Cannoot access services via NodePort on MacOS with Docker driver

[marlon-sousa]

Hello,

I am facing issues accessing services via node port on Mac OS.

System information:

ProductName:    macOS
ProductVersion: 11.1
BuildVersion:   20C69

Ninikube version:

minikube version: v1.19.0
commit: 15cede53bdc5fe242228853e737333b09d4336b5

kubectl version:

Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d3
25d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:23:52Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.2", GitCommit:"faecb196815e248d3ecfb03c680a4507229c2a56", GitTreeState:"clean", BuildDate:"2021-01-13T13:20:00Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}

docker version:

Client: Docker Engine - Community
 Cloud integration: 1.0.12
 Version:           20.10.5
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        55c4c88
 Built:             Tue Mar  2 20:13:00 2021
 OS/Arch:           darwin/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.5
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       363e9a8
  Built:            Tue Mar  2 20:15:47 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Minikube installed with homebrew version:

Homebrew 3.1.3
Homebrew/homebrew-core (git revision 9bc3198bef; last commit 2021-04-25)

minikub init command

minikube start --driver=docker --mount --mount-string $(PWD)/dev/volumes:/volumes

Steps to reproduce the issue:

1. On Mac OS, start minikube as above.
2. Make a simple deployment / service using mode port. Below I will post a yaml but this has also veen berified with other services I tried.

apiVersion: v1
kind: PersistentVolume
metadata:
  name: wiremock-pv-volume
  namespace: queen
  labels:
    type: local
    app: wiremock
spec:
  storageClassName: manual
  capacity:
    storage: 100Mi
  accessModes:
    - ReadWriteMany
  hostPath:
    path: "/volumes/wiremock"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: wiremock-pv-claim
  labels:
    app: wiremock
spec:
  storageClassName: manual
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 100Mi

-------
apiVersion: v1
kind: Service
metadata:
  name: wiremock
  labels:
    app: wiremock
spec:
  type: NodePort
  ports:
    - port: 8080
      nodePort: 30080
  selector:
    app: wiremock

-------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wiremock
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wiremock
  template:
    metadata:
      labels:
        app: wiremock
    spec:
      containers:
        - name: wiremock
          image: rodolpheche/wiremock
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 8080
          volumeMounts:
            - mountPath: /home/wiremock
              name: wiremock-vol
      volumes:
        - name: wiremock-vol
          persistentVolumeClaim:
            claimName: wiremock-pv-claim

4. Up until here we are pretty good. The volume has been created, shared, everything working. kubectl get svc shows the following:

NAME       TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
wiremock   NodePort   10.102.252.201   <none>        8080:30080/TCP   18h

issue

But I cannot access this service using port 30080, and here comes the issue:
If I try

minikube ip

I get 192.168.49.2 as response. This is what happens also on Linux. However, this ip is kind of "useless", in the sense that I can not ping it from terminal nor can I telnet or CURL it at port 30080 (or at any other port I have tried).
This is different from Linux, where I can either ping or telnet / CURL / PSQL / whatever I need at the appropriate ports and services work. on Mac OS, every telnet / CURL / psql I try on this IP hangs indefinitely.

I suppose this has to do somehow with the docker driver, but I couldn't find documentation on that nor could I find anything useful in logs.
Strangely, minikube ssh works flowlessly, as also works minikube service wiremock. More strange is that minikube tunnel also hangs indefinitely.

I cannot use minikube service tunelling for several reazons, and I am thinking what can be done to fix that. NodePort is an important feature of Minikube, so if the docker driver doesn't support that I would like to know.

As I have no errors outputs, I will post no logs here now, but I am whiling to do everything I can to help to track this, so feel free to ask me for extra logs.

Full output of failed command:

There is not failure of output commands, at least that I have seen.

Full output of minikube start command used, if not already included:

