Doubt in CKAD services section

In the CKAD course, specifically in the “Services & Networking” module, Mumshad explains how to access a web application hosted in a pod. My question is about the networking setup: if the node and my laptop are on the same network, how can I curl the pod’s IP by SSHing into the node? It seems like that wouldn’t be possible since the pod is on a different network. If I can curl from the node, then I should be able to access it directly from my laptop as well, since both are in the same network. Can you clarify this?

The typical solutions people use for that are ingress resources, which make it easier to access services from outside the cluster. You can also use tricks like kubectl port-forward to forward ports on the pod network outside of the cluster on the same host as where you’re running kubectl. It depends how much you want to get at, and how motivated you are to get at it :slight_smile:

Absolutely, you can use NodePort, port forwarding, LoadBalancer, Ingress, and other methods to access services externally. However, my main concern with Mumshad’s statement about accessibility within the cluster is whether he meant it’s inherently accessible without additional context, like using port forwarding or NodePort. I wasn’t sure if I was missing some concepts there.

Generally speaking, the pod network is not accessible externally. So you need one of those techniques to make external access possible. This is how you want it – in general, you don’t want outside access to the cluster, unless it’s explicitly secured somehow.

I understood your point @rob_kodekloud
but I am still looking for an answer to my question of how Mumshad assumed that it is accessible from the node. I must be missing something or some concept, since it was not mentioned.

Just want to add the following image to make my statement clear.

Given that your set-up is a bit unusual – you’re using your Linux laptop and doing a kubeadm install directly on top of it – you can indeed “see” the pod network directly. This is less a feature than a bug :slight_smile: since normally, you want your pod network to have some isolation from the outside world. So you can learn from your setup, but I would not call it an example of a secured K8s cluster :wink:

Since your laptop is also a node, the CNI network has a bridge interface. On your laptop, directly. So you do have direct access to pods on the laptop. Is this a feature or a bug? I’d say both. A feature, because since your laptop is a node of the cluster, it indeed is bridged to the pod network. A bug, because this is not something people do in real deployments. To put it mildly.

This is also a hypothetical I don’t think Mumshad was thinking of when he recorded the lecture.
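To see why a laptop that is itself a kubeadm node can reach pod IPs while an ordinary host on the same LAN cannot, here is an added Python example (not from the thread or the course) that does a longest-prefix route lookup over constructed `ip route` output; the interface names, pod CIDR and addresses are assumptions.

```python
import ipaddress

# Constructed sample route tables, not captured from any real machine.
# NODE_ROUTES mimics a kubeadm node: the CNI bridge (cni0) owns the local
# pod subnet and an overlay device carries the other nodes' pod subnets.
# LAPTOP_ROUTES mimics a host on the same LAN that is not a cluster node.
NODE_ROUTES = """\
default via 192.168.1.1 dev wlan0
10.244.0.0/24 dev cni0 proto kernel scope link src 10.244.0.1
10.244.1.0/24 via 10.244.1.0 dev flannel.1 onlink
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
"""
LAPTOP_ROUTES = """\
default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.21
"""


def parse_routes(text):
    """Turn `ip route` output into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes


def route_for(routes, ip):
    """Longest-prefix match: the most specific route covering `ip`."""
    addr = ipaddress.ip_address(ip)
    return max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)


def egress_device(routes, ip):
    """Interface that would carry traffic to `ip` (None if unroutable)."""
    match = route_for(routes, ip)
    return match[1] if match else None


def pod_reachable(routes, pod_ip):
    """True only if a route more specific than the default covers the pod IP.
    Falling through to the default route means the packet goes to the LAN
    gateway, which knows nothing about the pod network."""
    match = route_for(routes, pod_ip)
    return match is not None and match[0].prefixlen > 0
```

Running `ip route` on the node and on a non-node laptop and comparing the output the same way shows whether the pod CIDR is routable from a host, which is also a quick check for unintended exposure of the pod network.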