Last article we talk about the two main traffic control in Kubernetes: Ingress and the NetworkPolicy. However for expose to external this point, I want to make a comparision here, and also give more Ingress examples.
Comparision
- Ingress: Designed to provide HTTP/HTTPS routing to services within the cluster. It allows you to define rules for mapping hostnames (e.g., hello.com) and paths (e.g., /app) to specific services, making it suitable for scenarios requiring domain-based routing or TLS termination.
- NodePort: Exposes a service on a specific port of each node in the cluster. It allows access using
NodeIP:NodePort
. While simpler, it DOESN’t support domain-based routing or advanced features like TLS termination or path-based routing.
Senario:
Let’s just consider a senario:
If an external client want to access a website which hold by a Pod in the cluster. How can they do it?
- access by website domain with path:
my-website.com/path
- access by the exteranl IP with path:
<Exteranl_IP>/path
- access by
NodeIP:NodePort
1. my-website.com/path
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: apache-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: mywebsite.com
http:
paths:
- path: /path1
pathType: Prefix
backend:
service:
name: <your svc name>
port:
number: 8080
- path: /path2
pathType: Prefix
backend:
service:
name: <your svc name>
port:
number: 8080
2. <Exteranl_IP>/path
In above yaml file, if we don’t setup the field host: mywebsite.com
, you can use the Exteranl_IP/path
to access the resources.
3. NodeIP:NodePort
As we list at the beginning, NodePort don’t support the advanced fatures like “path routing”. Therefore we can only access it by NodeIP:NodePort
. Otherwise, you need to set up external DNS.
apiVersion: v1
kind: Service
metadata:
name: <your svc name>
spec:
type: NodePort
selector:
app: <value>
ports:
- protocol: TCP
port: 80
targetPort: 80
nodePort: 30001 # Specify yourself or let Kubernetes assign one
Then set up an external DNS.
- Create a DNS record (apache-svc) that resolves to the NodeIP.
- Clients would access the service using apache-svc:30001.
By the way, external clients cannot directly use sth like: ServiceName:NodePort
to access the service.
The ServiceName
is a DNS name resolvable only within the cluster (via the Kubernetes DNS). It is not exposed to external clients unless explicitly configured with an external DNS service or load balancer.
NodePort is intended to be accessed using the NodeIP:NodePort
, which binds to the node’s network interface.
If you want external clients to use a name like apache-svc to access the service, you would need to configure an external DNS record that resolves apache-svc to the NodeIP, and clients would still need to append the NodePort.