Expose your applications using Kubernetes Services
Kubernetes Workloads can be exposed to each other, but they can also be publicly exposed to the Internet using Kubernetes Services and Ingresses.
A Service allocates a dedicated IP address for the exposed application, whereas an Ingress works for HTTP-based protocols to alleviate the need for a separate IP at each endpoint.
For stateless Web services, the Serverless framework may be a good option. In this framework, the application is automatically deployed with a TLS-enabled hostname and autoscaling enabled.
Making Services public to the Internet is done by deploying a
LoadBalancerService type with an annotation that allocates a public IP for the Service.
Without a public IP annotation, a private static IP will be allocated. This is mostly useful for Services accessed from outside the cluster via a Site-to-Site VPN.
Depending on where your workloads are configured to run, public IP pools are accessible via the region location using the following corresponding tags:
Address Pool Label
In this example, an SSHD LoadBalancer Service is deployed with the region annotation
- name: sshd
To ensure optimal traffic routing, ensure that your Workload is only scheduled to run in the same region from which a public IP is being requested. Use the region label affinity to limit scheduling of the Workload to a single region.
The traditional Kubernetes pattern dictates that one or many Pods with dynamic internal IP addresses be exposed behind a Service or Ingress which itself has a static IP address.
For certain use cases, such as where only one Pod is behind a Service, it might make sense to attach the Service IP directly to the Pod. A Pod would then have a static public IP as its Pod IP.
All connections originating from the Pod will show this IP as its source address, and this address will serve as its local IP.
This is a non-standard approach for containers, and should be used only when the traditional Service/Pod pattern is not feasible.
Directly attaching the Service IP is beneficial in the following scenarios:
- The application needs to expose a large number of ports (more than 10), so listing them out in the Service definition is impractical
- The application needs to see the Service IP on the network interface inside the Pod
- Connections originating from the Pod to the outside world need to originate from the Service IP
- The application needs to receive all traffic, regardless of type and port
- The Workload is a Virtual Machine type, where a static IP provides a more native experience
An application that directly attaches to a Service IP can run with a maximum of
1replicas, as there would otherwise be multiple Pods with the same Pod IP. Also, traffic to the Pod will not be filtered; all traffic inbound to the IP will be sent to the Pod. Network Policies can be used for additional security.
A stub Service needs to be created to allocate the IP. The Service should expose only port
1, as shown in the example below:
- port: 1 # Do not change this
# Do not add any additional ports, it is not required for direct attach
coreweave.cloud/ignore: ignore # Do not change this
Then, to attach the IP from the Service directly to a Pod, annotate the Pod spec:
Using an Ingress for HTTP-based applications is beneficial, as it saves IP address space and automatically provides a DNS name as well as TLS certificate to allow access to your application via
CoreWeave provides the infrastructure setup, including the Ingress Controller; all you need to do is deploy an
Ingressmanifest in the format of
The example below demonstrates an Ingress called
my-app, exposed via an Ingress in the ORD1 data center region for a namespace called
tenant-test-default. If a custom domain name is desired, a custom Ingress Controller may be deployed from the CoreWeave application Catalog.
traefik.ingress.kubernetes.io/router.middlewares: tenant-test-default-redirect-[email protected]
- host: my-app.tenant-test-default.ord1.ingress.coreweave.cloud
secretName: my-app-tls # This secret is automatically created for you
Kubernetes internal DNS provides Service discovery inside the cluster, allowing connections between Services and Pods without the use of IP addresses. Many applications will need to be reached both from inside the cluster as well as from the Internet.
CoreWeave provides External DNS out of the box for all types of applications - the given DNS name simply must be in the format of
- name: sshd