Nginx ingress controller with type: NodePort refused request from public IP

Hey everyone,

Hope someone can help.

I use nginx-ingress-controller with type = NodePort rather than LoadBalancer. I’ve already set ExternalIPs with my node public IP in the ingress service definition. But every time I curl with the IP, it refuses to connect. If I curl from inside the node by using the cluster IP, it’s able to respond.

Can’t I use NodePort type for the controller?

Thanks, have a nice day.

Are you using the nodePort when connecting? Or which port? Is kube-proxy running okay on the node?

Yes I use NodePort when deploying the controller instead of LoadBalancer.

What does your curl command look like? Are there any logs for the nginx-controller that might give a hint as to what is failing?

I use

curl -v http://external-node-ip/healthz

And the output of kubectl logs -f $POD_NAME is:

I0214 10:07:29.549177   6 launch.go:128]
Name:       NGINX
Release:    0.9.0-beta.17
Build:      git-baa6bcb0
Repository: https://github.com/kubernetes/ingress-nginx
I0214 10:07:29.549202   6 launch.go:131] Watching for ingress class: nginx
I0214 10:07:29.549362   6 launch.go:307] Creating API client for https://10.96.0.1:443
I0214 10:07:29.561883   6 launch.go:319] Running in Kubernetes Cluster version v1.13 (v1.13.3) - git (clean) commit 721bfa751924da8d1680787490c54b9179b1fed0 - platform linux/amd64
I0214 10:07:29.563534   6 launch.go:155] validated ingress-nginx/default-http-backend as the default backend
I0214 10:07:29.567723   6 nginx.go:174] starting NGINX process...
I0214 10:07:29.572592   6 controller.go:1262] starting Ingress controller
I0214 10:07:35.352356   6 controller.go:1270] running initial sync of secrets
I0214 10:07:35.352554   6 controller.go:307] backend reload required
I0214 10:07:35.352691   6 metrics.go:34] changing prometheus collector from  to default
I0214 10:07:35.361640   6 leaderelection.go:174] attempting to acquire leader lease...
I0214 10:07:35.380674   6 leaderelection.go:184] successfully acquired lease ingress-nginx/ingress-controller-leader-nginx
I0214 10:07:35.380720   6 status.go:199] new leader elected: nginx-ingress-controller-fdf887cfc-t6mkj
I0214 10:07:35.414497   6 controller.go:316] ingress backend successfully reloaded...

Try curling: curl -v http://external-node-ip:nodeportofservice/healthz

Got request timeout if I use nodePort instead.

I follow this tutorial: http://rahmonov.me/posts/nginx-ingress-controller/, it uses LB but I want to try to use NodePort service type.

Are you running in GKE like the tutorial or in a different environment?

Here’s the NodePort service as per the Nginx Ingress repo, https://github.com/nginxinc/kubernetes-ingress/blob/master/deployments/service/nodeport.yaml

You need to curl the node IP using the nodePort as port, too.

And make sure the port is open in your firewall (security groups in AWS, etc.)

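Added example, not part of any post in this thread: a small Python check that reads a Service's nodePorts and classifies a TCP connect to each one on a node, since the thread reports both a refused connection and a timeout. The sample service JSON, its port numbers and the hint texts are constructed for illustration.

```python
import json
import socket
import sys

DEFAULT_NODEPORT_RANGE = range(30000, 32768)  # default range quoted in the thread

# Constructed sample: trimmed `kubectl get svc <name> -o json` output for a NodePort service.
SAMPLE_SVC = json.dumps({
    "spec": {"type": "NodePort", "ports": [
        {"name": "http", "port": 80, "targetPort": 80, "nodePort": 30080},
        {"name": "https", "port": 443, "targetPort": 443, "nodePort": 30443},
    ]}
})

HINTS = {  # general TCP behaviour, worded for this thread's situation
    "open": "reachable; curl http://NODE_IP:NODEPORT/healthz should work",
    "refused": "host answered but nothing listens on this port (wrong port, or kube-proxy issue)",
    "timeout": "packets dropped; check firewall / security group for this port",
}

def node_ports(svc_json):
    """Return {service port: nodePort} for a Service manifest in JSON form."""
    spec = json.loads(svc_json)["spec"]
    return {p["port"]: p["nodePort"] for p in spec.get("ports", []) if "nodePort" in p}

def probe(host, port, timeout=3.0):
    """Classify a TCP connect attempt as open, refused, timeout or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {exc}"

def diagnose(host, svc_json, timeout=3.0):
    """Probe every nodePort of the service on one node; return {port: (nodePort, state)}."""
    return {port: (np, probe(host, np, timeout)) for port, np in node_ports(svc_json).items()}

if __name__ == "__main__":
    # Usage: kubectl get svc SERVICE -n NAMESPACE -o json | python3 nodeport_check.py NODE_IP
    for port, (np, state) in diagnose(sys.argv[1], sys.stdin.read()).items():
        note = "" if np in DEFAULT_NODEPORT_RANGE else " (outside default range)"
        print(f"service port {port} -> nodePort {np}{note}: {state}; {HINTS.get(state, '')}")
```

Run it from a machine outside the cluster network so the result reflects what the firewall allows from the public side.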

No, I’m running in my own environment, just 2 EC2 instances, 1 master and 1 worker.

Ya check our firewall settings like @rata said.


But why does the tutorial give an example to curl with port 80 instead of the node port? Is it because it uses a load balancer?

Okay, let me check my security group first.

Yes, NodePort can just consume ports out of the port range (default 30000-32767). LoadBalancer assumes an external entity will be able to map the requested port to the NodePort.


But, can I use nodePort 80 in this case? Or if I want to use 80, I have to use LoadBalancer serviceType instead?

For external traffic, yeah you would want to do that. You can take a look at the documentation for nginx-ingress that better explains the ups and downs of certain methods, here


There are options (use hostNetwork, a load balancer).

But step by step, it is working using the nodePort?

If you follow the rest of the tutorial you’ll just need to add the nodeport to the domain name (mydomain:nodeport).

It is not the cleanest, but it will work if you are just testing things out. Once you move into a more stable setup, using a load balancer would be best.

Yes, I want to prevent the ugly URL, so I hope I can use port 80. Can I use type LoadBalancer on deployment even though I don’t have a cloud LoadBalancer service?