* minikube v1.19.0 on Darwin 11.1
* Using the docker driver based on existing profile
* Starting control plane node minikube in cluster minikube
* Updating the running docker "minikube" container ...
* Preparing Kubernetes v1.20.2 on Docker 20.10.5 ...
* Verifying Kubernetes components...
  - Using image kubernetesui/dashboard:v2.1.0
  - Using image kubernetesui/metrics-scraper:v1.0.4
  - Using image gcr.io/k8s-minikube/storage-provisioner:v5
* Enabled addons: default-storageclass, storage-provisioner, dashboard
* Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
* ```

[afbjorklund]

This is a known issue, Docker Desktop networking doesn't support ports. You will have to use minikube tunnel.

https://docs.docker.com/docker-for-mac/networking/#known-limitations-use-cases-and-workarounds

https://minikube.sigs.k8s.io/docs/handbook/accessing/

You could also run minikube in a VM, to get a proper IP. Such a driver can be selected with minikube start --vm

[afbjorklund]

Strangely, minikube ssh works flowlessly

minikube publishes the ssh port automatically

I cannot use minikube service tunelling for several reazons, and I am thinking what can be done to fix that. NodePort is an important feature of Minikube, so if the docker driver doesn't support that I would like to know.

There are other solutions to set up tunneling and networking, but nothing that is provided out-of-the-box.

[zhan9san]

Hi @marlon-sousa

This issue is similar to #9404
A custom service is required to be published on localhost/MacOS.

1. Expose specific port which app listens on. [Host Port]:[NodePort in Kubernetes Cluster]

minikube start --driver=docker --ports=30080:30080

2. Create Service

kubectl apply -f test.yml

test.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  selector:
    matchLabels:
      app: metrics
      department: engineering
  replicas: 1
  template:
    metadata:
      labels:
        app: metrics
        department: engineering
    spec:
      containers:
      - name: hello
        image: "gcr.io/google-samples/hello-app:2.0"
        env:
        - name: "PORT"
          value: "8080"

---
apiVersion: v1
kind: Service
metadata:
  name: my-np-service
spec:
  type: NodePort
  selector:
    app: metrics
    department: engineering
  ports:
  - protocol: TCP
    port: 8080
    nodePort: 30080

3. Verify Service

~/Source/k8s-test/svc ❯ docker port minikube                                                                                                         12:22:42
22/tcp -> 127.0.0.1:61438
2376/tcp -> 127.0.0.1:61439
30080/tcp -> 0.0.0.0:30080
32443/tcp -> 127.0.0.1:61440
5000/tcp -> 127.0.0.1:61441
8443/tcp -> 127.0.0.1:61442
~/Source/k8s-test/svc ❯ kubectl get svc                                                                                                              12:22:46
NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
kubernetes      ClusterIP   10.96.0.1      <none>        443/TCP          5m3s
my-np-service   NodePort    10.104.99.25   <none>        8080:30080/TCP   4m48s
~/Source/k8s-test/svc ❯ curl http://127.0.0.1:30080                                                                                                  12:22:52
Hello, world!
Version: 2.0.0
Hostname: my-deployment-6ccc959b54-p4wst
~/Source/k8s-test/svc ❯ minikube ssh                                                                                                                 12:22:59
Last login: Mon Apr 26 04:19:34 2021 from 192.168.49.1
docker@minikube:~$ curl http://127.0.0.1:30080
Hello, world!
Version: 2.0.0
Hostname: my-deployment-6ccc959b54-p4wst

@afbjorklund
This issue brings me back to considering whether #11070 is necessary.
It seems --ports 8443:8443 can expose apiserver as well.

[afbjorklund]

@zhan9san But #11070 (and #8008) is about exporting the API server outside of localhost ?
Normally ssh and apiserver (port 8443) are only available to 127.0.0.1, for security reasons.

CONTAINER ID   IMAGE                                                         COMMAND                  CREATED         STATUS         PORTS                                                                                                                                  NAMES
5738d920d888   gcr.io/k8s-minikube/kicbase-builds:v0.0.20-1618262794-11055   "/usr/local/bin/entr…"   5 minutes ago   Up 5 minutes   127.0.0.1:49167->22/tcp, 127.0.0.1:49166->2376/tcp, 127.0.0.1:49165->5000/tcp, 127.0.0.1:49164->8443/tcp, 127.0.0.1:49163->32443/tcp   minikube

Using docker publishing for apps is not recommended, because it requires restarting the container.
So the ssh tunnels are (marginally) better, but a better ingress solution for crippled drivers is required...

---

I'm personally looking into NoRouter...
https://norouter.io/docs/examples/docker/

It would offer a HTTP proxy, for the cluster.
There are some other similar solutions.

[zhan9san]

@afbjorklund

1. It supports localhost as well. And it provides a workaround to this issue.

~ 14s ❯ minikube start --driver=docker --ports=127.0.0.1:30080:30080                                                                                 14:26:41
😄  minikube v1.19.0 on Darwin 10.15.7
✨  Using the docker driver based on user configuration
👍  Starting control plane node minikube in cluster minikube
🔥  Creating docker container (CPUs=2, Memory=3132MB) ...
🐳  Preparing Kubernetes v1.20.2 on Docker 20.10.5 ...
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
~ 1m 32s ❯ docker port minikube                                                                                                                      14:28:15
22/tcp -> 127.0.0.1:51362
2376/tcp -> 127.0.0.1:51363
30080/tcp -> 127.0.0.1:30080
32443/tcp -> 127.0.0.1:51364
5000/tcp -> 127.0.0.1:51365
8443/tcp -> 127.0.0.1:51368

2. Using docker publishing for apps is not recommended. For this scenario, could you please explain why does it require restarting the container? Does it mean minikube delete/minikube start --driver=docker --ports=127.0.0.1:30080:30080
