Exposing services
In Go, that looks like this:
http.ListenAndServe(":80", nil)
The above code will bind to all TCP interfaces. Since Kubernetes does support dual-stack IPv4 & IPv6 our services should bind to all interfaces (we do not currently have IPv6 services).
If you must specify an ip address to expose your service on, choosing 0.0.0.0:port
is typically a good choice. What this does can be OS and platform-specific.
Binding to localhost:port
or 127.0.0.1:port
is binding to a local-only interface that constrained to the same "host". In Kubernetes, other containers within the Pod may still communicate with this service AND you may port-forward this container and associated service
(Why?).
This may be preferred in a sidecar pattern where you do not want a container accessible outside a Pod or when you don't want expose your laptop to the cofeeshop wifi but generally, code should not be merged that binds to localhost
or 127.0.0.1
.
How can I port-forward a local only service?
Due to the way that kube-proxy works when you port-forward a pod or a service kube-proxy opens a tunnel to that pod (or a pod that backs that service). This can make debugging why a service is accessible in the pod but not outside of the pod hard to understand.
You can also use kubectl port-forward --address 0.0.0.0
if you need to expose a port-forwarded service outside of your local machine (it defaults to 127.0.0.1
). link :exploding_head:
CI
We also have CI test for this here
References
- https://stackoverflow.com/questions/20778771/what-is-the-difference-between-0-0-0-0-127-0-0-1-and-localhost
- https://serverfault.com/questions/21657/semantics-of-and-0-0-0-0-in-dual-stack-oses/39561#39561
- https://stackoverflow.com/questions/49067160/what-is-the-difference-in-listening-on-0-0-0-080-and-80