
Digital Ocean Kubernetes: Nodeport not accessible from browser


I have set up a k8s cluster (1 node cluster) using DOKS. The service is running fine with NodePort config. However, I am unable to access it using http://${NodeIP}:${NodePort} from browsers. I have even tried to add the firewall rule, but I am getting an error response from the backend while trying to add a new inbound TCP rule. Not a useful error message!

Curl and Telnet are failing as well.

Please find below my Dockerfile, deployment and service YAML files.

Dockerfile

FROM nginx:1.21.1
COPY build/ /usr/share/nginx/html
RUN rm /etc/nginx/conf.d/default.conf
COPY nginx/nginx.conf /etc/nginx/conf.d
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

Service YAML file

kind: Service
apiVersion: v1
metadata:
  name: int
spec:
  type: NodePort
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
      nodePort: 31000
  selector:
    app: int

Deployment YAML

kind: Deployment
apiVersion: apps/v1
metadata:
  name: int
spec:
  replicas: 2
  selector:
    matchLabels:
      app: int
  template:
    metadata:
      labels:
        app: int
    spec:
      containers:
        - name: int
          image: registry.digitalocean.com/xxxxx/int:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 80
      restartPolicy: Always

Kubectl get pods output

root@ast-a1:~# kubectl get pods
NAME                         READY   STATUS    RESTARTS   AGE
int-7cc5445c7-hnwvp      1/1     Running   0          3h14m
int-7cc5445c7-qtr6n      1/1     Running   0          3h14m

Kubectl get svc output

root@ast-a1:~# kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
int          NodePort    10.xxx.xx.xx    <none>        80:31000/TCP   152m
kubernetes   ClusterIP   10.xxx.x.x      <none>        443/TCP        3d3h

The response: [screenshot not preserved]

Am I making a mistake somewhere? I am just trying out DOKS.

EDIT:

Added tracert output.

C:\Users\ck5>tracert 1xx.xx.xx.xxx

Tracing route to 1xx.xx.xx.xxx over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     4 ms     2 ms     3 ms  1x.1xx.xx.xx.static-hydrabad.vsnl.net.in [1x.1xx.xx.xx]
  4     *        *        *     Request timed out.
  5    49 ms    52 ms    12 ms  2xx.6x.xxx.xxx.static-bangalore.vsnl.net.in [2xx.xx.xxx.xxx]
  6    13 ms    12 ms   110 ms  1xx.1xx.2xx.15
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

Solution

  • Looks like a security group or a firewall issue. Run a traceroute to the destination IP from the machine with your browser.

    If it stops at the last hop, it is most likely the security group not allowing connections to your port from the source subnet.

    If the traceroute stops in the middle, it is more likely a firewall issue.
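
A complementary check to the traceroute suggested above, as an added example that is not part of the original question or answer: a TCP probe of NodeIP:NodePort that separates a silent drop (the firewall or security group case) from an active rejection or a working port. The names `probe_tcp`, `MEANING` and `local_demo` and the 3-second timeout are assumptions made for this example; the loopback listener is constructed so the script also runs offline.

```python
import errno
import socket
import sys

# What each result suggests when probing NodeIP:NodePort from outside the cluster.
MEANING = {
    "open": "TCP handshake completed; the path to this port is not blocked",
    "refused": "actively rejected; packets are answered, not silently dropped",
    "filtered": "no reply before the timeout; fits a firewall or security group drop",
    "unreachable": "no route to the host or network",
}

def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise

def local_demo():
    """Constructed offline check: probe a loopback listener, then the same port closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close

if __name__ == "__main__":
    if len(sys.argv) == 3:          # usage: probe.py <NodeIP> <NodePort>
        host, port = sys.argv[1], int(sys.argv[2])
        state = probe_tcp(host, port)
        print(f"{host}:{port} -> {state}: {MEANING[state]}")
    else:
        print("loopback demo (listening, closed):", local_demo())
```

Because the probe uses TCP on the service port itself, its result still holds when ICMP is dropped along the path and the traceroute shows only timeouts.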