   Both docker and ingress can make application accessible outside cluster. If the user choose 'LoadBalancer', I noticed you mentioned minikube tunnel, it works well and there is no need to publish port when Minikube starts.

Minikube provides us a very convenient way to verify the application in localhost/development, minikube start/minikube delete. The cluster is ephemeral.

[zhan9san]

I agree with you, There are some other similar solutions.

Regarding NoRouter, it's a great tool providing mutual interconnectivity across multiple remote hosts.

Besides, using a one-time pod to access k8s cluster running in container is another choice.

~ ❯ minikube start --driver=docker
~ ❯ kubectl apply -f test.yml
~ ❯ minikube ip                                                                                                                                      15:24:40
192.168.49.2
~ ❯ kubectl run -it --rm --image=curlimages/curl --restart=Never one-time-curl -- http://192.168.49.2:30080                                          15:27:48
Hello, world!
Version: 2.0.0
Hostname: my-deployment-6ccc959b54-cwrb6
pod "one-time-curl" deleted

[afbjorklund]

Using docker publishing for apps is not recommended.
For this scenario, could you please explain why does it require restarting the container?

That's just how the docker publish works, it only takes affect when the container is started.

So when you add a new app, the new NodePort would have to be added to the publish list.

[zhan9san]

@afbjorklund
Thanks for you clarification. Yes, you're right.

My opinion is that a k8s cluster created by minikube is ephemeral, that's to say, once quick verification is done, destroy cluster as well. The scenario you mentioned will not exist.

Here is a bold idea, how about adding -P, --publish-all in minikube?
I'm not sure whether docker dynamically publishes ports or just when it starts?

[afbjorklund]

Here is a bold idea, how about adding -P, --publish-all in minikube?
I'm not sure whether docker dynamically publishes ports or just when it starts?

That just means to publish all ports that are exposed in the container image
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#expose

[zhan9san]

@afbjorklund

You are right.

Let's focus on the root cause, different from the Linux system, there is no bridge0 on Macos, and it makes container IP unreachable from host.

Fortunately, we can define the port range in both apiserver and docker publishing at the same time.
Restarting container would not be an issue.

Please see sample below. The small range is for performance.

~ ❯ minikube start --driver=docker --extra-config=apiserver.service-node-port-range=32760-32767 --ports=127.0.0.1:32760-32767:32760-32767            18:01:59
😄  minikube v1.19.0 on Darwin 10.15.7
✨  Using the docker driver based on user configuration
👍  Starting control plane node minikube in cluster minikube
🔥  Creating docker container (CPUs=2, Memory=3132MB) ...
🐳  Preparing Kubernetes v1.20.2 on Docker 20.10.5 ...
    ▪ apiserver.service-node-port-range=32760-32767
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
~ 1m 23s ❯ kubectl get svc                                                                                                                           18:03:30
NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
kubernetes      ClusterIP   10.96.0.1        <none>        443/TCP          66s
my-np-service   NodePort    10.101.214.134   <none>        8080:32760/TCP   13s
~ ❯ curl 127.0.0.1:32760                                                                                                                             18:04:31
Hello, world!
Version: 2.0.0
Hostname: my-deployment-6ccc959b54-z97pf

~ ❯ docker port minikube                                                                                                                             18:03:26
32763/tcp -> 127.0.0.1:32763
32766/tcp -> 127.0.0.1:32766
5000/tcp -> 127.0.0.1:58090
32761/tcp -> 127.0.0.1:32761
32762/tcp -> 127.0.0.1:32762
32443/tcp -> 127.0.0.1:58088
32760/tcp -> 127.0.0.1:32760
32764/tcp -> 127.0.0.1:32764
32765/tcp -> 127.0.0.1:32765
32767/tcp -> 127.0.0.1:32767
8443/tcp -> 127.0.0.1:58091
22/tcp -> 127.0.0.1:58085
2376/tcp -> 127.0.0.1:58089

[afbjorklund]

I don't want to open more ports, and I want to close down 2376 and 5000 whenever possible...

• 2376 is the legacy tcp port for DOCKER_HOST
• 5000 is the workaround for missing registry cert

This is not only an issue for the Docker Desktop drivers (Mac and Win), but also the SSH driver.

For now, it's a known shortcoming and it is being addressed by minikube tunnel (and ssh -L)

---

It could definitely be documented better:

I suppose this has to do somehow with the docker driver, but I couldn't find documentation on that nor could I find anything useful in logs.

Also interesting why tunneling doesn't work:

I cannot use minikube service tunelling for several reazons, and I am thinking what can be done to fix that. NodePort is an important feature of Minikube, so if the docker driver doesn't support that I would like to know.

[afbjorklund]

Note that you can set up your own ssh tunnels for NodePort, the same way minikube does it for LoadBalancer.

ssh -nNT -L 30080:30080

There should probably be a command for it.

Or at least some options for minikube ssh

[zhan9san]

minikube tunnel use the k8s clientset to query the API server for services in the NodePortEmulator.
And then to set up the ssh tunnel, correct?

Is this feature in the plan?

[zhan9san]

Hi
This command works well for NodePort service.

minikube service hello-minikube

Please refer to minikube makes it easy to open this exposed endpoint in your browser:

[afbjorklund]

Disregard that mention, wrong issue number...

[marlon-sousa]

Hello,

