Overview

Use a NodePort to expose a service on the same static port on every node in the cluster.

Using NodePorts requires additional port resources.

A node port exposes the service on a static port on the node IP address.

NodePorts are in the 30000-32767 range by default, which means a NodePort is unlikely to match a service’s intended port (for example, 8080 may be exposed as 31020).

The administrator must ensure the external IPs are routed to the nodes and local firewall rules on all nodes allow access to the open port.

NodePorts and external IPs are independent and both can be used concurrently.

Administrator Prerequisites

Before starting this procedure, the administrator must:

  • Set up the external port to the cluster networking environment so that requests can reach the cluster. For example, names can be configured into DNS to point to specific nodes or other IP addresses in the cluster. The DNS wildcard feature can be used to configure a subset of names to an IP address in the cluster. This allows the users to set up routes within the cluster without further administrator attention.

  • Make sure that the local firewall on each node permits the request to reach the IP address.

  • Configure the OpenShift Container Platform cluster to use an Identity Provider that allows appropriate user access.

  • Make sure there is at least one user with cluster admin role. To add this role to a user, run the following command:

    oadm policy add-cluster-role-to-user cluster-admin username
  • Have an OpenShift Container Platform cluster with at least one master and at least one node and a system outside the cluster that has network access to the cluster. This procedure assumes that the external system is on the same subnet as the cluster. The additional networking required for external systems on a different subnet is out-of-scope for this topic.

Defining the Public IP Range

The first step in allowing access to a service is to define an external IP address range in the master configuration file:

  1. Log into OpenShift Container Platform as a user with the cluster admin role.

    $ oc login
    Authentication required (openshift)
    Username: admin
    Password:
    Login successful.
    
    You have access to the following projects and can switch between them with 'oc project <projectname>':
      * default
    Using project "default".
  2. Configure the externalIPNetworkCIDRs parameter in the /etc/origin/master/master-config.yaml file as shown:

    networkConfig:
      externalIPNetworkCIDRs:
      - <ip_address>/<cidr>

    For example:

    networkConfig:
      externalIPNetworkCIDRs:
      - 192.168.120.0/24
  3. Restart the OpenShift Container Platform master service to apply the changes.

    # systemctl restart atomic-openshift-master-api atomic-openshift-master-controllers

The IP address pool must terminate at one or more nodes in the cluster.

Configuring the Service

You specify a port number for the nodePort when you create or modify a service. If you do not specify one manually, the system allocates a port from the nodePort range for you.

  1. Log into the master node.

  2. If the project you want to use does not exist, create a new project for your service:

    $ oc new-project <project_name>

    For example:

    $ oc new-project external-ip
  3. Edit the service definition to specify spec.type: NodePort and optionally specify a nodePort in the 30000-32767 range.

    apiVersion: v1
    kind: Service
    metadata:
      name: mysql
      labels:
        name: mysql
    spec:
      type: NodePort
      ports:
        - port: 3036
          nodePort: 30036
          name: http
      selector:
        name: mysql
  4. Execute the following command to create the service:

    $ oc new-app <file-name>

    For example:

    $ oc new-app mysql.yaml
  5. Execute the following command to see that the new service is created:

    $ oc get svc
    
    NAME             CLUSTER_IP       EXTERNAL_IP   PORT(S)                      AGE
    mysql            172.30.89.219    <nodes>       3036:30036/TCP               2m

    Note that EXTERNAL_IP is shown as <nodes>, and PORT(S) shows the service port together with its node port (3036:30036/TCP).

You should now be able to access the service at <NodeIP>:<NodePort> on any node in the cluster (for the example above, <NodeIP>:30036).
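The following added example (not part of the original documentation) pulls together the two procedures above: it validates a service definition such as the mysql example against the default 30000-32767 nodePort range, checks which addresses would fall outside the externalIPNetworkCIDRs configured in master-config.yaml, shows how a free nodePort is picked when none is given, and derives the <NodeIP>:<NodePort> addresses a client would use. It assumes the YAML has already been loaded into a Python dict (so no YAML library is needed), that the range is the default, and that the master rejects service externalIPs outside externalIPNetworkCIDRs; the helper names, the node IPs, and the allocation strategy (lowest free port) are illustrative choices, not OpenShift's own code.

```python
"""Pre-flight checks for a NodePort service (added example, not from the page)."""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Default nodePort range quoted in the documentation.
NODEPORT_RANGE: Tuple[int, int] = (30000, 32767)

# Constructed sample: the mysql service definition from the page, as a dict.
MYSQL_SERVICE: Dict = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "mysql", "labels": {"name": "mysql"}},
    "spec": {
        "type": "NodePort",
        "ports": [{"port": 3036, "nodePort": 30036, "name": "http"}],
        "selector": {"name": "mysql"},
    },
}

# Constructed sample: the externalIPNetworkCIDRs value from the master-config example.
EXTERNAL_IP_CIDRS: List[str] = ["192.168.120.0/24"]


def validate_nodeport_service(svc: Dict, port_range=NODEPORT_RANGE) -> List[str]:
    """Return a list of problems; an empty list means the spec is acceptable."""
    low, high = port_range
    errors: List[str] = []
    spec = svc.get("spec", {})
    if spec.get("type") != "NodePort":
        errors.append("spec.type must be NodePort")
    seen: Set[int] = set()
    for entry in spec.get("ports", []):
        node_port = entry.get("nodePort")
        if node_port is None:
            continue  # omitted: the API server allocates one from the range
        if not low <= node_port <= high:
            errors.append(f"nodePort {node_port} outside {low}-{high}")
        if node_port in seen:
            errors.append(f"nodePort {node_port} listed twice")
        seen.add(node_port)
    return errors


def rejected_external_ips(ips: Iterable[str], cidrs: Iterable[str]) -> List[str]:
    """Return the IPs that fall outside every configured externalIPNetworkCIDRs entry
    (assumption: the master rejects such externalIPs on a service)."""
    networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [ip for ip in ips
            if not any(ipaddress.ip_address(ip) in net for net in networks)]


def allocate_nodeport(in_use: Set[int], port_range=NODEPORT_RANGE) -> int:
    """Pick the lowest free port in the range, illustrating what happens when
    nodePort is omitted (the real allocator's strategy may differ); raises if
    the range is exhausted."""
    low, high = port_range
    for candidate in range(low, high + 1):
        if candidate not in in_use:
            return candidate
    raise RuntimeError(f"no free nodePort in {low}-{high}")


def access_addresses(node_ips: Iterable[str], svc: Dict) -> List[str]:
    """<NodeIP>:<NodePort> pairs at which the service is reachable."""
    ports = [p["nodePort"] for p in svc["spec"]["ports"] if "nodePort" in p]
    return [f"{ip}:{port}" for ip in node_ips for port in ports]


if __name__ == "__main__":
    # Constructed node IPs inside the example CIDR.
    nodes = ["192.168.120.10", "192.168.120.11"]
    print("problems:", validate_nodeport_service(MYSQL_SERVICE) or "none")
    print("rejected externalIPs:",
          rejected_external_ips(["192.168.120.5", "10.0.0.1"], EXTERNAL_IP_CIDRS))
    print("auto-allocated nodePort:", allocate_nodeport({30036}))
    print("reach the service at:", access_addresses(nodes, MYSQL_SERVICE))
```

Run the checks before `oc new-app` so a nodePort outside the range or an externalIP the master will refuse is caught at review time rather than as an API error; the same functions also make it easy to confirm that the firewall rules on each node open exactly the ports the service actually uses.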