I was reading k8s docs at https://kubernetes.io/docs/concepts/services-networking/service/.
NodePort: Exposes the Service on each Node's IP at a static port (the NodePort). A ClusterIP Service, to which the NodePort Service routes, is automatically created. You'll be able to contact the NodePort Service, from outside the cluster, by requesting <NodeIP>:<NodePort>.
So, I tried checking it practically. In this LoadBalancer service, port 31724 is a NodePort and 80 is the container port. According to docs, the NodePort should be open to the outer world and the container port should not. But with nmap, I found the reverse being true.
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
gen LoadBalancer 10.200.32.132 10.44.9.162,10.44.9.163 80:31724/TCP,443:30039 20d
$ nmap -p 80 10.44.9.162
Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-08 12:33 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.44.9.162
Host is up (0.00061s latency).
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds
$ nmap -p 31724 10.44.9.162
Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-08 12:33 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.44.9.162
Host is up (0.00044s latency).
PORT STATE SERVICE
31724/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
I am surely missing something. Please help me understand this. Thanks!
Follow-up:
I know follow-up should be a different question but it seemed like the correct place.
I created a NodePort service and retried the same. And it was as told in the description.
object-controller-np NodePort 10.200.32.240 <none> 7203:31206/TCP 5s
NodeIP
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.46.104.20 ...
$ nmap -p 7203 10.46.104.20
Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-09 07:01 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.46.104.20
Host is up (0.00052s latency).
PORT STATE SERVICE
7203/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
$ nmap -p 31206 10.46.104.20
Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-09 07:01 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.46.104.20
Host is up (0.00050s latency).
PORT STATE SERVICE
31206/tcp open unknown
Earlier I tried with LoadBalancer, as I thought it is kind of a superset of NodePort.
Question: So why the exact opposite behaviour with NodePort in NodePort-type service and LoadBalancer-type service.
From a popular answer:
NodePort
If you access this service on a nodePort from the node's external IP, it will route the request tospec.clusterIp:spec.ports[*].port
, which will in turn route it to yourspec.ports[*].targetPort
, if set. This service can also be accessed in the same way as ClusterIP. ...
LoadBalancer
You can access this service from your load balancer's IP address, which routes your request to a nodePort, which in turn routes the request to the clusterIP port.
So, for a NodePort, the request goes like:
NodeIP:NodePort -> ClusterIP:Port -> ClusterIP:TargetPort
Above Port
is the port specified as port
in yaml that exposes the Kubernetes service on the specified port within the cluster. And TargetPort is the port specified by targetPort
in yaml on which the service will send requests to, that your pod will be listening on.
For a LoadBalancer, the behaviour I expected was:
ExternalLBIP:NodePort --(load-balanced across nodes)--> NodeIP:NodePort -> ClusterIP:Port -> ClusterIP:TargetPort
What I see is:
ExternalLBIP:NodePort -> (doesn't work)
And instead, what works is:
ExternalLBIP:Port --(load-balanced across nodes)--> NodeIP:Port -> ClusterIP:Port -> ClusterIP:TargetPort
NodePort
andLoadBalancer
are two differentService
types. – Malt