For me, what worked was this solution by zhan9san:

minikube start --driver=docker --extra-config=apiserver.service-node-port-range=32760-32767 --ports=127.0.0.1:32760-32767:32760-32767

This brings the services to 127.0.0.1 on Mac OS. Although not ideal, it is the closest we can get, using then the 127.0.0.1 host ip instead of the minikube ip.

Can I close the issue?

I think someone else looking for help and reaching here will probably have a good idea of wat can be Done.

Thanks guys.

[zhan9san]

I'm glad it works for you. Feel free to close it.

[marlon-sousa]

Hello,

Can you check #11577 please? It is kind of the same thing but now itt's happening on Linux, after some updates. I will close this one.

[zhan9san]

Hello,

Can you check #11577 please? It is kind of the same thing but now itt's happening on Linux, after some updates. I will close this one.

It's a known issue, #11418, and it's different from #11193.

I have added comment and workaround in #11577. Please enjoy it.

[imnetworku]

What worked for me was running minikube service myapp-service --url after creating the service and using the url provided in either a browser or via curl while the terminal window was left open..

[blue928]

Are the solutions in this post still valid? I've tried every single one of them and as of this writing, I get only errors. Would the fact that I'm using an Apple M1 chip be a factor? In any case, here is what I'm trying with errors:

There is no build of virtualbox for M1 chips, so using that driver is not an option. The hyperkit driver shows all the same errors as the docker driver.

To this day I have never been able to get a web app to display on an Apple M1 no matter what directions or tutorials I follow. If you have successfully done so, can someone please provide step by step instructions on how to do so?

Interestingly enough, I can see the dashboard at 127.0.0.1:51301, however.

Tried:
minikube start --driver=docker --extra-config=apiserver.service-node-port-range=32760-32767 --ports=127.0.0.1:32760-32767:32760-32767

Error:
Exiting due to MK_USAGE: Sorry, one of the ports provided with --ports flag is not valid [127.0.0.1:32760-32767:32760-32767]

Tried:
At the following documents url, I select the options that relate to MacOS with ARM64 architecture, and I go through the steps. After step 4, I get errors:

Errors:

 kubectl create deployment hello-minikube --image=k8s.gcr.io/echoserver:1.4
 kubectl expose deployment hello-minikube --type=NodePort --port=8080

kubectl get services hello-minikube gives the following:

 NAME             TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
hello-minikube   NodePort   10.105.82.126   <none>        8080:30378/TCP   65m

minikube service hello-minikube dumps the following and opens a browser to the 127.0.0.1: address, but, no connection.

|-----------|----------------|-------------|---------------------------|
| NAMESPACE |      NAME      | TARGET PORT |            URL            |
|-----------|----------------|-------------|---------------------------|
| default   | hello-minikube |        8080 | http://192.168.49.2:30378 |
|-----------|----------------|-------------|---------------------------|
🏃  Starting tunnel for service hello-minikube.
|-----------|----------------|-------------|------------------------|
| NAMESPACE |      NAME      | TARGET PORT |          URL           |
|-----------|----------------|-------------|------------------------|
| default   | hello-minikube |             | http://127.0.0.1:52410 |
|-----------|----------------|-------------|------------------------|
🎉  Opening service default/hello-minikube in default browser...
❗  Because you are using a Docker driver on darwin, the terminal needs to be open to run it.

trying the NodePort CLUSTER-IP at both ports; tryng 127.0.0.1 at both ports; double checking that the NodePort, Port, and TargetPort in the yaml file are correct, and trying the 192.168.49.2 address with all referenced ports also does not work.

Tried:
Finally, the suggestion is to run minikube tunnel in a separate terminal. Neither setting the serviceType to NodePoart nor LoadBalancer and trying all ips again with all referenced ports works. Hitting CTRL^C gives the error: Exiting due to SVC_TUNNEL_STOP: stopping ssh tunnel: os: process already finished

Finally, trying the alternative to use kubectl port fowarding per the docs also gives an error:

E1219 18:07:22.412777   34265 portforward.go:406] an error occurred forwarding 7080 -> 8080: error forwarding port 8080 to pod 150eed54c602609a85176a2ed5d2bf117a50f8d60496d7b405155ebd5908f0d5, uid : exit status 1: 2021/12/19 23:07:22 socat[17819] E connect(5, AF=2 127.0.0.1:8080, 16): Connection refused
E1219 18:07:22.414405   34265 portforward.go:234] lost connection to pod

What am I doing wrong?

[zhan9san]

Hi @blue928

dumps the following and opens a browser to the 127.0.0.1: address, but, no connection

Does the 127.0.0.1: address mean http://127.0.0.1:52410?

trying the NodePort CLUSTER-IP at both ports;

ClusterIP: Exposes the Service on a cluster-internal IP. Choosing this value makes the Service only reachable from within the cluster. This is the default ServiceType.
You access it outside the cluster. It is expected to be unreachable.

tryng 127.0.0.1 at both ports;

What are the both ports?

trying the 192.168.49.2 address with all referenced ports

192.168.49.2 is the IP of Kubernetes Master Node which is a docker container.
You can log into this container via minikube ssh, in which container, you can access the service via curl http://192.168.49.2:30378. It is because the service exposed on NodePort, and you are on the node.

Besides, the docker container network is not directly reachable on MacOS, so a tunnel is created by minikube service hello-minikube making the service reachable via curl http://127.0.0.1:52410

Hope I express myself clearly.

[zhan9san]

