services running on minikube cluster are inaccessible

[alexkim-avant]

What Happened?

Hello,

I am running into an issue where after deploying my kubernetes application and service to the minikube cluster, I cannot access them through the command minikube service <service-name>.

Versions:
Docker client 20.10.13
Docker Desktop 4.6.0
minikube v1.25.2
skaffold v1.36.1
macOS Catalina v10.15.7

Steps:
Run minikube start --driver=docker --kubernetes-version=v1.21.10

😄  minikube v1.25.2 on Darwin 10.15.7
✨  Using the docker driver based on user configuration
👍  Starting control plane node minikube in cluster minikube
🚜  Pulling base image ...
🔥  Creating docker container (CPUs=2, Memory=7911MB) ...
🐳  Preparing Kubernetes v1.21.10 on Docker 20.10.12 ...
    ▪ kubelet.housekeeping-interval=5m
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

Run skaffold dev with the following service.yaml file:

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: NodePort
  ports:
    - port: 9000
      targetPort: 9000
      protocol: TCP
      name: web
  selector:
    app: my-app

Run minikube service my-service:

🏃  Starting tunnel for service my-service.
🎉  Opening service default/my-service in default browser...
❗  Because you are using a Docker driver on darwin, the terminal needs to be open to run it. 

This step opens my browser and attempts to connect to the URL http://192.168.49.2:30897/. However, this loads forever and doesn't actually connect me to my app.

Run minikube service list while tunnel is open:

|-------------|------------------------|--------------|-----|
|  NAMESPACE  |          NAME          | TARGET PORT  | URL |
|-------------|------------------------|--------------|-----|
| default     | my-service             | web/9000     |     |
| default     | kubernetes             | No node port |
| default     | postgres-postgresql    | No node port |
| default     | postgres-postgresql-hl | No node port |
| kube-system | kube-dns               | No node port |
|-------------|------------------------|--------------|-----|

shows that there is no URL.

Run docker port minikube while the tunnel is open:

32443/tcp -> 127.0.0.1:65196
5000/tcp -> 127.0.0.1:65197
8443/tcp -> 127.0.0.1:65198
22/tcp -> 127.0.0.1:65194
2376/tcp -> 127.0.0.1:65195

The application port 30897 isn't listed as an accessible port for the docker container running minikube.

If I SSH into the minikube container with minikube ssh and use curl to hit my service, I get a response:

docker@minikube:~$ curl http://192.168.49.2:30897/ping
"pong"
docker@minikube:~$ curl http://localhost:30897/ping
"pong"

So in summary, my service is accessible within the minikube docker container, but running minikube service my-service does not actually connect me to my service.

Attach the log file

log.txt

Operating System

macOS (Default)

Driver

Docker

[zhan9san]

Hi @alexkim-avant

It seems both UI and document need to be improved. I am glad to work on it.

The bridge network in mac is different from in Linux, #7332 (comment)

Here is a workaround for your case

The tunnel is created between your Mac and Cluster IP instead of Node IP.

1. Get the service cluster IP

   It's 10.101.93.174.

   $. kubectl get svc -o wide
   NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE   SELECTOR
   kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP          18m   <none>
   web          NodePort    10.101.93.174   <none>        8080:32662/TCP   16m   app=web
   

2. Get the tunnel port on your Mac

   It's 54725(which is before cluster IP).

   $ ps -ef | grep ssh
   1195290332 75035 75010   0  9:18AM ttys010    0:00.01 ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -N [email protected] -p 53921 -i /Users/xxx/.minikube/machines/minikube/id_rsa -L 54725:10.101.93.174:8080

3. Access it from localhost

   $ curl http://127.0.0.1:54725
   Hello, world!
   Version: 1.0.0
   Hostname: web-746c8679d4-pw4gh
   

BTW, if you are using ingress, please refer to #12089

[alexkim-avant]

Hi @zhan9san,

Thanks for the response. A few follow up questions:

1. Does the service type need to be NodePort if we're tunneling to the ClusterIP?
2. Do I still need to run minikube service <service-name> to connect to the service?

[zhan9san]

Does the service type need to be NodePort if we're tunneling to the ClusterIP?

Technically, no need.

I think it is a bug. IMHO, if the service type is NodePort, the tunnel port should be .spec.nodePort, but currently, the tunnel port is .spec.targetPort. I'll try to fix it later, if it is verified.

