
I have got the following service for Kubernetes dashboard:

    Name:               kubernetes-dashboard
    Namespace:          kube-system
    Labels:             k8s-app=kubernetes-dashboard
                        kubernetes.io/cluster-service=true
    Annotations:        kubectl.kubernetes.io/last-applied-configuration={"kind":"Service","apiVersion":"v1","metadata":{"name":"kubernetes-dashboard","namespace":"kube-system","creationTimestamp":null,"labels":{"k8s-app":"k...
    Selector:           k8s-app=kubernetes-dashboard
    Type:               NodePort
    IP:                 10.0.106.144
    Port:               <unset> 80/TCP
    NodePort:           <unset> 30177/TCP
    Endpoints:          10.244.0.11:9090
    Session Affinity:   None
    Events:             <none>

According to the documentation, I ran

    az acs kubernetes browse

and it works on http://localhost:8001/ui

But I want to access it outside the cluster too. The describe output says that it is exposed using NodePort on port 30177.

But I'm not able to access it on http://<any node IP>:30177

Jaydeep Solanki
  • FWIW exposing your dashboard on a public IP would be a security problem. Have you tried running an nginx container with NodePort first? Also check your NSG settings to see if any firewall ports are opened when you have a service with NodePort. – ahmet alp balkan Apr 16 '17 at 01:15
  • Does anyone have a clue on this issue? Please help: https://stackoverflow.com/q/47597267/7296379 – jk1510 Dec 04 '17 at 05:13

3 Answers


As we know, to expose the service to the internet, we can use NodePort and LoadBalancer.

As far as I know, Azure does not support the NodePort type now.

> But I want to access it outside the cluster too.

We can use LoadBalancer to re-create the Kubernetes dashboard. Here are my steps:

  1. Delete kubernetes-dashboard via the Kubernetes UI: set Namespace to kube-system, then select Services, then delete it: [image] [image]

  2. Modify kubernetes-dashboard-service.yaml: SSH to the master VM, then change type from NodePort to LoadBalancer:

    root@k8s-master-47CAB7F6-0:/etc/kubernetes/addons# vi kubernetes-dashboard-service.yaml

     apiVersion: v1
     kind: Service
     metadata:
       labels:
         kubernetes.io/cluster-service: "true"
         k8s-app: kubernetes-dashboard
       name: kubernetes-dashboard
       namespace: kube-system
     spec:
       ports:
       - port: 80
         targetPort: 9090
       selector:
         k8s-app: kubernetes-dashboard
       type: LoadBalancer
    
  3. Start kubernetes browse from CLI 2.0:

    C:\Users>az acs kubernetes browse -g k8s -n containerservice-k8s

Then SSH to the master VM to check the status: [image]

Now we can browse the UI via the public IP address:

[image]

Update:
The following image shows the architecture of an Azure Container Service cluster (Kubernetes); we should use a load balancer to expose the service to the internet.

[image]

Tibebes. M
Jason Ye
  • Please let me know if you would like further assistance. – Jason Ye Apr 17 '17 at 13:01
  • Thanks, for the answer :) Is there any documentation on why it doesn't support NodePort? Or any workaround? – Jaydeep Solanki Apr 17 '17 at 18:59
  • NodePort exposes the service on the worker nodes. The worker nodes are firewalled and don't have public IPs. Why are you trying to do that instead of using `type=LoadBalancer`? Generally NodePort is for on-premise scenarios that lack easily programmable load balancers. – colemickens Apr 17 '17 at 19:24
  • @colemickens, so I'm trying to use `NodePort` for some dev workload, and `type=LoadBalancer` takes some time to get the external IP assigned. `NodePort` gets up & running quickly and I can access all the services using `:NodePort` – Jaydeep Solanki Apr 17 '17 at 19:36
  • @colemickens, I have a freshly deployed k8s cluster, it contains only 1 NSG (`k8s-master-43247458-nsg`) in the resource group, attached to 1 subnets, 0 network interfaces. I allowed port range `30000-32767` in the NSG, but the service isn't accessible. Can you please provide some hints on what I am missing? – Jaydeep Solanki Apr 17 '17 at 19:50
  • @Jaydeep I have updated my answer; in that image, we can see how ACS (Kubernetes) works, so we should use a load balancer to expose the service to the internet. – Jason Ye Apr 18 '17 at 01:42
  • @Jaydeep I've supplied another top level answer, as that's what SO seems to demand due to the length of my reply. – colemickens Apr 18 '17 at 06:00

On second thought, this actually is expected to NOT work. The only public IP in the cluster, by default, is for the load balancer on the masters. And that load balancer obviously is not configured to forward random ports (like 30000-32767 for example). Further, none of the nodes directly have a public IP, so by definition NodePort is not going to work external to the cluster.

The only way you're going to make this work is by giving the nodes public IP addresses directly. This is not encouraged for a variety of reasons.

If you merely want to avoid waiting... then I suggest:

  1. Don't delete the Service. Most dev scenarios should just be `kubectl apply -f <directory>`, in which case you don't really need to wait for the Service to re-provision.

  2. Use Ingress along with 'nginx-ingress-controller' so that you only need to wait for the full LB+NSG+PublicIP provisioning once, and then can just add/remove Ingress objects in your dev scenario.

  3. Use minikube for development scenarios, or manually add public IPs to the nodes to make the NodePort scenario work.

colemickens

You can't expose the service via NodePort by running the `kubectl expose` command; you get a VIP address outside the range of the subnets your cluster sits on... Instead, deploy a service through a YAML file and you can specify an internal load balancer as a type..., which will give you a local IP on the master subnet, which you can connect to via the internal network...

Or, you can just expose the service with an external load balancer and get a public IP, available on the www.

Mr. E
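The answers above describe several ways a Service can be reachable (NodePort, a public LoadBalancer, an internal load balancer), and the first comment notes that a publicly exposed dashboard is a security problem. As an added example that is not part of any answer, this Python check classifies each Service in `kubectl get services --all-namespaces -o json` output by exposure. It assumes the Azure cloud provider's internal-load-balancer annotation and the standard `loadBalancerSourceRanges` field are supported by the cluster version; every Service name except `kubernetes-dashboard`, and the 203.0.113.0/24 range, are constructed.

```python
import json

# Azure cloud-provider annotation requesting an internal (private) load balancer.
INTERNAL_LB = "service.beta.kubernetes.io/azure-load-balancer-internal"

def exposure(svc):
    """Classify how far beyond the cluster one Service object (a dict) is reachable."""
    meta, spec = svc.get("metadata", {}), svc.get("spec", {})
    kind = spec.get("type", "ClusterIP")
    if kind == "NodePort":
        return "node-network"   # open on every node IP; public only if nodes have public IPs
    if kind != "LoadBalancer":
        return "cluster-only"
    annotations = meta.get("annotations") or {}
    if annotations.get(INTERNAL_LB, "").lower() == "true":
        return "internal-lb"    # private IP on the cluster's virtual network
    ranges = spec.get("loadBalancerSourceRanges") or []
    if ranges and not {"0.0.0.0/0", "::/0"}.intersection(ranges):
        return "public-restricted"
    return "public-open"        # public IP, no source allowlist

def audit(service_list_json):
    """Return (namespace, name, exposure) for every Service reachable beyond the cluster."""
    findings = []
    for svc in json.loads(service_list_json).get("items", []):
        meta, level = svc.get("metadata", {}), exposure(svc)
        if level != "cluster-only":
            findings.append((meta.get("namespace"), meta.get("name"), level))
    return findings

# Constructed sample; only "kubernetes-dashboard" is a name taken from the page.
def _svc(name, svc_type, annotations=None, ranges=None):
    spec = {"type": svc_type, "ports": [{"port": 80, "targetPort": 9090}]}
    if ranges:
        spec["loadBalancerSourceRanges"] = ranges
    meta = {"name": name, "namespace": "kube-system", "annotations": annotations}
    return {"kind": "Service", "metadata": meta, "spec": spec}

SAMPLE = json.dumps({"kind": "List", "items": [
    _svc("kubernetes-dashboard", "LoadBalancer"),
    _svc("dashboard-internal", "LoadBalancer", {INTERNAL_LB: "true"}),
    _svc("dashboard-allowlisted", "LoadBalancer", ranges=["203.0.113.0/24"]),
    _svc("dashboard-nodeport", "NodePort"),
    _svc("kube-dns", "ClusterIP"),
]})

if __name__ == "__main__":
    for namespace, name, level in audit(SAMPLE):
        print(f"{namespace}/{name}: {level}")
```

A `public-open` result for the dashboard is the configuration the first comment on the question warns about; `internal-lb` and `public-restricted` correspond to the narrower exposures.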