How does port publishing from a docker container to a kubernetes pod work?

10/10/2019

While working through the tutorial Get Started, Part 3: Deploying to Kubernetes I stumbled over the Pod template within the deployment definition of the manifest file. There are no ports specified, neither in the pod nor in the container section.

That led me to my initial question: How does the port publishing work from the docker container into the pod?

The following quote sounds like kubernetes obtains an insight into the running container once started and gets the port from the service listening at 0.0.0.0:PORT and maps it to the same port in the pod environment (network namespace).

Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Source

If my assumption goes in the right direction, what does this mean for pods with multiple containers? Does kubernetes only allow containers with internal services listening on different ports? Or is it possible to map the container internal ports to different ports in the pod environment (network namespace)?

According to the following quote, I assume port mapping from container to pod is not possible. Indeed it does not make too much sens to specify two services within two containers with the same ports, just to change them via a mapping immediately following this.

Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Source


UPDATE 2019-10-15

As the following quote states, a docker container does not publish any port to the outside world by default.

By default, when you create a container, it does not publish any of its ports to the outside world. To make a port available to services outside of Docker, or to Docker containers which are not connected to the container’s network, use the --publish or -p flag. Source

That means kubernetes must configuer the docker container running within a pod somehow, so that the container's ports are published to the pod.

Regarding the following quote, is it possible that kubernetes runs the docker containers by using the --network host configuration? Assumed the pod is the docker host in kubernetes.

If you use the host network mode for a container, that container’s network stack is not isolated from the Docker host [...] For instance, if you run a container which binds to port 80 and you use host networking, the container’s application is available on port 80 on the host’s IP address. Source

-- Chris
docker
docker-container
kubernetes
kubernetes-pod

1 Answer

10/10/2019

Containers running in a pod are similar to processes running on a node connected to a network. Pod gets has a network address, and all containers share the same network address. They can talk to each other using localhost.

A container running in a pod can listen to any port on that address. If there are multiple containers running in a pod, they cannot bind to the same port, only one of them can. Note that there is no requirement about publishing those ports. A container can listen to any port, and traffic will be delivered to it if a client connects to that port of the pod.

So, port mapping from container to pod is not possible.

The exposed ports of containers/pods are mainly informational, and tools use them to create resources.

-- Burak Serdar
Source: StackOverflow