In order to get a minimum reproducible scenario, would you mind running some basic test and sending me the result?

Terminal 1

Note: minikube delete will delete current cluster

$ minikube delete
$ minikube start --driver=docker
$ minikube addons enable ingress
$ sudo minikube tunnel

Terminal 2

Add the following line to the bottom of the /etc/hosts file.

127.0.0.1 hello-world.info

$ kubectl create deployment web --image=gcr.io/google-samples/hello-app:1.0
$ kubectl expose deployment web --port=8080
$ kubectl apply -f https://k8s.io/examples/service/networking/example-ingress.yaml
$ kubectl get svc
$ kubectl get po
$ curl hello-world.info

[blue928]

Terminal 1:

bpc@bpcs-MBP skaffold % minikube delete
🔥  Deleting "minikube" in docker ...
🔥  Deleting container "minikube" ...
🔥  Removing /Users/bpc/.minikube/machines/minikube ...
💀  Removed all traces of the "minikube" cluster.

bpc@bpcs-MBP skaffold % minikube start --driver=docker
😄  minikube v1.24.0 on Darwin 11.6 (arm64)
✨  Using the docker driver based on user configuration
👍  Starting control plane node minikube in cluster minikube
🚜  Pulling base image ...
🔥  Creating docker container (CPUs=2, Memory=1988MB) ...
🐳  Preparing Kubernetes v1.22.3 on Docker 20.10.8 ...
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

bcp@bcps-MBP skaffold % minikube addons enable ingress
💡  After the addon is enabled, please run "minikube tunnel" and your ingress resources would be available at "127.0.0.1"
    ▪ Using image k8s.gcr.io/ingress-nginx/controller:v1.0.4
    ▪ Using image k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
    ▪ Using image k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
🔎  Verifying ingress addon...
🌟  The 'ingress' addon is enabled

bcp@bcps-MBP skaffold % sudo minikube tunnel
Password:

Terminal 2:

bcp@bcps-MBP ~ % sudo vi /etc/hosts
Password:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
# Added by Docker Desktop
# To allow the same kube context to work on the host and the container:
127.0.0.1 kubernetes.docker.internal
# End of section
127.0.0.1 hello-world.info

bcp@bcps-MBP ~ % kubectl create deployment web --image=gcr.io/google-samples/hello-app:1.0
deployment.apps/web created
bcp@bcps-MBP ~ % kubectl expose deployment web --port=8080
service/web exposed
bcp@bcps-MBP ~ % kubectl apply -f https://k8s.io/examples/service/networking/example-ingress.yaml
ingress.networking.k8s.io/example-ingress created

Terminal 1: (automatic response)

❗  The service/ingress example-ingress requires privileged ports to be exposed: [80 443]
🔑  sudo permission will be asked for it.
🏃  Starting tunnel for service example-ingress.

Terminal 2:

bcp@bcps-MBP ~ % kubectl get svc
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
kubernetes   ClusterIP   10.96.0.1      <none>        443/TCP    17m
web          ClusterIP   10.105.28.33   <none>        8080/TCP   2m18s
bcp@bcps-MBP ~ % kubectl get po
NAME                   READY   STATUS    RESTARTS   AGE
web-79d88c97d6-txhnn   1/1     Running   0          3m14s
bluepresley@Blues-MBP ~ % curl hello-world.info
Hello, world!
Version: 1.0.0
Hostname: web-79d88c97d6-txhnn

A curl response!! Yes! Why does this work? I also notice the 127.0.0.1 kubernetes.docker.internal in the /etc/hosts file. Could that be causing any issues?

[zhan9san]

Why does this work?

You can find detailed info from Support Ingress on MacOS, driver docker and the comments in this issue.

I also notice the 127.0.0.1 kubernetes.docker.internal in the /etc/hosts file. Could that be causing any issues?

No, it couldn't.

The above sample means both kubernetes cluster/kubernetes service and minikube ingress add-on work.

As you mentioned helm install wordpress bitnami/wordpress doesn't work as expected, it may be wordpress helm chart issue.

If wordpress is your real case instead a sample, you can run following commands to get more detailed log.
kubectl get pods and kubectl logs xxx.
Maybe there are some issue related to wordpress instead of minikube.

[blue928]

@zhan9san Thank you so much! Turning on the Ingress Controller and adding an Ingress Resource have been the missing elements.

Once I started playing with this in the wild I had one more gotcha that may help others referencing this.

kubectl create deployment web creates a deployment with Labels: app=web automatically added to its definition. (kubectl describe deployment web to see it). kubectl expose deployment web creates a Service with Selector: app=web automatically added to its definition. (kubectl describe svc web).

Without the Selector field, the Service will not automatically create the endpoints necessary for traffic to make it to its final destination. The kubectl commands do this automatically behind the scenes, but it tripped me up when writing my own yaml file definitions.

The takeaway is if you're getting 502, 503 errors, double check that your Deployment has a Labels field with = and your Services has a Selector field whose = exactly matches that in the Deployment's Labels field.

kubectl describe ... and kubectl get ep are helpful in debugging this scenario. I also found it helpful to keep the example-ingress scenario from above deployed so I could compare working definitions against my own when I had issues.

References:

• https://kubernetes.io/docs/tasks/access-application-cluster/ingress-minikube/
• https://kubernetes.io/docs/concepts/services-networking/service/

[nour-karoui]

for m1 users, when starting minikube run this command

minikube start --ports=port-target:node-port

for eg; minikube start --ports=30000:30000

and for exposing multiple ports, separate them by comma, eg; minikube start --ports=30000:30000,32000:32000

and now you access the pod via: http://localhost:30000

[mattbator]

Is it no longer possible to expose a range of ports using the --ports flag? (CC: @toonvanstrijp)

Using the example provided by @marlon-sousa above:

