks to the built-in DNS.

More detailed information can be found at the docs.

Oswin Noetzelmann