I want to test externalServices in Kubernetes. So, I create an external service pointing to some web site (gf.dev):
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: ExternalName
  externalName: gf.dev
Now I want to test that everything works fine:
kubectl run --rm watchpod -it --image arunvelsriram/utils bash
Host seems to do it:
root@watchpod:/# host my-service
my-service.abdelghani.svc.cluster.local is an alias for gf.dev.
gf.dev has address 172.67.213.5
gf.dev has address 104.21.77.239
gf.dev has IPv6 address 2606:4700:3030::ac43:d505
gf.dev has IPv6 address 2606:4700:3037::6815:4def
But curl does not:
root@watchpod:/# curl -I my-service
**HTTP/1.1 403 Forbidden**
Date: Mon, 25 Jan 2021 10:16:00 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
**Connection: close**
X-Frame-Options: SAMEORIGIN
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cfduid=df4f08d8708a14966ce21d14bdb80a7411611569760; expires=Wed, 24-Feb-21 10:16:00 GMT; path=/; domain=.my-service; HttpOnly; SameSite=Lax
cf-request-id: 07daa4214f00002b29e6157000000001
Server: cloudflare
CF-RAY: 61713c7bb8f02b29-FRA
And:
root@watchpod:/# curl my-service
error code: 1003root@watchpod:/#
Although I can curl gf.dev from my pod:
root@watchpod:/# curl -I gf.dev
HTTP/1.1 301 Moved Permanently
Date: Mon, 25 Jan 2021 10:26:52 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Mon, 25 Jan 2021 11:26:52 GMT
Location: https://gf.dev/
cf-request-id: 07daae12280000d4a05e2b9000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=7Ph5u3ilp58DnRPlhemS%2F1FjPT7qVzUK7wu9%2B5H7PNGez8Tk9BM2SGsFmwU05pGlmBpOr2qni6IQhiJpdgS%2FtmkZpUDS06s%3D"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 61714c637be2d4a0-BRU
Any ideas why this is happening?
Thx,
Abdelghani
The gf.dev domain seems to be using Cloudflare. You are hitting the Cloudflare 1003 error.
# curl my-service
1003
From https://support.cloudflare.com/hc/en-us/articles/360029779472-Troubleshooting-Cloudflare-1XXX-errors
Error 1003 Access Denied: Direct IP Access Not Allowed
Common cause
A client or browser directly accesses a Cloudflare IP address.
Resolution
Browse to the website domain name in your URL instead of the Cloudflare IP address.
You can reproduce the 403 error by just doing a curl -I 104.21.77.239, which is the IP of gf.dev returned by your DNS lookup. You can only access gf.dev with the domain name gf.dev and nothing else.
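An added example (not part of the original answer, and not Cloudflare's code): a local stand-in for a name-based edge shows why the alias fails even though DNS resolves. The ExternalName service only changes name resolution, so curl still sends `Host: my-service`, and an edge that selects the site from the Host header has nothing to match it against. `KNOWN_SITES`, `EdgeHandler`, `fetch` and `demo` are hypothetical names, and the responses are constructed to mirror the output above.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a name-based edge proxy: it serves only the
# hostnames it is configured for and answers 403 / 1003 to anything else.
KNOWN_SITES = {"gf.dev"}


class EdgeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        ok = host in KNOWN_SITES
        status, body = (200, b"site content") if ok else (403, b"error code: 1003")
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=UTF-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def fetch(port, host_header):
    """Connect to the same socket every time; only the Host header varies."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    conn.putheader("Host", host_header)
    conn.endheaders()
    resp = conn.getresponse()
    result = (resp.status, resp.read().decode())
    conn.close()
    return result


def demo():
    server = HTTPServer(("127.0.0.1", 0), EdgeHandler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return {h: fetch(port, h) for h in ("my-service", "104.21.77.239", "gf.dev")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for host, (status, body) in demo().items():
        print(f"Host: {host:<15} -> {status} {body}")
```

The matching check from the pod is to keep the service name in the URL but send the real name explicitly, for example `curl -I -H "Host: gf.dev" http://my-service`.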