minikube start --driver=docker --extra-config=apiserver.service-node-port-range=32760-32767 --ports=127.0.0.1:32760-32767:32760-32767

on minikube v1.25.2, yields the following error:

`😄 minikube v1.25.2 on Darwin 12.3.1 (arm64)
✨ Using the docker driver based on user configuration

❌ Exiting due to MK_USAGE: Sorry, one of the ports provided with --ports flag is not valid [127.0.0.1:32760-32767:32760-32767]`

[nour-karoui]

@mattbator minikube considers 127.0.0.1:32760-32767:32760-32767 as one port mapping as you can see from the error message it displayed an array with one element, a workaround I did was separate them by a comma. However, I don't know what to do with bulk ports

[babreu-ncsa]

None of the fixes here worked for me :/

[nour-karoui]

@babreu-ncsa can you share with us some screenshots or the error messages?

[leizhangcnnz]

@nour-karoui
I tried with:

> minikube start --driver=docker --extra-config=apiserver.service-node-port-range=30760-32767 --ports=127.0.0.1:31923:31923

> kubectl get svc
NAME             TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
kubernetes       ClusterIP   10.96.0.1        <none>        443/TCP        2m18s
navbar-service   NodePort    10.107.151.252   <none>        80:31923/TCP   107s

> curl http://127.0.0.1:31923
curl: (7) Failed to connect to 127.0.0.1 port 31923 after 4 ms: Connection refused

[babreu-ncsa]

@nour-karoui thanks for asking! I felt like I should provide details, but since the issue is closed and there are so many examples, I just wanted to bring it back to life somehow. But yes, makes sense to post the details!
Start minikube:

$ minikube start --driver=docker --ports=30000:30000,32000:32000
😄  minikube v1.25.2 on Darwin 12.0.1 (arm64)
✨  Using the docker driver based on user configuration
👍  Starting control plane node minikube in cluster minikube
🚜  Pulling base image ...
🔥  Creating docker container (CPUs=2, Memory=4000MB) ...
🐳  Preparing Kubernetes v1.23.3 on Docker 20.10.12 ...
    ▪ kubelet.housekeeping-interval=5m
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

Now here's my helloworld deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld
spec:
  selector:
    matchLabels:
      app: helloworld
  replicas: 1 # tells deployment to run 1 pods matching the template
  template: # create pods using pod definition in this template
    metadata:
      labels:
        app: helloworld
    spec:
      containers:
      - name: helloworld
        image: karthequian/helloworld:latest
        ports:
        - containerPort: 80

Create it

$ kubectl create -f helloworld.yaml 
deployment.apps/helloworld created

verify pods

$ kubectl get all
NAME                            READY   STATUS    RESTARTS   AGE
pod/helloworld-d7c6dd56-426s6   1/1     Running   0          48s

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   2m43s

NAME                         READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/helloworld   1/1     1            1           48s

NAME                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/helloworld-d7c6dd56   1         1         1       48s

Now expose the deployment:

$ kubectl expose deployment helloworld --type=NodePort
service/helloworld exposed

check

$ kubectl get all
NAME                            READY   STATUS    RESTARTS   AGE
pod/helloworld-d7c6dd56-426s6   1/1     Running   0          2m7s

NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
service/helloworld   NodePort    10.101.201.13   <none>        80:30764/TCP   19s
service/kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP        4m2s

NAME                         READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/helloworld   1/1     1            1           2m7s

NAME                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/helloworld-d7c6dd56   1         1         1       2m7s

then hit it:

$ minikube service helloworld
🏃  Starting tunnel for service helloworld.
🎉  Opening service default/helloworld in default browser...
❗  Because you are using a Docker driver on darwin, the terminal needs to be open to run it.

and it will stay forever like this. service/helloworld never gets an external IP.
As I mentioned, I tried other workarounds listed here and combinations of them, nothing really worked :/

[nour-karoui]

@leizhangcnnz can you try --ports=31923:31923 (remove the 127.0.0.1)

[leizhangcnnz]

@nour-karoui still failing.

➜   minikube start --driver=docker --ports=32314:32314
😄  minikube v1.25.2 on Darwin 12.3.1 (arm64)
✨  Using the docker driver based on existing profile
👍  Starting control plane node minikube in cluster minikube
🚜  Pulling base image ...
🔄  Restarting existing docker container for "minikube" ...
🐳  Preparing Kubernetes v1.23.3 on Docker 20.10.12 ...
    ▪ kubelet.housekeeping-interval=5m
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
➜   kubectl get svc
NAME             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
kubernetes       ClusterIP   10.96.0.1       <none>        443/TCP        12h
navbar-service   NodePort    10.107.210.81   <none>        80:32314/TCP   12h
➜   curl http://127.0.0.1:32314
curl: (7) Failed to connect to 127.0.0.1 port 32314 after 3 ms: Connection refused

[zhan9san]

@babreu-ncsa

and it will stay forever like this. service/helloworld never gets an external IP.

It is expected. I don't think the external IP can be generated if the service type is NodePort

Instead, if the service type is LoadBalancer, ingress add-on is enabled and tunnel is created, the external IP would be generated.

The #13806 is merged recently.

• NodePort: nodeport-access
• LoadBalancer: loadbalancer-access

[babreu-ncsa]

@zhan9san thanks for your comment! Unfortunately, none of these is working for me. Here are the details.

NodePort

$ minikube start
😄  minikube v1.25.2 on Darwin 12.0.1 (arm64)
