When CLUSTER-IP is internal to the cluster network, then why am I able to ping one of the cluster IP services from the host/node where k8s is installed? Have a look at IP 10.101.210.88, which is a cluster IP and, as per the definition, must be reachable only from other pods, but I can still reach it from my Ubuntu host/node machine.
/root#kgs
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 16d
kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 16d
ricinfra service-tiller-ricxapp ClusterIP 10.98.94.194 <none> 44134/TCP 7d7h
ricplt aux-entry ClusterIP 10.105.149.143 <none> 80/TCP,443/TCP 7d7h
ricplt r4-influxdb-influxdb2 ClusterIP 10.110.14.243 <none> 80/TCP 7d7h
ricplt r4-infrastructure-kong-proxy NodePort 10.107.12.178 <none> 32080:32080/TCP,32443:32443/TCP 7d7h
ricplt r4-infrastructure-prometheus-alertmanager ClusterIP 10.104.86.76 <none> 80/TCP 7d7h
ricplt r4-infrastructure-prometheus-server ClusterIP 10.102.224.176 <none> 80/TCP 7d7h
ricplt service-ricplt-a1mediator-http ClusterIP 10.105.45.1 <none> 10000/TCP 7d7h
ricplt service-ricplt-a1mediator-rmr ClusterIP 10.108.188.147 <none> 4561/TCP,4562/TCP 7d7h
ricplt service-ricplt-alarmmanager-http ClusterIP 10.111.239.130 <none> 8080/TCP 7d7h
ricplt service-ricplt-alarmmanager-rmr ClusterIP 10.106.30.195 <none> 4560/TCP,4561/TCP 7d7h
ricplt service-ricplt-appmgr-http ClusterIP 10.110.110.91 <none> 8080/TCP 7d7h
ricplt service-ricplt-appmgr-rmr ClusterIP 10.110.96.28 <none> 4561/TCP,4560/TCP 7d7h
ricplt service-ricplt-dbaas-tcp ClusterIP None <none> 6379/TCP 7d7h
ricplt service-ricplt-e2mgr-http ClusterIP 10.101.210.88 <none> 3800/TCP 7d7h
ricplt service-ricplt-e2mgr-rmr ClusterIP 10.101.245.34 <none> 4561/TCP,3801/TCP 7d7h
ricplt service-ricplt-e2term-prometheus-alpha ClusterIP 10.97.95.213 <none> 8088/TCP 7d7h
ricplt service-ricplt-e2term-rmr-alpha ClusterIP 10.100.36.142 <none> 4561/TCP,38000/TCP 7d7h
ricplt service-ricplt-e2term-sctp-alpha NodePort 10.108.215.136 <none> 36422:32222/SCTP 7d7h
ricplt service-ricplt-o1mediator-http ClusterIP 10.96.196.67 <none> 9001/TCP,8080/TCP,3000/TCP 7d7h
ricplt service-ricplt-o1mediator-tcp-netconf NodePort 10.104.237.252 <none> 830:30830/TCP 7d7h
ricplt service-ricplt-rtmgr-http ClusterIP 10.105.27.42 <none> 3800/TCP 7d7h
ricplt service-ricplt-rtmgr-rmr ClusterIP 10.110.0.158 <none> 4561/TCP,4560/TCP 7d7h
ricplt service-ricplt-submgr-http ClusterIP None <none> 3800/TCP 7d7h
ricplt service-ricplt-submgr-rmr ClusterIP None <none> 4560/TCP,4561/TCP 7d7h
ricplt service-ricplt-vespamgr-http ClusterIP 10.98.139.191 <none> 8080/TCP,9095/TCP 7d7h
ricxapp aux-entry ClusterIP 10.99.152.66 <none> 80/TCP,443/TCP 7d7h
ricxapp service-ricxapp-bouncer-xapp-http ClusterIP 10.99.222.68 <none> 8080/TCP 25h
ricxapp service-ricxapp-bouncer-xapp-rmr ClusterIP 10.97.149.3 <none> 4560/TCP,4561/TCP 25h
ricxapp service-ricxapp-example-http ClusterIP 10.101.14.166 <none> 8080/TCP 2d11h
ricxapp service-ricxapp-example-rmr ClusterIP 10.97.129.85 <none> 4560/TCP,4561/TCP 2d11h
/root#
/root#
/root#ping 10.101.210.88 --------> this is a cluster IP and I am pinging it from my host/node machine
PING 10.101.210.88 (10.101.210.88) 56(84) bytes of data.
64 bytes from 10.101.210.88: icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from 10.101.210.88: icmp_seq=2 ttl=64 time=0.032 ms
^C
--- 10.101.210.88 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1019ms
rtt min/avg/max/mdev = 0.032/0.046/0.061/0.014 ms
/root#
Thanks
Yes, you will be able to access the ClusterIP from Kubernetes worker nodes.
When you create an SVC in Kubernetes with type ClusterIP, it assigns a virtual IP to the SVC; the virtual IP address is accessible only within the K8s cluster.
Kubernetes uses iptables rules to forward traffic from the virtual IP to the pods that the service is routing traffic to.
Kubernetes nodes are part of the cluster, so they will be able to access the virtual IP. So the ClusterIP will be accessible from within the cluster, from any worker node, but you won't be able to access it from outside of the cluster.
If you really want to understand the bridge, IP assignment and forwarding in depth, you can refer to this nice article: https://dustinspecker.com/posts/iptables-how-kubernetes-services-direct-traffic-to-pods/
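To make the iptables forwarding described in the answer concrete, the following added example (not part of the original question or answer) traces a ClusterIP and port through the nat-table chains to the pod endpoints it is DNATed to. It assumes kube-proxy is running in iptables mode; the rule excerpt is constructed, with placeholder chain hashes, a made-up port name and made-up pod IPs, and on a real node the input would be the output of `iptables-save -t nat`.

```python
import re
from collections import defaultdict

# Constructed iptables-save excerpt (nat table, kube-proxy iptables mode). Chain hashes
# and pod IPs are made up; ClusterIP and port are the e2mgr-http service from the question.
SAMPLE = """\
-A KUBE-SERVICES -d 10.101.210.88/32 -p tcp -m comment --comment "ricplt/service-ricplt-e2mgr-http:http cluster IP" -m tcp --dport 3800 -j KUBE-SVC-EXAMPLE00000001
-A KUBE-SVC-EXAMPLE00000001 -m comment --comment "ricplt/service-ricplt-e2mgr-http:http" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-EXAMPLE0000000A
-A KUBE-SVC-EXAMPLE00000001 -m comment --comment "ricplt/service-ricplt-e2mgr-http:http" -j KUBE-SEP-EXAMPLE0000000B
-A KUBE-SEP-EXAMPLE0000000A -p tcp -m tcp -j DNAT --to-destination 10.244.0.21:3800
-A KUBE-SEP-EXAMPLE0000000B -p tcp -m tcp -j DNAT --to-destination 10.244.0.22:3800
"""

def parse_rules(text):
    """Group appended rules by chain: {chain: [rule_text, ...]}."""
    chains = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"-A (\S+) (.*)", line)
        if m:
            chains[m.group(1)].append(m.group(2))
    return chains

def resolve(chains, chain, seen=None):
    """Follow jumps through KUBE-SVC/KUBE-SEP chains until DNAT targets are reached."""
    seen = seen or set()
    if chain in seen:          # guard against a looping rule set
        return []
    seen.add(chain)
    endpoints = []
    for rule in chains.get(chain, []):
        dnat = re.search(r"-j DNAT --to-destination (\S+)", rule)
        jump = re.search(r"-j (KUBE-(?:SVC|SEP)-\S+)", rule)
        if dnat:
            endpoints.append(dnat.group(1))
        elif jump:
            endpoints += resolve(chains, jump.group(1), seen)
    return endpoints

def trace(text, cluster_ip, port, proto="tcp"):
    """Return the pod endpoints cluster_ip:port is DNATed to, or [] if no rule matches."""
    chains = parse_rules(text)
    for rule in chains.get("KUBE-SERVICES", []):
        if (f"-d {cluster_ip}/32 " in rule and f"-p {proto} " in rule
                and re.search(rf"--dport {port}\b", rule)):
            jump = re.search(r"-j (KUBE-SVC-\S+)", rule)
            if jump:
                return resolve(chains, jump.group(1))
    return []

print(trace(SAMPLE, "10.101.210.88", 3800))
```

Because these rules live in the node's own network namespace, any process on the node can reach the service this way, so a ClusterIP limits exposure to outside the cluster and is not an access control against the nodes themselves.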