Keep in mind, publishing-services-service-types

NodePort: Exposes the Service on each Node's IP at a static port (the NodePort). A ClusterIP Service, to which the NodePort Service routes, is automatically created. You'll be able to contact the NodePort Service, from outside the cluster, by requesting :.

Do I still need to run minikube service to connect to the service?

Yes. As I mentioned before, due to the limited bridge network on MacOS, a tunnel is required to access the service inside Kubernetes cluster. And the tunnel is created by minikube service <service-name> --url

If the --url is missing, this command will try to open default web browser to access http://<NodeIP>:<NodePort> if the service type is NodePort.

In short, once the culsterIP type service is created, you can run minikube service <service-name> --url to create a tunnel, and this command will hang until you enter ctrl + c

The available URL would be http://127.0.0.1:<PORT>, where the PORT can be found by ps -ef | grep ssh.

I'll submit another PR to output this URL(http://127.0.0.1:)

[zhan9san]

I just noticed the output issue has been fixed in codebase.

❯ ./minikube service web
|-----------|------|-------------|---------------------------|
| NAMESPACE | NAME | TARGET PORT |            URL            |
|-----------|------|-------------|---------------------------|
| default   | web  |        8080 | http://192.168.49.2:30076 |
|-----------|------|-------------|---------------------------|
🏃  Starting tunnel for service web.
|-----------|------|-------------|------------------------|
| NAMESPACE | NAME | TARGET PORT |          URL           |
|-----------|------|-------------|------------------------|
| default   | web  |             | http://127.0.0.1:65455 |
|-----------|------|-------------|------------------------|
🎉  Opening service default/web in default browser...
❗  Because you are using a Docker driver on darwin, the terminal needs to be open to run it.

[alexkim-avant]

I have minikube v1.25.2 which was the most recent version when I installed it two days ago. Should I try and reinstall?

[zhan9san]

No. The change was only merged into master branch, and it may be in next release. Certainly, you can compile it by yourself.

BTW, the change only fixes the UI issue, showing some friendly output. You can get the output following what I said before.

[ArangoGutierrez]

Same here, this is a hot fix

kubectl -n kube-system rollout restart deployment coredns

after that services can discover and be accessed.

[spowelljr]

Hi @alexkim-avant, as @zhan9san pointed out that issue was resolved with #13756. You can download the binary with the fix from this comment (#13736 (comment)) if you want to try it and see if it resolves you issue, thanks!

[ArangoGutierrez]

I have tried master branch, and can say it works now. no need to restart coredns to get services running

minikube version: v1.25.2
commit: 2b6319258bba0d295bd6bd0d4900fe1646c8be9d

[alexkim-avant]

Thank you! I will close the issue now.

[ArangoGutierrez]

This is back broken
/reopen

[ArangoGutierrez]

/open

[k8s-ci-robot]

@ArangoGutierrez: Reopened this issue.

In response to this:

This is back broken
/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ArangoGutierrez]

on current master, I had to restart the dns to fix this

[spencer-nicol]

I'm running minikube v1.25.2 with Docker v4.8.1 and the ingress addon is not accessible. I see this and other issues related to it have been raised for about 2 years. Is there any movement on this for the docker driver?

[zhan9san]

Hi @spencer-nicol

Could you please verify whether #13806 address this issue?

[spencer-nicol]

Hi @spencer-nicol

Could you please verify whether #13806 address this issue?

Using the tunnel does allow me to connect to the services, alternatively HyperKit also allows me to do this without tunneling. Is this fundamentally a Docker, MacOS, or virtualization issue? I'm curious if there will eventually be native support?

[zhan9san]

Is this fundamentally a Docker, MacOS, or virtualization issue?

It's Docker and MacOS issue. #7332 (comment) and per-container-ip-addressing-is-not-possible

I'm curious if there will eventually be native support?

I don't know, but probably won't.

[bugoverfl0w]

kubectl -n kube-system rollout restart deployment coredns

Thanks, it works for me. I don't know why :D

[repeating]

Type the following and you'll get a url
minikube service <service-name> --url
For example:

You can access your service through that url

[singlamohit1]

Although using minikube service <service-name> --url , I am able to open the service, but the service opened (mongo-express in my case) is not able to access the mongo db (other service which I created). It is asking me creds even though I mentioned it in the env.
Kindly help

[Terkea]

the issue is still present, any fix for this? I cannot use tunnels for what I need