
I have a Kubernetes cluster running behind a corporate proxy. I am not using Minikube. I have `http_proxy`, `https_proxy` and `no_proxy` set in `/etc/environment`. `no_proxy` has 127.0.0.0 and every node IP defined.

If I try to curl a service with ClusterIP from my master node, I get caught in the corporate proxy. What do I need to do so I can access the service? Changing the Service to NodePort and accessing it from outside of the cluster works.

I hope someone can explain to me what I am missing. Thanks in advance.

YAML files of Deployment and Service

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: app
  name: app-blue
spec:
  replicas: 1
  selector:
    matchLabels:
      run: app
      version: 0.0.1
  template:
    metadata:
      labels:
        run: app
        version: 0.0.1
    spec:
      containers:
      - name: app
        image: errm/versions:0.0.1
        ports:
        - containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
  name: app-service
spec:
  selector:
    run: app
    version: 0.0.1
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 3000
```

`kubectl describe` of the Service

```
Name:              app-service
Namespace:         default
Labels:            <none>
Annotations:       <none>
Selector:          run=app,version=0.0.1
Type:              ClusterIP
IP Families:       <none>
IP:                10.107.64.107
IPs:               10.107.64.107
Port:              http  80/TCP
TargetPort:        3000/TCP
Endpoints:         10.244.2.4:3000
Session Affinity:  None
Events:            <none>
```

Curl from master node

```
curl 10.107.64.107:80
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="de" lang="de" xml:lang="de" xmlns="http://www.w3.org/1999/xhtml">

<!--Head-->
<head>
  <meta content="IE=11.0000" http-equiv="X-UA-Compatible">
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <title>McAfee Web Gateway - Notification</title>
  <script src="/mwg-internal/de5fs23hu73ds/files/javascript/sw.js" type="text/javascript" ></script>
  <link rel="stylesheet" href="/mwg-internal/de5fs23hu73ds/files/default/web.css" />
</head>
<!--/Head-->
<!--Body-->
<body  onload="swOnLoad();" class="background">
<div class="inner_frame">
<div class="head_right_text">
<img alt="Logo" class="emblem" src='/mwg-internal/de5fs23hu73ds/files/default/img/wappen.png'>
</div>

<img alt="Logo" class="lion_left" src='/mwg-internal/de5fs23hu73ds/files/default/img/bg_loewe_links.png'>
<img alt="Logo" class="lion_right" src='/mwg-internal/de5fs23hu73ds/files/default/img/bg_loewe_rechts.png'>

<!--Contents-->
<div class="msg_border">
<div class="msg_head">
Keine Verbindung m&ouml;glich.
</div>
<div class="msg_text">

<p>
Der Proxy hat eine ung&uuml;ltige Antwort erhalten.
</p>
</div>
</div>

<!--/Contents-->
</div>
</body>
<!--/Body-->
</html>
```
jergan95
  • Use `curl -vvv`. Should confirm you're still connecting to a proxy. Check `env | grep -i proxy`. – SYN Feb 02 '21 at 06:56
  • You are right, I didn't think of the fact that the IP address of a service will be caught by the proxy too. So I think I need to add every service IP or endpoint to no_proxy or delete http_proxy. Or is there a good alternative I am missing? – jergan95 Feb 04 '21 at 09:09
  • Not necessarily every IP: you may use service names. Or try adding your SDN subnet into the no_proxy excludes – SYN Feb 04 '21 at 12:35

1 Answer

As discussed in comments: the issue here is that the proxy is still being used, which would be due to no_proxy being incomplete.

Using Service IP addresses instead of DNS names would still observe HTTP proxy environment configuration.

To avoid SDN addresses going through an external proxy, you should be able to add the whole Services subnet to your no_proxy, and maybe also include the Pods subnet, e.g.:

```
export NO_PROXY=<existing-exclusions>,10.233.0.0/18,10.233.64.0/18
```
SYN
  • Thank you for your suggestion. I figured out that it's no problem in my case, because only curl is not working. My Services are working with ingress even with incomplete no_proxy. But I used your answer to be able to test my services better. – jergan95 Feb 04 '21 at 15:30
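
An added example (not part of the original thread) that checks whether an address such as the ClusterIP from the question is covered by a NO_PROXY list, including CIDR entries like the ones the answer suggests. The node IPs and both CIDRs below are constructed assumptions, the function names are hypothetical, and whether a given client honours CIDR entries in NO_PROXY depends on the client and its version.

```sh
# Added example: does a NO_PROXY list exempt a given IPv4 address?
# Exact IPs and CIDR entries are checked; host-name entries never match an IP.

# Dotted quad -> integer; rejects malformed input and leading-zero octets.
ip_to_int() {
  local o IFS=.
  case "$1" in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
  set -- $1
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|0?*|????*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo "$(( (($1 * 256 + $2) * 256 + $3) * 256 + $4 ))"
}

# True if IPv4 address $1 lies inside CIDR $2.
in_cidr() {
  local ip net bits size
  ip=$(ip_to_int "$1") && net=$(ip_to_int "${2%/*}") || return 1
  bits=${2#*/}
  case "$bits" in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  size=1
  while [ "$bits" -lt 32 ]; do size=$((size * 2)); bits=$((bits + 1)); done
  [ "$((ip / size))" -eq "$((net / size))" ]   # same network prefix?
}

# Prints the entry of comma-separated list $2 that covers address $1, if any.
no_proxy_covers() {
  local list entry
  list=$(printf '%s,' "$2" | tr -d ' ')
  while [ -n "$list" ]; do
    entry=${list%%,*}; list=${list#*,}
    case "$entry" in
      */*) if in_cidr "$1" "$entry"; then echo "$entry"; return 0; fi ;;
      *)   if [ "$entry" = "$1" ]; then echo "$entry"; return 0; fi ;;
    esac
  done
  return 1
}

# Constructed sample lists; the two CIDRs are assumed Service and Pod ranges.
NODES_ONLY="127.0.0.1,localhost,192.0.2.10,192.0.2.11"
WITH_SDN="$NODES_ONLY,10.96.0.0/12,10.244.0.0/16"
for addr in 10.107.64.107 10.244.2.4; do
  no_proxy_covers "$addr" "$NODES_ONLY" >/dev/null || echo "$addr: proxied (nodes only)"
  echo "$addr: direct via $(no_proxy_covers "$addr" "$WITH_SDN")"
done
```

Checked against the question's addresses, the answer's illustrative `10.233.0.0/18` range does not contain `10.107.64.107`, so the entries added to NO_PROXY must be the cluster's actual Service and Pod CIDRs.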