@alexeldeib
Last active July 1, 2020 18:02
Kubernetes ingress <-> service <-> pod IP association example
ace@ace-vm:~/code/ocsp-demo$ kubectl -n ingress-nginx get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller LoadBalancer 10.0.14.106 20.193.19.114 80:31377/TCP,443:32598/TCP 3m45s
ingress-nginx-controller-admission ClusterIP 10.0.117.203 <none> 443/TCP 3m46s
ace@ace-vm:~/code/ocsp-demo$ kubectl -n ingress-nginx get svc,pod
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/ingress-nginx-controller LoadBalancer 10.0.14.106 20.193.19.114 80:31377/TCP,443:32598/TCP 3m48s
service/ingress-nginx-controller-admission ClusterIP 10.0.117.203 <none> 443/TCP 3m49s
NAME READY STATUS RESTARTS AGE
pod/ingress-nginx-admission-create-2llbp 0/1 Completed 0 3m36s
pod/ingress-nginx-admission-patch-pzkpn 0/1 Completed 0 3m36s
pod/ingress-nginx-controller-5cc4589cc8-r788l 1/1 Running 0 3m48s
ace@ace-vm:~/code/ocsp-demo$ kubectl get ing,pod -o wide
NAME HOSTS ADDRESS PORTS AGE
ingress.extensions/cm-acme-http-solver-kbw7x tls-ace.alexeldeib.xyz 20.193.19.114 80 103s
ingress.extensions/kuard tls-ace.alexeldeib.xyz 20.193.19.114 80, 443 106s
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/cm-acme-http-solver-k69cm 1/1 Running 0 104s 10.240.0.28 aks-nodepool1-25590235-vmss000000 <none> <none>
pod/debug-84cd59f676-4xjnv 1/1 Running 0 4d12h 10.240.0.35 aks-nodepool1-25590235-vmss000001 <none> <none>
pod/kuard-cc7d6b554-nf67x 1/1 Running 0 3m29s 10.240.0.47 aks-nodepool1-25590235-vmss000001 <none> <none>
ace@ace-vm:~/code/ocsp-demo$ kubectl describe ing kuard
Name: kuard
Namespace: default
Address: 20.193.19.114
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
tls-ace terminates tls-ace.alexeldeib.xyz
Rules:
Host Path Backends
---- ---- --------
tls-ace.alexeldeib.xyz
/ kuard:80 (10.240.0.47:8080)
Annotations: cert-manager.io/issuer: letsencrypt-prod
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 111s nginx-ingress-controller Ingress default/kuard
Normal CreateCertificate 111s cert-manager Successfully created Certificate "tls-ace"
Normal UPDATE 76s nginx-ingress-controller Ingress default/kuard
ace@ace-vm:~/code/ocsp-demo$ kubectl describe ing kuard
Name: kuard
Namespace: default
Address: 10.0.44.154
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
tls-ace terminates tls-ace.alexeldeib.xyz
Rules:
Host Path Backends
---- ---- --------
tls-ace.alexeldeib.xyz
/ kuard:80 (10.240.0.47:8080)
Annotations: cert-manager.io/issuer: letsencrypt-prod
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 7m38s nginx-ingress-controller Ingress default/kuard
Normal CreateCertificate 7m38s cert-manager Successfully created Certificate "tls-ace"
Normal UPDATE 8s (x2 over 7m3s) nginx-ingress-controller Ingress default/kuard
alexeldeib commented Jul 1, 2020

When executing kubectl describe ing kuard, the address shown at the top is the service IP for the ingress controller. In this case it's a load balancer IP, so it's a public IP. If the service of the nginx-ingress-controller were a clusterIP service, then this IP would be an in-cluster IP. It matches whatever the corresponding ingress controller service is. In the very last output, I deleted the service type=LoadBalancer and replaced it with a service type=ClusterIP. You can see the IP change on the Ingress resource as a result.

The nginx-ingress controller doesn't use the service endpoints. This is optional. Using pod endpoints directly enables faster reactivity and avoids redirecting requests through the iptables layer by sending them directly to the pod endpoint. In the example output, you can see kuard:80 (10.240.0.47:8080) is the pod IP for the kuard pod:

pod/kuard-cc7d6b554-nf67x       1/1     Running   0          3m29s   10.240.0.47   aks-nodepool1-25590235-vmss000001   <none>           <none>
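
The two lookups described in the comment above, as an added example that is not part of the original gist: which Service the Ingress address comes from (and whether that makes it externally reachable), and which pod endpoints a rule's backend resolves to. The function names, the `app` labels, the `extensions/v1beta1` backend fields and the numeric `targetPort` are assumptions; IPs and object names are copied from the output above.

```python
# Constructed objects shaped like `kubectl get svc,ing,pod -o json` items; app labels are assumed.
SERVICES = [
    {"metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
     "spec": {"type": "LoadBalancer", "clusterIP": "10.0.14.106"},
     "status": {"loadBalancer": {"ingress": [{"ip": "20.193.19.114"}]}}},
    {"metadata": {"name": "kuard", "namespace": "default"},
     "spec": {"type": "ClusterIP", "selector": {"app": "kuard"},
              "ports": [{"port": 80, "targetPort": 8080}]}},
]
PODS = [
    {"metadata": {"name": "kuard-cc7d6b554-nf67x", "namespace": "default",
                  "labels": {"app": "kuard"}}, "status": {"podIP": "10.240.0.47"}},
    {"metadata": {"name": "debug-84cd59f676-4xjnv", "namespace": "default",
                  "labels": {"app": "debug"}}, "status": {"podIP": "10.240.0.35"}},
]
INGRESS = {
    "metadata": {"name": "kuard", "namespace": "default"},
    "spec": {"rules": [{"host": "tls-ace.alexeldeib.xyz", "http": {"paths": [
        {"path": "/", "backend": {"serviceName": "kuard", "servicePort": 80}}]}}]},
    "status": {"loadBalancer": {"ingress": [{"ip": "20.193.19.114"}]}},
}

def lb_ips(obj):
    """IPs listed under status.loadBalancer.ingress of a Service or Ingress."""
    entries = obj.get("status", {}).get("loadBalancer", {}).get("ingress") or []
    return [e["ip"] for e in entries if "ip" in e]

def address_source(ingress, services):
    """Find the Service whose IP the Ingress reports, and which kind of IP it is."""
    for addr in lb_ips(ingress):
        for svc in services:
            kind = ("load balancer IP" if addr in lb_ips(svc) else
                    "cluster IP" if addr == svc["spec"].get("clusterIP") else None)
            if kind:
                return (svc["metadata"]["name"], addr, kind)
    return None  # address not owned by any Service we were given

def backend_endpoints(ingress, services, pods):
    """Resolve each rule backend to the pod-IP:targetPort pairs behind it."""
    ns, found = ingress["metadata"]["namespace"], {}
    for b in (p["backend"] for r in ingress["spec"]["rules"] for p in r["http"]["paths"]):
        svc = next(s for s in services if s["metadata"]["namespace"] == ns
                   and s["metadata"]["name"] == b["serviceName"])
        port = next(p for p in svc["spec"]["ports"] if p["port"] == b["servicePort"])
        sel = svc["spec"]["selector"].items()  # every selector pair must match
        found[f'{b["serviceName"]}:{b["servicePort"]}'] = [
            f'{p["status"]["podIP"]}:{port["targetPort"]}' for p in pods
            if p["metadata"]["namespace"] == ns and sel <= p["metadata"]["labels"].items()]
    return found
```

Against a live cluster the same functions can be fed the `items` lists from `kubectl get svc -A -o json`, `kubectl get pod -A -o json` and a single Ingress object.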
