How to access a kubernetes service through https?

6/22/2017

This is my cluster info

kubectl cluster-info
Kubernetes master is running at https://129.146.10.66:6443
Heapster is running at https://129.146.10.66:6443/api/v1/proxy/namespaces/kube-system/services/heapster
KubeDNS is running at https://129.146.10.66:6443/api/v1/proxy/namespaces/kube-system/services/kube-dns

So, I have a service (mysqlbrokerservice) running as NodePort, and the configuration looks like this:

kubectl describe svc mysqlbrokerservice
Name:                        mysqlbrokerservice
Namespace:                mysqlbroker
Labels:                        <none>
Annotations:                <none>
Selector:                app=mysqlbroker
Type:                        NodePort
IP:                        10.99.194.191
Port:                        mysqlbroker        8080/TCP
NodePort:                mysqlbroker        30000/TCP
Endpoints:                10.244.1.198:8080
Session Affinity:        None
Events:                        <none>

I can access the service through the public IP of the node where the pod is running, like this: http://129.146.34.181:30000/v2/catalog.

Then I wanted to see if I can access the service through https. I followed the directions in https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#manually-constructing-apiserver-proxy-urls

I followed the example and used curl to get the resource. Here is the command. 129.146.10.66:6443 is my master IP.

curl -i -H "Accept: application/json" -H "Content-Type: application/json" -X GET  https://129.146.10.66:6443/api/v1/namespaces/mysqlbroker/services/mysqlbrokerservice:8080/proxy/v2/catalog --header "Authorization: Bearer $TOKEN" --insecure
HTTP/1.0 200 Connection established

curl just sits there with no response. I then looked at my pod logs and they do not show that any request was received.

Can somebody explain what I am doing wrong here? What's the ideal solution if I want a service to be exposed through https?

-- user686730
kubernetes

2 Answers

6/22/2017

The documentation says it's expecting the port name and not the number. Have you tried the following?

curl -i -H "Accept: application/json" -H "Content-Type: application/json" -X GET  https://129.146.10.66:6443/api/v1/namespaces/mysqlbroker/services/mysqlbrokerservice:mysqlbroker/proxy/v2/catalog --header "Authorization: Bearer $TOKEN" --insecure
-- kichik
Source: StackOverflow

6/22/2017

If you click any of the URLs provided by kubectl cluster-info you will see that your browser prompts you to accept an insecure TLS connection.

For HTTPS to work for this particular address you will need to buy a TLS certificate issued for the hostname (in this case, the IP address, and you can't buy certs for IP addresses). The other option is to add the Kubernetes cluster's Root Certificate to your computer's Trusted Roots, but that wouldn't make it work on other computers.

So I assume you're just trying to make an application running on Kubernetes accessible to the outside world, via HTTPS:

For that, I recommend actually buying a domain name (or reusing a subdomain), buying an SSL/TLS certificate for that host name, and using an Ingress to configure a load balancer with HTTPS termination. https://kubernetes.io/docs/concepts/services-networking/ingress/#tls (If you're on GKE, Google Load Balancer, otherwise it would configure a local nginx instance to do this task.)

-- AhmetB - Google
Source: StackOverflow
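
The Ingress with TLS termination recommended in the answer above, written out for the service in the question. This is an added example, not part of the original answers; the hostname broker.example.com, the Secret name mysqlbroker-tls and the ingress class nginx are assumptions, and it assumes a cluster that serves the networking.k8s.io/v1 Ingress API (Kubernetes 1.19 or later).

```yaml
# Added example. Service name, namespace and port name come from the
# `kubectl describe svc` output in the question. Everything marked
# "assumed" is a placeholder to replace with your own values.
#
# The TLS Secret is created beforehand from the certificate and key
# issued for the hostname (file names are assumed):
#   kubectl create secret tls mysqlbroker-tls -n mysqlbroker \
#     --cert=tls.crt --key=tls.key
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mysqlbroker              # assumed Ingress name
  namespace: mysqlbroker         # must match the Service's namespace
spec:
  ingressClassName: nginx        # assumed: an nginx ingress controller is installed
  tls:
    - hosts:
        - broker.example.com     # assumed hostname; must match the certificate
      secretName: mysqlbroker-tls  # assumed Secret name (type kubernetes.io/tls)
  rules:
    - host: broker.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: mysqlbrokerservice
                port:
                  name: mysqlbroker   # port name from the Service (8080/TCP)
```

Once the Ingress serves the application, the Service no longer needs to be of type NodePort; changing it to ClusterIP stops the same API from being reachable in plaintext on port 30000. Clients can then verify the certificate normally, so the `--insecure` flag is not needed.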