Exposing Applications

Expose your applications using Kubernetes Services
Kubernetes Workloads can be exposed to each other, but they can also be publicly exposed to the Internet using Kubernetes Services and Ingresses.
A Service allocates a dedicated IP address for the exposed application, whereas an Ingress works for HTTP-based protocols to alleviate the need for a separate IP at each endpoint.
For stateless Web services, the Serverless framework may be a good option. In this framework, the application is automatically deployed with a TLS-enabled hostname and autoscaling enabled.

Internal Services

Internal, cluster-local Services should be configured as regular ClusterIP services.

Public Services

Making Services public to the Internet is done by deploying a LoadBalancer Service type with an annotation that allocates a public IP for the Service.
Without a public IP annotation, a private static IP will be allocated. This is mostly useful for Services accessed from outside the cluster via a Site-to-Site VPN.
Depending on where your workloads are configured to run, public IP pools are accessible via the region location using the following corresponding tags:
Address Pool Label

Example manifest

See sshd-public-service.yaml for an example SSHD LoadBalancer Service deployed with the region annotation public-ord1
To ensure optimal traffic routing, ensure that your Workload is only scheduled to run in the same region from which a public IP is being requested. Use the region label affinity to limit scheduling of the Workload to a single region.

Attaching Service IPs directly to Pods

The traditional Kubernetes pattern dictates that one or many Pods with dynamic internal IP addresses be exposed behind a Service or Ingress which itself has a static IP address.
For certain use cases, such as where only one Pod is behind a Service, it might make sense to attach the Service IP directly to the Pod. A Pod would then have a static public IP as its Pod IP.
All connections originating from the Pod will show this IP as its source address, and this address will serve as its local IP.
This is a non-standard approach for containers, and should be used only when the traditional Service/Pod pattern is not feasible.
Directly attaching the Service IP is beneficial in the following scenarios:
  • The application needs to expose a large number of ports (more than 10), so listing them out in the Service definition is impractical
  • The application needs to see the Service IP on the network interface inside the Pod
  • Connections originating from the Pod to the outside world need to originate from the Service IP
  • The application needs to receive all traffic, regardless of type and port
  • The Workload is a Virtual Machine type, where a static IP provides a more native experience
An application that directly attaches to a Service IP can run with a maximum of 1 replicas, as there would otherwise be multiple Pods with the same Pod IP. Also, traffic to the Pod will not be filtered; all traffic inbound to the IP will be sent to the Pod. Network Policies can be used for additional security.

Example manifest

A stub Service needs to be created to allocate the IP. The Service should expose only port 1, as shown in the ip-direct-attached-to-pod.yaml example.
Then, to attach the IP from the Service directly to a Pod, annotate the Pod spec:
annotations: my-app

Using Ingresses

Using an Ingress for HTTP-based applications is beneficial, as it saves IP address space and automatically provides a DNS name as well as TLS certificate to allow access to your application via https.
CoreWeave provides the infrastructure setup, including the Ingress Controller; all you need to do is deploy an Ingress manifest in the format of <app>.<namespace>.<region>

Example manifest

The ingress-example.yaml example below demonstrates an Ingress called my-app, exposed via an Ingress in the ORD1 data center region for a namespace called tenant-test-default. If a custom domain name is desired, a custom Ingress Controller may be deployed from the CoreWeave application Catalog.

Using External DNS

Kubernetes internal DNS provides Service discovery inside the cluster, allowing connections between Services and Pods without the use of IP addresses. Many applications will need to be reached both from inside the cluster as well as from the Internet.
CoreWeave provides External DNS out of the box for all types of applications - the given DNS name simply must be in the format of <your-choice>.<namespace>

Example manifest

See external-dns.yaml for an example manifest that creates External DNS.