Accessing apps

How to access applications running within minikube

There are two major categories of services in Kubernetes:

  • NodePort
  • LoadBalancer

minikube supports either. Read on!

NodePort access

A NodePort service is the most basic way to get external traffic directly to your service. NodePort, as the name implies, opens a specific port, and any traffic that is sent to this port is forwarded to the service.

Getting the NodePort using the service command

We also have a shortcut for fetching the minikube IP and a service’s NodePort:

  1. minikube service --url <service-name>

Getting the NodePort using kubectl

The minikube VM is exposed to the host system via a host-only IP address, that can be obtained with the minikube ip command. Any services of type NodePort can be accessed over that IP address, on the NodePort.

To determine the NodePort for your service, you can use a kubectl command like this (note that nodePort begins with lowercase n in JSON output):

  1. kubectl get service <service-name> --output='jsonpath="{.spec.ports[0].nodePort}"'

Increasing the NodePort range

By default, minikube only exposes ports 30000-32767. If this does not work for you, you can adjust the range by using:

  1. minikube start --extra-config=apiserver.service-node-port-range=1-65535

This flag also accepts a comma separated list of ports and port ranges.


LoadBalancer access

A LoadBalancer service is the standard way to expose a service to the internet. With this method, each service gets its own IP address.

Using minikube tunnel

Services of type LoadBalancer can be exposed via the minikube tunnel command. It must be run in a separate terminal window to keep the LoadBalancer running. Ctrl-C in the terminal can be used to terminate the process at which time the network routes will be cleaned up.

Example

Run tunnel in a separate terminal

it will ask for password.

  1. minikube tunnel

minikube tunnel runs as a process, creating a network route on the host to the service CIDR of the cluster using the cluster’s IP address as a gateway. The tunnel command exposes the external IP directly to any program running on the host operating system.

tunnel output example

  1. Password:
  2. Status:
  3. machine: minikube
  4. pid: 39087
  5. route: 10.96.0.0/12 -> 192.168.64.194
  6. minikube: Running
  7. services: [hello-minikube]
  8. errors:
  9. minikube: no errors
  10. router: no errors
  11. loadbalancer emulator: no errors
  12. ...
  13. ...
  14. ...

Create a kubernetes deployment

  1. kubectl create deployment hello-minikube1 --image=k8s.gcr.io/echoserver:1.4

Create a kubernetes service type LoadBalancer

  1. kubectl expose deployment hello-minikube1 --type=LoadBalancer --port=8080

Check external IP

  1. kubectl get svc
  1. $ kc get svc
  2. NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
  3. hello-minikube1 LoadBalancer 10.96.184.178 10.96.184.178 8080:30791/TCP 40s

note that without minikube tunnel, kubernetes would be showing external IP as “pending”.

Try in your browser

open in your browser (make sure there is no proxy set)

  1. http://REPLACE_WITH_EXTERNAL_IP:8080

Each service will get its own external ip.


DNS resolution (experimental)

If you are on macOS, the tunnel command also allows DNS resolution for Kubernetes services from the host.

NOTE: docker driver doesn’t support DNS resolution

Cleaning up orphaned routes

If the minikube tunnel shuts down in an abrupt manner, it may leave orphaned network routes on your system. If this happens, the ~/.minikube/tunnels.json file will contain an entry for that tunnel. To remove orphaned routes, run:

  1. minikube tunnel --cleanup

NOTE: --cleanup flag’s default value is true.

Avoiding password prompts

Adding a route requires root privileges for the user, and thus there are differences in how to run minikube tunnel depending on the OS. If you want to avoid entering the root password, consider setting NOPASSWD for “ip” and “route” commands:

https://superuser.com/questions/1328452/sudoers-nopasswd-for-single-executable-but-allowing-others

Access to ports <1024 on Windows requires root permission

If you are using Docker driver on Windows, there is a chance that you have an old version of SSH client you might get an error like - Privileged ports can only be forwarded by root. or you might not be able to access the service even after minikube tunnel if the access port is less than 1024 but for ports greater than 1024 works fine.

In order to resolve this, ensure that you are running the latest version of SSH client. You can install the latest version of the SSH client on Windows by running the following in a Command Prompt with an Administrator Privileges (Requires chocolatey package manager)

  1. choco install openssh

The latest version (OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5) which is available on Windows 10 by default doesn’t work. You can track the issue with this over here - https://github.com/PowerShell/Win32-OpenSSH/issues/1693

Last modified February 13, 2021: Accessing apps documentation follows convention for dynamic values (eb079e66b)