Kubernetes Network (5)

Ingress and NodePort

Last article we talk about the two main traffic control in Kubernetes: Ingress and the NetworkPolicy. However for expose to external this point, I want to make a comparision here, and also give more Ingress examples.

Comparision

  • Ingress: Designed to provide HTTP/HTTPS routing to services within the cluster. It allows you to define rules for mapping hostnames (e.g., hello.com) and paths (e.g., /app) to specific services, making it suitable for scenarios requiring domain-based routing or TLS termination.

  • NodePort: Exposes a service on a specific port of each node in the cluster. It allows access using NodeIP:NodePort. While simpler, it DOESN't support domain-based routing or advanced features like TLS termination or path-based routing.

Senario:

Let's just consider a senario: If an external client want to access a website which hold by a Pod in the cluster. How can they do it?

  1. access by website domain with path: my-website.com/path

  2. access by the exteranl IP with path: <Exteranl_IP>/path

  3. access by NodeIP:NodePort

1. my-website.com/path

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: apache-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: mywebsite.com
    http:
      paths:
      - path: /path1
        pathType: Prefix
        backend:
          service:
            name: <your svc name>
            port:
              number: 8080
      - path: /path2
        pathType: Prefix
        backend:
          service:
            name: <your svc name>
            port:
              number: 8080

2. <Exteranl_IP>/path

In above yaml file, if we don't setup the field host: mywebsite.com, you can use the Exteranl_IP/path to access the resources.

3. NodeIP:NodePort

As we list at the beginning, NodePort don't support the advanced fatures like "path routing". Therefore we can only access it by NodeIP:NodePort. Otherwise, you need to set up external DNS.

apiVersion: v1
kind: Service
metadata:
  name: <your svc name>
spec:
  type: NodePort
  selector:
    app: <value>
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 30001 # Specify yourself or let Kubernetes assign one

Then set up an external DNS.

  • Create a DNS record (apache-svc) that resolves to the NodeIP.

  • Clients would access the service using apache-svc:30001.

By the way, external clients cannot directly use sth like: ServiceName:NodePort to access the service. The ServiceName is a DNS name resolvable only within the cluster (via the Kubernetes DNS). It is not exposed to external clients unless explicitly configured with an external DNS service or load balancer.

NodePort is intended to be accessed using the NodeIP:NodePort, which binds to the node's network interface. If you want external clients to use a name like apache-svc to access the service, you would need to configure an external DNS record that resolves apache-svc to the NodeIP, and clients would still need to append the NodePort.