✨  Automatically selected the docker driver. Other choices: virtualbox, ssh
👍  Starting control plane node minikube in cluster minikube
🚜  Pulling base image ...
🔥  Creating docker container (CPUs=2, Memory=4000MB) ...
🐳  Preparing Kubernetes v1.23.3 on Docker 20.10.12 ...
    ▪ kubelet.housekeeping-interval=5m
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

$ kubectl create -f helloworld.yaml 
deployment.apps/helloworld created

$ kubectl get all
NAME                            READY   STATUS    RESTARTS   AGE
pod/helloworld-d7c6dd56-pnc8l   1/1     Running   0          47s

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   70s

NAME                         READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/helloworld   1/1     1            1           47s

NAME                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/helloworld-d7c6dd56   1         1         1       47s

$ kubectl expose deployment helloworld --type=NodePort --port=8080
service/helloworld exposed

$ kubectl get service
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
helloworld   NodePort    10.110.198.39   <none>        8080:30818/TCP   23s
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP          2m31s

$ minikube service helloworld --url

🏃  Starting tunnel for service helloworld.
❗  Because you are using a Docker driver on darwin, the terminal needs to be open to run it.

Different terminal

$ ps -ef | grep [email protected]
  502 56216 56201   0  7:04AM ttys000    0:00.01 ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -N [email protected] -p 60984 -i /Users/babreu/.minikube/machines/minikube/id_rsa -L 61983:10.110.198.39:8080
  502 56235  5965   0  7:05AM ttys002    0:00.01 grep [email protected]

http://127.0.0.1:8080/61983 (and 8080) give "connection reset".

kubectl get service helloworld --output='jsonpath="{.spec.ports[0].nodePort}"'
"30818"

http://127.0.0.1:8080/30818 also gives connection reset.

LoadBalancer

$ minikube start
😄  minikube v1.25.2 on Darwin 12.0.1 (arm64)
✨  Automatically selected the docker driver. Other choices: virtualbox, ssh
👍  Starting control plane node minikube in cluster minikube
🚜  Pulling base image ...
🔥  Creating docker container (CPUs=2, Memory=4000MB) ...
🐳  Preparing Kubernetes v1.23.3 on Docker 20.10.12 ...
    ▪ kubelet.housekeeping-interval=5m
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

$ minikube addons enable ingress
💡  After the addon is enabled, please run "minikube tunnel" and your ingress resources would be available at "127.0.0.1"
    ▪ Using image k8s.gcr.io/ingress-nginx/controller:v1.1.1
    ▪ Using image k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
    ▪ Using image k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
🔎  Verifying ingress addon...
🌟  The 'ingress' addon is enabled

Terminal 2

$ minikube tunnel
✅  Tunnel successfully started

📌  NOTE: Please do not close this terminal as this process must stay alive for the tunnel to be accessible ...

Terminal 1

$ kubectl create -f helloworld.yaml 
deployment.apps/helloworld created

$ kubectl expose deployment helloworld --type=LoadBalancer --port=8080
service/helloworld exposed

$ kubectl get svc
NAME         TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
helloworld   LoadBalancer   10.98.249.152   127.0.0.1     8080:31508/TCP   7s
kubernetes   ClusterIP      10.96.0.1       <none>        443/TCP          2m43s

http://127.0.0.1:8080 again gives connection reset

I think I tried both options according to https://minikube.sigs.k8s.io/docs/handbook/accessing/#nodeport-access , but in case I'm missing something... please let me know.

[zhan9san]

@babreu-ncsa

The image in doc, k8s.gcr.io/echoserver:1.4 exposed port is 8080, so we expose 8080.

But for your own image, the service exposed port is 80, and you expose 8080.

For NodePort

kubectl expose deployment helloworld --type=NodePort --port=80

For LoadBalancer

kubectl expose deployment helloworld --type= LoadBalancer --port=80

[babreu-ncsa]

Thanks again, @zhan9san ! I didn't notice that and it's probably due to my lack of Kubernetes knowledge. Which is the reason why I'm doing helloworld...
It looks like it sort of worked, but now I get a security connection failed message

Do you have any insights? I appreciate your time!

[zhan9san]

I am not sure you have to use https.

Could you tried http like doc says.

[babreu-ncsa]

@zhan9san fantastic!! It worked!! Thank you very much!!

[2Shaun]

and for exposing multiple ports, separate them by comma, eg; minikube start --ports=30000:30000,32000:32000

@leizhangcnnz

This comma separated list worked after rebuilding the minikube container, but not before. I see Restarting existing docker container for "minikube" ... in your log.

[kiterd2592]

Hi @marlon-sousa

This issue is similar to #9404 A custom service is required to be published on localhost/MacOS.

1. Expose specific port which app listens on. [Host Port]:[NodePort in Kubernetes Cluster]

minikube start --driver=docker --ports=30080:30080

2. Create Service

kubectl apply -f test.yml

test.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  selector:
    matchLabels:
      app: metrics
      department: engineering
  replicas: 1
  template:
    metadata:
      labels:
        app: metrics
        department: engineering
    spec:
      containers:
      - name: hello
        image: "gcr.io/google-samples/hello-app:2.0"
        env:
        - name: "PORT"
          value: "8080"

---
apiVersion: v1
kind: Service
metadata:
  name: my-np-service
spec:
  type: NodePort
  selector:
    app: metrics
    department: engineering
  ports:
  - protocol: TCP
    port: 8080
    nodePort: 30080

3. Verify Service

~/Source/k8s-test/svc ❯ docker port minikube                                                                                                         12:22:42
22/tcp -> 127.0.0.1:61438
2376/tcp -> 127.0.0.1:61439
