# Kubernetes Network Port Configuration Tutorial ## Overview Understanding the different types of ports in Kubernetes networking is crucial for proper application deployment and traffic routing. This tutorial explains the differences between Dockerfile EXPOSE ports, Kubernetes containerPort, Service port, and Istio HTTP ports. ## Port Types in Kubernetes Networking ### 1. Dockerfile EXPOSE Port The `EXPOSE` instruction in a Dockerfile documents which ports the application inside the container listens on. ```dockerfile # Example Dockerfile FROM nginx:alpine EXPOSE 80 COPY . /usr/share/nginx/html ``` **Key Points:** - **Purpose**: Documentation only - tells users which ports the container expects to use - **Functionality**: Does NOT actually publish or open the port - **Best Practice**: Always include EXPOSE for clarity, even though it's not strictly required ### 2. Kubernetes containerPort Defined in Pod/Deployment specifications, this specifies which port the container listens on inside the Pod. ```yaml # Example Deployment apiVersion: apps/v1 kind: Deployment metadata: name: web-app spec: replicas: 3 selector: matchLabels: app: web-app template: metadata: labels: app: web-app spec: containers: - name: web-app image: nginx:alpine ports: - containerPort: 80 # Port the container listens on name: http protocol: TCP ``` **Key Points:** - **Purpose**: Specifies the port number the container application listens on - **Functionality**: Purely informational for Kubernetes - doesn't affect networking - **Best Practice**: Should match the port your application actually listens on ### 3. Kubernetes Service Port The Service port is what other applications use to connect to your service. ```yaml # Example Service apiVersion: v1 kind: Service metadata: name: web-app-service spec: selector: app: web-app ports: - name: http port: 8080 # Port exposed by the Service (what clients connect to) targetPort: 80 # Port on the container (where traffic is forwarded) protocol: TCP type: ClusterIP ``` **Key Points:** - **port**: The port exposed by the Service (external-facing) - **targetPort**: The port on the container where traffic is forwarded - **Purpose**: Provides stable networking endpoint for Pod access - **Types**: ClusterIP, NodePort, LoadBalancer, ExternalName ### 4. Istio HTTP Port In Istio service mesh, additional configuration is needed for HTTP traffic routing. ```yaml # Example VirtualService apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: web-app-vs spec: hosts: - web-app-service http: - match: - port: 8080 # Matches traffic on this port route: - destination: host: web-app-service port: number: 8080 # Forward to this Service port ``` ```yaml # Example Gateway apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: name: web-app-gateway spec: selector: istio: ingressgateway servers: - port: number: 80 # External port (HTTP) name: http protocol: HTTP hosts: - web-app.example.com ``` **Key Points:** - **Gateway Port**: External-facing port for ingress traffic - **VirtualService Port**: Matches and routes traffic within the mesh - **Purpose**: Advanced traffic management, security, and observability ## Port Configuration Summary Table | Port Type | Location | Purpose | Required | Example | |-----------|----------|---------|----------|---------| | EXPOSE | Dockerfile | Documentation | No | `EXPOSE 80` | | containerPort | Pod/Deployment | Container listening port | No* | `containerPort: 80` | | Service port | Service | External access port | Yes | `port: 8080` | | Service targetPort | Service | Container target port | Yes | `targetPort: 80` | | Istio Gateway port | Gateway | Ingress port | Yes** | `number: 80` | | Istio VirtualService port | VirtualService | Traffic matching | Yes** | `port: 8080` | *Not required but highly recommended for clarity **Required when using Istio ## Data Flow Diagram: Client Access to Application in Kubernetes ```mermaid graph TD A[External Client] -->|HTTP Request :80| B[Istio Gateway] B -->|Routes to| C[Istio Ingress Gateway Pod] C -->|Forward to| D[Kubernetes Service :8080] D -->|Load Balance to| E[Pod 1 :80] D -->|Load Balance to| F[Pod 2 :80] D -->|Load Balance to| G[Pod 3 :80] E -->|Container Process| H[Application :80] F -->|Container Process| I[Application :80] G -->|Container Process| J[Application :80] style A fill:#e1f5fe style B fill:#f3e5f5 style D fill:#e8f5e8 style E fill:#fff3e0 style F fill:#fff3e0 style G fill:#fff3e0 style H fill:#fce4ec style I fill:#fce4ec style J fill:#fce4ec ``` ## Detailed Data Flow Steps ### 1. External Client Request - Client sends HTTP request to `web-app.example.com:80` - DNS resolves to Istio Gateway's external IP ### 2. Istio Gateway Processing - Gateway receives traffic on port 80 - Matches request against configured hosts - Routes to appropriate VirtualService ### 3. VirtualService Routing - VirtualService evaluates routing rules - Forwards traffic to Kubernetes Service on port 8080 - Can apply traffic policies (retries, timeouts, etc.) ### 4. Kubernetes Service Load Balancing - Service receives traffic on port 8080 - Selects healthy Pods using label selectors - Load balances traffic to targetPort 80 on selected Pods ### 5. Pod and Container Processing - Pod receives traffic on containerPort 80 - Container application processes the request - Response follows the same path in reverse ## Common Port Configuration Patterns ### Pattern 1: Simple HTTP Application ```yaml # Dockerfile EXPOSE 8080 # Deployment containerPort: 8080 # Service port: 80 targetPort: 8080 # Istio Gateway port: 80 (HTTP) ``` ### Pattern 2: HTTPS with TLS Termination ```yaml # Istio Gateway port: 443 (HTTPS) tls: mode: SIMPLE credentialName: web-app-certs # Service (internal HTTP) port: 80 targetPort: 8080 ``` ### Pattern 3: Multiple Ports ```yaml # Service with multiple ports ports: - name: http port: 80 targetPort: 8080 - name: grpc port: 9090 targetPort: 9090 ``` ## Best Practices 1. **Consistency**: Keep port numbers consistent where possible 2. **Documentation**: Always use EXPOSE in Dockerfile 3. **Naming**: Use descriptive port names in Services 4. **Security**: Use non-root ports (>1024) in containers 5. **Monitoring**: Include ports in health checks and monitoring