
Kubernetes ClusterIP service reachable from outside the cluster?

I have a Service defined with the ClusterIP Service type, but I am surprised to see that it has endpoints and so is reachable from outside the cluster.

According to the definition, a ClusterIP Service type should only be reachable from within the Kubernetes cluster, but having an endpoint makes the service pingable from anywhere (within a certain VNET), and so it is reachable from outside the cluster.

Does anyone know why this would happen?

Name:              active-mq-service
Namespace:         qa-env
Labels:            name=active-mq-service
Annotations:
Selector:          app=active-mq
Type:              ClusterIP
IP:                10.0.140.160
Port:              dashboard  8161/TCP
TargetPort:        8161/TCP
Endpoints:         10.3.1.20:8161
Port:              openwire  61616/TCP
TargetPort:        61616/TCP
Endpoints:         10.3.1.20:61616
Port:              amqp  5672/TCP
TargetPort:        5672/TCP
Endpoints:         10.3.1.20:5672
Port:              stomp  61613/TCP
TargetPort:        61613/TCP
Endpoints:         10.3.1.20:61613
Port:              mqtt  1883/TCP
TargetPort:        1883/TCP
Endpoints:         10.3.1.20:1883
Session Affinity:  None
Events:            <none>

Thanks

The endpoints that you're seeing are the IP addresses and ports of the Pods behind the Service.

When you create a cluster, you define a Pod IP address range and each Pod gets an IP address from this range when it's created (these are "virtual" IP addresses in the sense that there are no physical network devices with these IP addresses).

Depending on the CNI plugin you're using, the plugin configures routing entries in the gateway on the host network to route messages to these Pods (this happens when you use an unencapsulated CNI plugin; see encapsulated vs unencapsulated CNI plugins). So, if you have access to this gateway from outside the cluster (e.g. from the same VNET, as you say), then you can reach these Pods from outside the cluster.

However, this is a special case, and you would usually restrict and narrow down the network in which you create a Kubernetes cluster so that no unintended sources get access to anything inside the cluster.
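One way to verify the point made in this answer on your own network, as an added example that is not part of the original question or answers: run the script below from a VM that sits on the same VNET as the cluster nodes but is not a cluster member. It parses the Endpoints objects for the namespace (the shape `kubectl get endpoints -n qa-env -o json` produces; the JSON embedded here is constructed from the values in the question, not real output), then attempts a TCP connect to every Pod IP:port the Service forwards to. The Pod CIDR `10.3.0.0/16` is an assumption used only to flag which backend addresses fall inside the Pod range.

```python
"""Audit whether ClusterIP Service backends answer from a host outside the cluster.

The Endpoints of a Service are plain Pod IP:port pairs. With an unencapsulated
CNI those Pod IPs are routed by the VNET, so anything on the VNET can connect
to them directly, bypassing the Service entirely. This script lists the pairs
and probes them; run it from a VM on the VNET that is not a cluster node.
"""
import json
import socket
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the active-mq-service in the question.
# Real input: kubectl get endpoints -n qa-env -o json
SAMPLE_ENDPOINTS_JSON = json.dumps({
    "kind": "EndpointsList",
    "items": [{
        "metadata": {"name": "active-mq-service", "namespace": "qa-env"},
        "subsets": [{
            "addresses": [{"ip": "10.3.1.20"}],
            "ports": [
                {"name": "dashboard", "port": 8161, "protocol": "TCP"},
                {"name": "openwire", "port": 61616, "protocol": "TCP"},
                {"name": "amqp", "port": 5672, "protocol": "TCP"},
                {"name": "stomp", "port": 61613, "protocol": "TCP"},
                {"name": "mqtt", "port": 1883, "protocol": "TCP"},
            ],
        }],
    }],
})

# Assumed Pod address range for the cluster (hypothetical; use your own).
POD_CIDRS = ["10.3.0.0/16"]


def backend_targets(endpoints_json):
    """Return (service, ip, port, port_name) for every TCP backend in the list."""
    targets = []
    for item in json.loads(endpoints_json)["items"]:
        name = item["metadata"]["name"]
        for subset in item.get("subsets", []):
            for addr in subset.get("addresses", []):
                for p in subset.get("ports", []):
                    if p.get("protocol", "TCP") == "TCP":
                        targets.append((name, addr["ip"], p["port"], p.get("name", "")))
    return targets


def in_any(ip, cidrs):
    """True if ip lies inside any of the given CIDR ranges."""
    a = ip_address(ip)
    return any(a in ip_network(c) for c in cidrs)


def tcp_reachable(ip, port, timeout=1.0):
    """True if a TCP handshake completes; refused, timed out or unroutable -> False."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(endpoints_json, pod_cidrs, probe=tcp_reachable):
    """Classify each backend: is it a Pod IP, and does it answer from this host?"""
    report = []
    for svc, ip, port, pname in backend_targets(endpoints_json):
        report.append({
            "service": svc, "ip": ip, "port": port, "name": pname,
            "pod_ip": in_any(ip, pod_cidrs),
            "reachable": probe(ip, port),
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_ENDPOINTS_JSON, POD_CIDRS):
        status = "REACHABLE from outside" if row["reachable"] else "not reachable"
        print(f'{row["service"]} {row["name"]:<9} {row["ip"]}:{row["port"]}  '
              f'pod_ip={row["pod_ip"]}  {status}')
```

Every backend that reports REACHABLE is exposed to the whole VNET regardless of the Service type, so the effective perimeter for those ports is the VNET and its network security rules, not the ClusterIP setting. For contrast, a connect to the Service's own ClusterIP (10.0.140.160 in the question) from the same VM will normally fail: that address is virtual and is only translated by the kube-proxy rules present on the nodes, which is exactly the distinction this answer draws between the Service IP and the endpoint IPs.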

An endpoint address is the (internal) IP of a Pod, so it's not accessible from outside.

In Kubernetes, in the context of Service, you have the following addresses:

  • IP: service address in the internal service network
  • Endpoint IPs: addresses of Pods (to which the service forwards the requests) in the internal Pod network
  • External IP: only for LoadBalancer (you don't have it in a ClusterIP Service)
