0

Is there any extra security settings by default that it won't allow the public access of the Kubernetes Cluster on the IBM Cloud?

I exposed the application using the a NodePort service, but it is not accessible via 80 port and even I tried the other ports.

But it is working from the pod, such as visiting this public LoadBalancer by using the curl command. Even I can ping the public IP address of this LoadBalancer, this happens also for the Ingress as well.

The Ingress subdomain is also enabled.

This is an example of the External LoadBalancer in my Kubernetes cluster:

---
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: hello-world
spec:
  containers:
  - image: us.icr.io/my-space/hello-world
    imagePullPolicy: IfNotPresent
    name: hello-world
    ports:
    - containerPort: 8080
      name: http
      protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hello-world
  name: hello-world-service
spec:
  ports:
  - nodePort: 31190
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: hello-world
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer: {}
Jeff Sloyer
  • 4,899
  • 1
  • 24
  • 48
Michael
  • 31
  • 3
  • I'm not 100% certain with IBM, but I know in cases with other cloud providers such as Amazon, by default the network security policies and firewalls will prevent public access on most ports. Try opening up the port via the network security within IBM. – Dandy Oct 21 '19 at 05:06
  • It sounds like LoadBalancer and NodePort work - but Ingress does not work. Did you create an Ingress resource? If so, can you update your post with that information? Here's a link w/more info on creating an ingress resource: https://cloud.ibm.com/docs/containers?topic=containers-ingress#public_inside_4 – bhpratt Oct 21 '19 at 13:24
  • I tried ingress, it is still the same. – Michael Oct 23 '19 at 09:23

1 Answers1

0

Public load balancers are open to the internet by design so there is nothing blocking your LB. However, if you have a firewall between the internet and the cluster you might be cutting off traffic as it tries to enter the cluster. If you do a ‘kubectl get svc xxx’, you should see the external IP for the service and that should be accessible via port 80 per your spec above. Or you can use one of your worker nodes public IPs and the node port and try accessing it from there. If either of these fail, you’re blocking something somewhere.

If you still have trouble, jump into slack by registering here https://bxcs-slack-invite.mybluemix.net/ and then give me a ping at @john.

We can help you out at length there and then come back and address this post once we’ve nailed down your issue.

John Pape
  • 106
  • 3