Nginx ingress controller with type: NodePort refused request from public IP


#1

Hey everyone,

Hope someone can help.

I use nginx-ingress-controller with type = NodePort rather than LoadBalancer. I’ve already set ExternalIPs with my node public IP in the ingress service definition. But every time I curl with the IP, it refuses to connect. If I curl from inside the node by using the cluster IP, it’s able to respond.

Can’t I use NodePort type for the controller?

Thanks, have a nice day.


#2

Are you using the nodePort when connecting? Or which port? Is kube-proxy running okay on the node?


#3

Yes I use NodePort when deploying the controller instead of LoadBalancer.


#4

What does your curl command look like? Are there any logs for the nginx-controller that might give a hint as to what is failing?


#5

I use

curl -v http://external-node-ip/healthz

And the output of kubectl logs -f $POD_NAME is:

I0214 10:07:29.549177   6 launch.go:128]
Name:       NGINX
Release:    0.9.0-beta.17
Build:      git-baa6bcb0
Repository: https://github.com/kubernetes/ingress-nginx
I0214 10:07:29.549202   6 launch.go:131] Watching for ingress class: nginx
I0214 10:07:29.549362   6 launch.go:307] Creating API client for https://10.96.0.1:443
I0214 10:07:29.561883   6 launch.go:319] Running in Kubernetes Cluster version v1.13 (v1.13.3) - git (clean) commit 721bfa751924da8d1680787490c54b9179b1fed0 - platform linux/amd64
I0214 10:07:29.563534   6 launch.go:155] validated ingress-nginx/default-http-backend as the default backend
I0214 10:07:29.567723   6 nginx.go:174] starting NGINX process...
I0214 10:07:29.572592   6 controller.go:1262] starting Ingress controller
I0214 10:07:35.352356   6 controller.go:1270] running initial sync of secrets
I0214 10:07:35.352554   6 controller.go:307] backend reload required
I0214 10:07:35.352691   6 metrics.go:34] changing prometheus collector from  to default
I0214 10:07:35.361640   6 leaderelection.go:174] attempting to acquire leader lease...
I0214 10:07:35.380674   6 leaderelection.go:184] successfully acquired lease ingress-nginx/ingress-controller-leader-nginx
I0214 10:07:35.380720   6 status.go:199] new leader elected: nginx-ingress-controller-fdf887cfc-t6mkj
I0214 10:07:35.414497   6 controller.go:316] ingress backend successfully reloaded...

#6

try curling curl -v http://external-node-ip:nodeportofservice/healthz


#7

Got request timeout if I use nodePort instead.


#8

I follow this tutorial: http://rahmonov.me/posts/nginx-ingress-controller/, it uses LB but I want to try to use NodePort service type.


#9

Are you running in GKE like the tutorial or in a different environment?

Here’s the NodePort service as per the Nginx Ingress repo, https://github.com/nginxinc/kubernetes-ingress/blob/master/deployments/service/nodeport.yaml


#10

You need to curl the node IP using the nodePort as port, too.

And make sure the port is open in your firewall (security groups in AWS, etc.)


#11

No, I’m running in my own environment, just 2 EC2 instances, 1 master and 1 worker.


#12

Ya check our firewall settings like @rata said.


#13

But why does the tutorial give an example to curl with port 80 instead of the node port? Is it because it uses a load balancer?


#14

Okay, let me check my security group first.


#15

Yes, NodePort can just consume ports out of the port range (default 30000-32767). LoadBalancer assumes an external entity will be able to map the requested port to the NodePort.
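
The port mapping discussed in this thread, written out as a NodePort Service manifest. This is an added example, not part of any post and not the project's own manifest: the Service name, selector label and the nodePort values 30080/30443 are assumptions, and `<node-public-ip>` and `<your-client-ip>` are placeholders.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx            # assumed name
  namespace: ingress-nginx       # namespace that appears in the controller log
spec:
  type: NodePort
  selector:
    app: ingress-nginx           # assumed label; must match the controller pods
  ports:
    - name: http
      port: 80                   # Service port on the cluster IP (in-cluster access)
      targetPort: 80             # assumed container port NGINX listens on
      nodePort: 30080            # opened on every node; default allowed range is 30000-32767
    - name: https
      port: 443
      targetPort: 443
      nodePort: 30443            # same range restriction applies
# Port 80 on the node itself is not opened by this Service, so
#   curl -v http://<node-public-ip>/healthz
# does not reach the controller. From outside the cluster, use the nodePort:
#   curl -v http://<node-public-ip>:30080/healthz
#
# A timeout on the nodePort (instead of an immediate refusal) usually means
# the packet is filtered before it reaches the node. On EC2, the worker's
# security group needs an inbound TCP rule for the nodePort. Keep that rule
# narrow: allow 30080 and 30443 only, from <your-client-ip>/32 while testing,
# not the whole 30000-32767 range from 0.0.0.0/0.
#
# To see which nodePort was actually assigned when none is set explicitly:
#   kubectl -n ingress-nginx get svc ingress-nginx
# The PORT(S) column shows pairs such as 80:30080/TCP (Service port:nodePort).
```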


#16

But, can I use nodePort 80 in this case? Or if I want to use 80, I have to use LoadBalancer serviceType instead?


#17

For external traffic, yeah you would want to do that. You can take a look at the documentation for nginx-ingress that better explains the ups and downs of certain methods, here


#18

There are options (use hostNetwork, a load balancer).

But step by step, it is working using the nodePort?


#19

If you follow the rest of the tutorial you’ll just need to add the nodeport to the domain name (mydomain:nodeport).

It is not the cleanest but will work if you are just testing things out. Once you move into a more stable setup using a loadbalancer would be best.


#20

Yes, I want to prevent the ugly url, so I hope I can use port 80. Can I use type LoadBalancer on deployment even though I don’t have cloud LoadBalancer service?