What’s the difference between ClusterIP, NodePort and LoadBalancer service types in Kubernetes


Reposted from: What’s the difference between ClusterIP, NodePort and LoadBalancer service types in Kubernetes

QUESTION

Question 1 – I’m reading the documentation and I’m slightly confused with the wording. It says:

ClusterIP: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. This is the default ServiceType.

NodePort: Exposes the service on each Node’s IP at a static port (the NodePort). A ClusterIP service, to which the NodePort service will route, is automatically created. You’ll be able to contact the NodePort service, from outside the cluster, by requesting <NodeIP>:<NodePort>.

LoadBalancer: Exposes the service externally using a cloud provider’s load balancer. NodePort and ClusterIP services, to which the external load balancer will route, are automatically created.

Does the NodePort service type still use the ClusterIP but just at a different port, which is open to external clients? So in this case is <NodeIP>:<NodePort> the same as <ClusterIP>:<NodePort>?

Or is the NodeIP actually the IP found when you run kubectl get nodes and not the virtual IP used for the ClusterIP service type?

ANSWER1

A ClusterIP exposes the following:

  • spec.clusterIp:spec.ports[*].port

You can only access this service while inside the cluster. It is accessible from its spec.clusterIp port. If a spec.ports[*].targetPort is set, it will route from the port to the targetPort. The CLUSTER-IP you get when calling kubectl get services is the IP assigned to this service within the cluster internally.

A NodePort exposes the following:

  • <NodeIP>:spec.ports[*].nodePort
  • spec.clusterIp:spec.ports[*].port

If you access this service on a nodePort from the node’s external IP, it will route the request to spec.clusterIp:spec.ports[*].port, which will in turn route it to your spec.ports[*].targetPort, if set. This service can also be accessed in the same way as a ClusterIP.

Your NodeIPs are the external IP addresses of the nodes. You cannot access your service from spec.clusterIp:spec.ports[*].nodePort.

A LoadBalancer exposes the following:

  • spec.loadBalancerIp:spec.ports[*].port
  • <NodeIP>:spec.ports[*].nodePort
  • spec.clusterIp:spec.ports[*].port

You can access this service from your load balancer’s IP address, which routes your request to a nodePort, which in turn routes the request to the clusterIP port. You can access this service as you would a NodePort or a ClusterIP service as well.

ANSWER2

ClusterIP: Services are reachable by pods/services in the Cluster

If I make a service called myservice in the default namespace of type: ClusterIP then the following predictable static DNS address for the service will be created:

myservice.default.svc.cluster.local (or just myservice.default, or by pods in the default namespace just “myservice” will work)

And that DNS name can only be resolved by pods and services inside the cluster.

NodePort: Services are reachable by clients on the same LAN/clients who can ping the K8s Host Nodes (and pods/services in the cluster) (Note for security your k8s host nodes should be on a private subnet, thus clients on the internet won’t be able to reach this service)

If I make a service called mynodeportservice in the mynamespace namespace of type: NodePort on a 3 Node Kubernetes Cluster, then a Service of type: ClusterIP will be created and it’ll be reachable by clients inside the cluster at the following predictable static DNS address:

mynodeportservice.mynamespace.svc.cluster.local (or just mynodeportservice.mynamespace)

For each port that mynodeportservice listens on, a nodeport in the range of 30000 – 32767 will be randomly chosen, so that external clients that are outside the cluster can hit that ClusterIP service that exists inside the cluster. Let’s say that our 3 K8s host nodes have IPs 10.10.10.1, 10.10.10.2, 10.10.10.3, the Kubernetes service is listening on port 80, and the Nodeport picked at random was 31852.

A client that exists outside of the cluster could visit 10.10.10.1:31852, 10.10.10.2:31852, or 10.10.10.3:31852 (as NodePort is listened for by every Kubernetes Host Node). Kubeproxy will forward the request to mynodeportservice’s port 80.

LoadBalancer: Services are reachable by everyone connected to the internet* (Common architecture is L4 LB is publicly accessible on the internet by putting it in a DMZ or giving it both a private and public IP and k8s host nodes are on a private subnet) (Note: This is the only service type that doesn’t work in 100% of Kubernetes implementations, like bare metal Kubernetes; it works when Kubernetes has cloud provider integrations.)

If you make mylbservice, then an L4 LB VM will be spawned (a cluster IP service and a NodePort Service will be implicitly spawned as well). This time our NodePort is 30222. The idea is that the L4 LB will have a public IP of 1.2.3.4 and it will load balance and forward traffic to the 3 K8s host nodes that have private IP addresses (10.10.10.1:30222, 10.10.10.2:30222, 10.10.10.3:30222), and then Kube Proxy will forward it to the service of type ClusterIP that exists inside the cluster.

You also asked: Does the NodePort service type still use the ClusterIP? Yes*
Or is the NodeIP actually the IP found when you run kubectl get nodes? Also Yes*

Let’s draw a parallel between Fundamentals: A container is inside a pod. A pod is inside a replicaset. A replicaset is inside a deployment. Well similarly: A ClusterIP Service is part of a NodePort Service. A NodePort Service is part of a Load Balancer Service.

In that diagram you showed, the Client would be a pod inside the cluster.
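To make the address sets listed in Answer 1 and the worked numbers in Answer 2 concrete, here are the three Services written out as manifests. This is an added example, not code from either answer. It assumes a Deployment labelled app: myapp whose containers listen on port 8080 (constructed), that the namespace mynamespace already exists, and it reuses Answer 2's nodePorts 31852 and 30222 and load balancer IP 1.2.3.4. The externalTrafficPolicy and loadBalancerSourceRanges fields are standard Service fields neither answer mentions; the CIDR in loadBalancerSourceRanges is constructed.

```yaml
# Added example (not part of Answer 1 or Answer 2). All three Services select
# a constructed Deployment labelled app: myapp whose containers listen on 8080.
# The comments give the address:port pairs each Service makes reachable, in the
# spec.<field>:spec.ports[*].<field> notation Answer 1 uses.
apiVersion: v1
kind: Service
metadata:
  name: myservice              # resolves as myservice.default.svc.cluster.local inside the cluster
  namespace: default
spec:
  type: ClusterIP              # reachable only as spec.clusterIp:80, and only from inside the cluster
  selector:
    app: myapp
  ports:
    - name: http
      port: 80                 # spec.ports[*].port: the port on the cluster IP
      targetPort: 8080         # spec.ports[*].targetPort: the container port kube-proxy forwards to
---
apiVersion: v1
kind: Service
metadata:
  name: mynodeportservice
  namespace: mynamespace
spec:
  type: NodePort               # reachable as <NodeIP>:31852 on EVERY node (10.10.10.1/.2/.3 in Answer 2)
  selector:                    # and still as spec.clusterIp:80 from inside the cluster
    app: myapp
  ports:
    - name: http
      port: 80
      targetPort: 8080
      nodePort: 31852          # optional; must fall in 30000-32767, otherwise Kubernetes picks one at random
  externalTrafficPolicy: Local # only nodes that actually run a myapp Pod accept traffic on the nodePort,
                               # and the client source IP is preserved for firewalls and access logs
---
apiVersion: v1
kind: Service
metadata:
  name: mylbservice
  namespace: mynamespace
spec:
  type: LoadBalancer           # reachable as spec.loadBalancerIp:80 (1.2.3.4 in Answer 2), plus the implicit
  selector:                    # <NodeIP>:30222 and spec.clusterIp:80 of the NodePort/ClusterIP it wraps
    app: myapp
  ports:
    - name: http
      port: 80
      targetPort: 8080
      nodePort: 30222          # the implicit NodePort; omit it to let Kubernetes choose one
  loadBalancerSourceRanges:    # only these client networks are admitted by the cloud load balancer;
    - 203.0.113.0/24           # constructed CIDR. Without the list the LB admits any source address.
```

After kubectl apply -f on this file, kubectl get svc -A shows the chain directly: the ClusterIP Service lists PORT(S) 80/TCP, while the NodePort and LoadBalancer Services list 80:31852/TCP and 80:30222/TCP, and EXTERNAL-IP stays <pending> on a cluster without a cloud provider integration, which is the bare-metal caveat Answer 2 points out. Because the nodePort is opened on every node regardless of where the Pods run, the two restrictive fields (externalTrafficPolicy: Local and loadBalancerSourceRanges) are the ones worth checking before exposing anything beyond the private subnet.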

ANSWER3

Let’s assume you created an Ubuntu VM on your local machine. Its IP address is 192.168.1.104.

You log in to the VM and install Kubernetes. Then you create a pod with the nginx image running on it.

1- If you want to access this nginx pod inside your VM, you will create a ClusterIP bound to that pod, for example:

$ kubectl expose deployment nginxapp --name=nginxclusterip --port=80 --target-port=8080

Then in your browser you can type the IP address of nginxclusterip with port 80, like:

http://10.152.183.2:80

2- If you want to access this nginx pod from your host machine, you will need to expose your deployment with NodePort. For example:

$ kubectl expose deployment nginxapp --name=nginxnodeport --port=80 --target-port=8080 --type=NodePort

Now from your host machine you can access nginx like:

http://192.168.1.104:31865/

In my dashboard they appear as:

(image: https://i.stack.imgur.com/jQnPs.png)

Below is a diagram that shows the basic relationship.

[diagram]

| Feature       | ClusterIP | NodePort | LoadBalancer |
| ------------- | --------- | -------- | ------------ |
| Exposition    | Exposes the Service on an internal IP in the cluster. | Exposes services to external clients. | Exposes services to external clients. |
| Cluster       | This type makes the Service only reachable from within the cluster. | With a NodePort service, each cluster node opens a port on the node itself (hence the name) and redirects traffic received on that port to the underlying service. | A LoadBalancer service is accessible through a dedicated load balancer, provisioned from the cloud infrastructure Kubernetes is running on. |
| Accessibility | It is the default service type; internal clients send requests to a stable internal IP address. | The service is accessible at the internal cluster IP:port, and also through a dedicated port on all nodes. | Clients connect to the service through the load balancer’s IP. |
| YAML config   | type: ClusterIP | type: NodePort | type: LoadBalancer |
| Port range    | Any public IP from the cluster | 30000 – 32767 | Any public IP from the cluster |
| Use cases     | For internal communication. | Best for testing public or private access or providing access for a small amount of time. | Widely used for external communication. |


ANSWER4

  • Summary:

    • There are five types of Services:

      • ClusterIP (default): Internal clients send requests to a stable internal IP address.
      • NodePort: Clients send requests to the IP address of a node on one or more nodePort values that are specified by the Service.
      • LoadBalancer: Clients send requests to the IP address of a network load balancer.
      • ExternalName: Internal clients use the DNS name of a Service as an alias for an external DNS name.
      • Headless: You can use a headless service when you want a Pod grouping, but don’t need a stable IP address.

      The NodePort type is an extension of the ClusterIP type. So a Service of type NodePort has a cluster IP address.

      The LoadBalancer type is an extension of the NodePort type. So a Service of type LoadBalancer has a cluster IP address and one or more nodePort values.


  • Illustrate through Image
    [image]

  • Details

    • ClusterIP

      • ClusterIP is the default and most common service type.

      • Kubernetes will assign a cluster-internal IP address to a ClusterIP service. This makes the service only reachable within the cluster.

      • You cannot make requests to the service (pods) from outside the cluster. You can optionally set the cluster IP in the service definition file.

      • Use Cases

        • Inter-service communication within the cluster. For example, communication between the front-end and back-end components of your app.

    • NodePort

      • A NodePort service is an extension of a ClusterIP service. A ClusterIP Service, to which the NodePort Service routes, is automatically created.

      • It exposes the service outside of the cluster by adding a cluster-wide port on top of ClusterIP.

      • NodePort exposes the service on each Node’s IP at a static port (the NodePort). Each node proxies that port into your Service. So, external traffic has access to a fixed port on each Node. It means any request to your cluster on that port gets forwarded to the service.

      • You can contact the NodePort Service, from outside the cluster, by requesting <NodeIP>:<NodePort>.

      • The node port must be in the range of 30000–32767. Manually allocating a port to the service is optional. If it is undefined, Kubernetes will automatically assign one.

      • If you are going to choose the node port explicitly, ensure that the port is not already used by another service.

      • Use Cases

        • When you want to enable external connectivity to your service. Using a NodePort gives you the freedom to set up your own load balancing solution, to configure environments that are not fully supported by Kubernetes, or even to expose one or more nodes’ IPs directly. Prefer to place a load balancer above your nodes to avoid node failure.

    • LoadBalancer

      • A LoadBalancer service is an extension of a NodePort service. NodePort and ClusterIP Services, to which the external load balancer routes, are automatically created.

      • It integrates NodePort with cloud-based load balancers.

      • It exposes the Service externally using a cloud provider’s load balancer.

      • Each cloud provider (AWS, Azure, GCP, etc.) has its own native load balancer implementation. The cloud provider will create a load balancer, which then automatically routes requests to your Kubernetes Service.

      • Traffic from the external load balancer is directed at the backend Pods. The cloud provider decides how it is load balanced.

      • The actual creation of the load balancer happens asynchronously.

      • Every time you want to expose a service to the outside world, you have to create a new LoadBalancer and get an IP address.

      • Use Cases

        • When you are using a cloud provider to host your Kubernetes cluster.

    • ExternalName

      • Services of type ExternalName map a Service to a DNS name, not to a typical selector such as my-service.

      • You specify these Services with the spec.externalName parameter. It maps the Service to the contents of the externalName field (e.g. foo.bar.example.com), by returning a CNAME record with its value.

      • No proxying of any kind is established.

      • Use Cases

        • This is commonly used to create a service within Kubernetes to represent an external datastore like a database that runs externally to Kubernetes.
        • You can use that ExternalName service (as a local service) when Pods from one namespace talk to a service in another namespace.
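The ExternalName and Headless types from this answer's summary are easiest to see as manifests. The following is an added example, not from the answer or from the Kubernetes project: an ExternalName Service that aliases an external database hostname (db.example.com, constructed), a second ExternalName Service that aliases a Service in another namespace as the last bullet describes (payments-api in the constructed billing namespace), and a headless Service (clusterIP: None) over the constructed app: myapp Pods. The shop namespace is also constructed and must exist.

```yaml
# Added example (not part of the answer above). Two ExternalName Services and
# one headless Service; all names, namespaces and hostnames are constructed.
apiVersion: v1
kind: Service
metadata:
  name: orders-db              # Pods in "shop" connect to orders-db (or orders-db.shop.svc.cluster.local)
  namespace: shop
spec:
  type: ExternalName
  externalName: db.example.com # hostname of a database running outside Kubernetes; cluster DNS answers
                               # the Service name with a CNAME to it. No selector, no proxying.
  ports:
    - port: 5432               # informational only: no endpoint and no kube-proxy rule is created for it
---
apiVersion: v1
kind: Service
metadata:
  name: payments               # alias so Pods in "shop" can use the short name "payments"
  namespace: shop
spec:
  type: ExternalName           # cross-namespace alias, as the last bullet above describes
  externalName: payments-api.billing.svc.cluster.local   # a Service living in the "billing" namespace
---
apiVersion: v1
kind: Service
metadata:
  name: myapp-headless
  namespace: shop
spec:
  clusterIP: None              # headless: no virtual IP is allocated, so a DNS lookup of
  selector:                    # myapp-headless.shop.svc.cluster.local returns the Pod IPs directly
    app: myapp                 # label of the constructed Deployment
  ports:
    - port: 8080
```

Because an ExternalName Service is only a CNAME, the connection still goes straight from the Pod to db.example.com: any egress NetworkPolicy is evaluated against that real destination, and a TLS client will be presented with a certificate for db.example.com rather than for orders-db.shop, so clients must verify against the external name. The headless Service likewise involves no kube-proxy load balancing; the client picks among the returned Pod IPs itself.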

ANSWER5

  1. clusterIP: IP accessible inside the cluster (across nodes within the cluster).
     nodeA : pod1 => clusterIP1, pod2 => clusterIP2
     nodeB : pod3 => clusterIP3.

     pod3 can talk to pod1 via their clusterIP network.

  2. nodeport: to make pods accessible from outside the cluster via nodeIP:nodeport, it will create/keep the clusterIP above as its clusterIP network.
     nodeA => nodeIPA : nodeportX
     nodeB => nodeIPB : nodeportX

     You might access the service on pod1 either via nodeIPA:nodeportX or nodeIPB:nodeportX. Either way will work because kube-proxy (which is installed in each node) will receive your request and distribute it [redirect it (iptables term)] across nodes using the clusterIP network.

  3. Load balancer

     Basically just putting an LB in front, so that inbound traffic is distributed to nodeIPA:nodeportX and nodeIPB:nodeportX, then continue with the process flow number 2 above.

