:original_name: cce_10_0142.html .. _cce_10_0142: NodePort ======== Scenario -------- A Service is exposed on each node's IP address at a static port (NodePort). A ClusterIP Service, to which the NodePort Service will route, is automatically created. By requesting :, you can access a NodePort Service from outside the cluster. .. figure:: /_static/images/en-us_image_0000001517743380.png :alt: **Figure 1** NodePort access **Figure 1** NodePort access Notes and Constraints --------------------- - By default, a NodePort Service is accessed within a VPC. If you need to use an EIP to access a NodePort Service through public networks, bind an EIP to the node in the cluster in advance. - After a Service is created, if the affinity setting is switched from the cluster level to the node level, the connection tracing table will not be cleared. You are advised not to modify the Service affinity setting after the Service is created. If you need to modify it, create a Service again. - CCE Turbo clusters support only cluster-level service affinity. - In VPC network mode, when container A is published through a NodePort service and the service affinity is set to the node level (that is, **externalTrafficPolicy** is set to **local**), container B deployed on the same node cannot access container A through the node IP address and NodePort service. - When a NodePort service is created in a cluster of v1.21.7 or later, the port on the node is not displayed using **netstat** by default. If the cluster forwarding mode is **iptables**, run the **iptables -t nat -L** command to view the port. If the cluster forwarding mode is **ipvs**, run the **ipvsadm -nL** command to view the port. Creating a NodePort Service --------------------------- #. Log in to the CCE console and click the cluster name to access the cluster. #. Choose **Networking** in the navigation pane and click **Create Service** in the upper right corner. #. Set intra-cluster access parameters. - **Service Name**: Specify a Service name, which can be the same as the workload name. - **Service Type**: Select **NodePort**. - **Namespace**: Namespace to which the workload belongs. - **Service Affinity**: For details, see :ref:`externalTrafficPolicy (Service Affinity) `. - **Cluster level**: The IP addresses and access ports of all nodes in a cluster can access the workload associated with the Service. Service access will cause performance loss due to route redirection, and the source IP address of the client cannot be obtained. - **Node level**: Only the IP address and access port of the node where the workload is located can access the workload associated with the Service. Service access will not cause performance loss due to route redirection, and the source IP address of the client can be obtained. - **Selector**: Add a label and click **Add**. A Service selects a pod based on the added label. You can also click **Reference Workload Label** to reference the label of an existing workload. In the dialog box that is displayed, select a workload and click **OK**. - **Port Settings** - **Protocol**: protocol used by the Service. - **Service Port**: port used by the Service. The port number ranges from 1 to 65535. - **Container Port**: port on which the workload listens. For example, Nginx uses port 80 by default. - **Node Port**: You are advised to select **Auto**. You can also specify a port. The default port ranges from 30000 to 32767. #. Click **OK**. Using kubectl ------------- You can run kubectl commands to set the access type. This section uses a Nginx workload as an example to describe how to set a NodePort Service using kubectl. #. Use kubectl to connect to the cluster. For details, see :ref:`Connecting to a Cluster Using kubectl `. #. Create and edit the **nginx-deployment.yaml** and **nginx-nodeport-svc.yaml** files. The file names are user-defined. **nginx-deployment.yaml** and **nginx-nodeport-svc.yaml** are merely example file names. **vi nginx-deployment.yaml** .. code-block:: apiVersion: apps/v1 kind: Deployment metadata: name: nginx spec: replicas: 1 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:latest name: nginx imagePullSecrets: - name: default-secret **vi nginx-nodeport-svc.yaml** .. code-block:: apiVersion: v1 kind: Service metadata: labels: app: nginx name: nginx-nodeport spec: ports: - name: service nodePort: 30000 # Node port. The value ranges from 30000 to 32767. port: 8080 # Port for accessing a Service. protocol: TCP # Protocol used for accessing a Service. The value can be TCP or UDP. targetPort: 80 # Port used by a Service to access the target container. This port is closely related to the applications running in a container. In this example, the Nginx image uses port 80 by default. selector: # Label selector. A Service selects a pod based on the label and forwards the requests for accessing the Service to the pod. In this example, select the pod with the app:nginx label. app: nginx type: NodePort # Service type. NodePort indicates that the Service is accessed through a node port. #. Create a workload. **kubectl create -f nginx-deployment.yaml** If information similar to the following is displayed, the workload has been created. .. code-block:: deployment "nginx" created **kubectl get po** If information similar to the following is displayed, the workload is running. .. code-block:: NAME READY STATUS RESTARTS AGE nginx-2601814895-qhxqv 1/1 Running 0 9s #. Create a Service. **kubectl create -f nginx-nodeport-svc.yaml** If information similar to the following is displayed, the Service is being created. .. code-block:: service "nginx-nodeport" created **kubectl get svc** If information similar to the following is displayed, the Service has been created. .. code-block:: # kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.247.0.1 443/TCP 4d8h nginx-nodeport NodePort 10.247.30.40 8080:30000/TCP 18s #. Access the Service. By default, a NodePort Service can be accessed by using *Any node IP address:Node port*. The Service can be accessed from a node in another cluster in the same VPC or in another pod in the cluster. If a public IP address is bound to the node, you can also use the public IP address to access the Service. Create a container in the cluster and access the container by using *Node IP address:Node port*. .. code-block:: # kubectl get node -owide NAME STATUS ROLES AGE INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME 10.100.0.136 Ready 152m 10.100.0.136 CentOS Linux 7 (Core) 3.10.0-1160.25.1.el7.x86_64 docker://18.9.0 10.100.0.5 Ready 152m 10.100.0.5 CentOS Linux 7 (Core) 3.10.0-1160.25.1.el7.x86_64 docker://18.9.0 # kubectl run -i --tty --image nginx:alpine test --rm /bin/sh If you do not see a command prompt, try pressing Enter. / # curl 10.100.0.136:30000 Welcome to nginx!

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

/ # .. _cce_10_0142__section18134208069: externalTrafficPolicy (Service Affinity) ---------------------------------------- For a NodePort Service, requests are first sent to the node port, then the Service, and finally the pod backing the Service. The backing pod may be not located in the node receiving the requests. By default, the backend workload can be accessed from any node IP address and service port. If the pod is not on the node that receives the request, the request will be redirected to the node where the pod is located, which may cause performance loss. **externalTrafficPolicy** is a configuration parameter of the Service. .. code-block:: apiVersion: v1 kind: Service metadata: name: nginx-nodeport spec: externalTrafficPolicy: local ports: - name: service nodePort: 30000 port: 80 protocol: TCP targetPort: 80 selector: app: nginx type: NodePort If the value of **externalTrafficPolicy** is **local**, requests sent from *Node IP address:Service port* will be forwarded only to the pod on the local node. If the node does not have a pod, the requests are suspended. The other value of **externalTrafficPolicy** is **cluster** (default value), which indicates that requests are forwarded in a cluster. You can set this parameter when creating a Service of the NodePort type on the CCE console. The values of **externalTrafficPolicy** are as follows: - **cluster**: The IP addresses and access ports of all nodes in a cluster can access the workload associated with the Service. Service access will cause performance loss due to route redirection, and the source IP address of the client cannot be obtained. - **local**: Only the IP address and access port of the node where the workload is located can access the workload associated with the Service. Service access will not cause performance loss due to route redirection, and the source IP address of the client can be obtained.