This page shows how to connect to services running on a Kubernetes cluster.
Before we start
You must have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended that you run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you don't already have a cluster, you can create one using minikube, or you can use one of these Kubernetes playgrounds:
- Play with Kubernetes
Access services running on the cluster
In Kubernetes, nodes, pods and services all have their own IPs. In many cases, the node IPs, pod IPs, and some service IPs in a cluster are not routable, so they are not reachable from a machine outside the cluster, such as your desktop machine.
Ways to connect
You have several options for connecting to nodes, pods and services from outside the cluster:
- Access services via public IP addresses.
- Use a service with type NodePort or LoadBalancer to make the service reachable outside the cluster. See the services and kubectl expose documentation.
- Depending on your cluster environment, this may expose the service only to your corporate network, or it may expose it to the internet. Think about whether the service being exposed is secure. Does it do its own authentication?
- Place pods behind services. To access one specific pod from a replica set, such as for debugging, put a unique label on the pod and create a new service that selects this label.
- In most cases, it should not be necessary for an application developer to directly access nodes through their node IPs.
- The API server proxy performs authentication and authorization before accessing the remote service. Use this if the services are not secure enough to expose to the internet, or to access ports on the node IP, or for debugging.
- Proxies can cause problems for some web applications.
- Only works for HTTP/HTTPS.
- Described here.
- Run a pod, and then connect to a shell in it using kubectl exec. Connect to other nodes, pods, and services from that shell.
- Some clusters may allow you to connect to a node in the cluster. From there you may be able to access cluster services. This is a non-standard method and will work on some clusters but not others. Browsers and other tools may or may not be installed. Cluster DNS may not work.
Discover integrated services
Typically, there are several services that kube-system starts in a cluster. Get a list of these with the kubectl cluster-info command:
The output is similar to this:
This shows the proxy-verb URL for accessing each service. For example, this cluster has cluster-level logging enabled (using Elasticsearch), which can be reached at https://192.0.2.1/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/ if suitable credentials are passed, or through a kubectl proxy at, for example: http://localhost:8080/api/v1/namespaces/kube-system/services/elasticsearch-logging/proxy/.
Manually constructing apiserver proxy URLs
As mentioned above, use the kubectl cluster-info command to retrieve the service's proxy URL. To create proxy URLs that include service endpoints, suffixes, and parameters, append to the service's proxy URL: http://kubernetes_master_address/api/v1/namespaces/namespace_name/services/[https:]service_name[:port_name]/proxy
If you haven't specified a name for your port, you don't have to specify port_name in the URL. You can also use the port number in place of port_name for both named and unnamed ports.
By default, the API server proxies to your service using HTTP. To use HTTPS, prefix the service name with "https:": http://<kubernetes_master_address>/api/v1/namespaces/<namespace_name>/services/<service_name>/proxy
The formats supported by the <service_name> segment of the URL are:
- <service_name> – proxy to default or unnamed port using http
- <service_name>:<port_name> – proxy to the specified port name or port number using http
- https:<service_name>: – proxy to the default or unnamed port using https (note the trailing colon)
- https:<service_name>:<port_name> – proxy to the specified port name or port number using https
To access the Elasticsearch service endpoint _search?q=user:kimchy, you would use:
To access the Elasticsearch cluster health information _cluster/health?pretty=true, you would use:
The health information looks like this:
To access the https Elasticsearch service health information _cluster/health?pretty=true, you would use:
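The segment formats and endpoint suffixes described above, as an added example that is not part of the original page: a Python builder and parser for the [https:]service_name[:port_name] segment. The function names are assumptions made for illustration; the address, namespace and service name are the ones this page uses. The "https:" prefix only selects the scheme the API server uses towards the service, so the parser is handy when reviewing which backend scheme a proxied request asked for.

```python
from urllib.parse import quote


def service_segment(name, port=None, https=False):
    """Build the [https:]service_name[:port_name] URL segment."""
    if not name:
        raise ValueError("service name is required")
    port = "" if port is None else str(port)
    # ':' and '/' are delimiters in the proxy URL, so reject them in the parts.
    for label, value in (("service name", name), ("port", port)):
        if ":" in value or "/" in value:
            raise ValueError(f"{label} must not contain ':' or '/': {value!r}")
    if https:
        # The trailing colon stays even when no port is given.
        return f"https:{name}:{port}"
    return f"{name}:{port}" if port else name


def proxy_url(base, namespace, name, port=None, https=False, suffix=""):
    """Return the API server proxy URL for a service endpoint."""
    segment = service_segment(name, port, https)
    return (f"{base.rstrip('/')}/api/v1/namespaces/{quote(namespace, safe='')}"
            f"/services/{quote(segment, safe=':')}/proxy/{suffix.lstrip('/')}")


def parse_segment(segment):
    """Split a segment into (scheme used towards the service, name, port)."""
    parts = segment.split(":")
    if len(parts) == 1:
        return ("http", parts[0], None)
    if len(parts) == 2:
        return ("http", parts[0], parts[1] or None)
    if len(parts) == 3 and parts[0] == "https":
        return ("https", parts[1], parts[2] or None)
    raise ValueError(f"unrecognised service segment: {segment!r}")


if __name__ == "__main__":
    base = "https://192.0.2.1"  # example address used on this page
    for use_https in (False, True):
        print(proxy_url(base, "kube-system", "elasticsearch-logging",
                        https=use_https, suffix="_cluster/health?pretty=true"))
    print(parse_segment("https:elasticsearch-logging:"))
```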
Use web browsers to access services running on the cluster
You may be able to put an apiserver proxy URL into a browser's address bar. However:
- Web browsers generally cannot pass tokens, so you may need to use basic (password) authentication. The apiserver can be configured to accept basic authentication, but your cluster may not be configured to accept basic authentication.