30080/tcp -> 0.0.0.0:30080
32443/tcp -> 127.0.0.1:61440
5000/tcp -> 127.0.0.1:61441
8443/tcp -> 127.0.0.1:61442
~/Source/k8s-test/svc ❯ kubectl get svc                                                                                                              12:22:46
NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
kubernetes      ClusterIP   10.96.0.1      <none>        443/TCP          5m3s
my-np-service   NodePort    10.104.99.25   <none>        8080:30080/TCP   4m48s
~/Source/k8s-test/svc ❯ curl http://127.0.0.1:30080                                                                                                  12:22:52
Hello, world!
Version: 2.0.0
Hostname: my-deployment-6ccc959b54-p4wst
~/Source/k8s-test/svc ❯ minikube ssh                                                                                                                 12:22:59
Last login: Mon Apr 26 04:19:34 2021 from 192.168.49.1
docker@minikube:~$ curl http://127.0.0.1:30080
Hello, world!
Version: 2.0.0
Hostname: my-deployment-6ccc959b54-p4wst

@afbjorklund This issue brings me back to considering whether #11070 is necessary. It seems --ports 8443:8443 can expose apiserver as well.

how to do it with multinode cluster

[jhselvik]

@nour-karoui's Reply helped me figure this out on my M1 MBP.

for m1 users, when starting minikube run this command

minikube start --ports=port-target:node-port

for eg; minikube start --ports=30000:30000

and for exposing multiple ports, separate them by comma, eg; minikube start --ports=30000:30000,32000:32000

and now you access the pod via: http://localhost:30000

For me, the gotcha was that you have to do this the first time you start a minikube cluster with the docker driver, otherwise the ports aren't actually exposed. Once I stopped, deleted, and created the minikube cluster specifying the --ports I was able to access services in the cluster with localhost.

[israfh]

In Mac with minikube you can use this command:

minikube service apache1 --url

where apache1 is the name of your service.

And It show ip and port which you could use in a browser

[viswa2]

After starting the minikube by using as below. port is not open. Can any one suggest how to solve this.

minikube start --driver=docker --ports=30100:30100
😄 minikube v1.30.1 on Ubuntu 22.04 (amd64)
✨ Using the docker driver based on existing profile
👍 Starting control plane node minikube in cluster minikube
🚜 Pulling base image ...
🏃 Updating the running docker "minikube" container ...
🐳 Preparing Kubernetes v1.26.3 on Docker 23.0.2 ...
▪ apiserver.service-node-port-range=32760-32767
🔎 Verifying Kubernetes components...
▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟 Enabled addons: storage-provisioner, default-storageclass
💡 kubectl not found. If you need it, try: 'minikube kubectl -- get pods -A'
🏄 Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

docker port minikube
2376/tcp -> 127.0.0.1:49156
32443/tcp -> 127.0.0.1:49153
5000/tcp -> 127.0.0.1:49155
8443/tcp -> 127.0.0.1:49154
22/tcp -> 127.0.0.1:49157

[tennessine]

kubectl get services

NAME               TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
client-node-port   NodePort    10.99.148.87   <none>        3050:31515/TCP   39m
kubernetes         ClusterIP   10.96.0.1      <none>        443/TCP          31h

minikube service client-node-port --url

http://127.0.0.1:53414
❗  Because you are using a Docker driver on darwin, the terminal needs to be open to run it.

open http://127.0.0.1:53414 in your browser

[viswa2]

Hello @tennessine

Tried as suggested but find the details below.

minikube service client-node-port --url

❌ Exiting due to SVC_NOT_FOUND: Service 'client-node-port' was not found in 'default' namespace.
You may select another namespace by using 'minikube service client-node-port -n '. Or list out all the services using 'minikube service list'

viswa@:/opt/k8s-demo$ minikube service list
|-------------|----------------|--------------|---------------------------|
| NAMESPACE | NAME | TARGET PORT | URL |
|-------------|----------------|--------------|---------------------------|
| default | kubernetes | No node port | |
| default | mongo-service | No node port | |
| default | webapp-service | 3000 | http://192.168.49.2:32760 |
| kube-system | kube-dns | No node port | |
|-------------|----------------|--------------|---------------------------|
viswa@:/opt/k8s-demo$ minikube service client-node-port -n default

❌ Exiting due to SVC_NOT_FOUND: Service 'client-node-port' was not found in 'default' namespace.
You may select another namespace by using 'minikube service client-node-port -n '. Or list out all the services using 'minikube service list'

unfortunately this url is also not working (http://192.168.49.2:32760)

[star-stanly95]

you can use docker desktop NodePort service. Once you deploy your service .yaml file in your cluser follow these steps:

1. kubectl get services, find type NordPort check the port number anything greater than 30000 and note that port
2. run ipconfig on your powershell window. Get your host ipv4 address that is your external ip address as your running this cluster in your local machine
3. Final url : http://YOUR_LOCAL_MACHINE_IPV4ADDRESS_AS_IN_STEP2:STEP1_PORT_NUMBER/YOUR_DEFAULT_URI
4. Safer side open a new inbound tcp firewall port range starting from 30000-32767

whoever using minikube, plz run this command minikube service your-service-name --url
Sample output: http://192.168:99.4:30000

Note: I have pasted here my service file for your reference with minimal self explanatory

apiVersion: v1
kind: Service
metadata:
name: book-api-service
spec:
type: NodePort
selector:
app: bookapi
# app.kubernetes.io/name: bookapi
ports:
- protocol: "TCP"
# Port accessible inside cluster, this is your service port number
port: 80
# Port to forward to inside the pod/container
targetPort: 80
# Port accessible outside cluster
nodePort: 30000