Accessing Services from Outside the Cluster

Time updated：2025-12-22 09:26:17

Services expose applications running on pods as network services, providing a fixed address (domain name or IP address) for client access. Accessing a service allows access to the application deployed within the cluster.

KubeSphere supports accessing services from outside the cluster via NodePort, LoadBalancer, Ingress, or port forwarding.

This section uses the Bookinfo application as an example to describe how to access services from outside the cluster. Before proceeding with the following steps, please first deploy Bookinfo or another application in your project.

Access a Service via NodePort

NodePort: The system maps a node’s port to the service port, allowing access to the service via the node’s IP address and the node port.

In the left navigation pane of the cluster or workspace, select Application Workloads > Services.
Click on the right side of the corresponding service (e.g., productpage) and select Edit External Access.
In the Access Mode, select NodePort and click OK.
In the External Access column of the service list, view the exposed node port.
In a browser, enter <Node IP>:<Node Port> to access the service from outside the cluster.

Note

Before accessing the service, you may need to configure port forwarding rules and allow the port in the security group.

Note
Before accessing the service, you may need to configure port forwarding rules and allow the port in the security group.

Access a Service via LoadBalancer

LoadBalancer: Based on a NodePort service, the system assigns an external IP address to the service and binds it to an external load balancer. The external load balancer listens on the node port corresponding to the service, enabling access to the service via the external IP address. To achieve this, a LoadBalancer type service requires support from a load balancer extension and the underlying infrastructure environment, and relevant annotations need to be set. For more information, please contact your infrastructure environment provider.

Prerequisites

Please create the external load balancer for binding to the service in advance. You can use a load balancer provided by a cloud service provider or an open-source load balancing solution, such as OpenELB.
The load balancer is in the same private network as the KubeSphere cluster, and the load balancer is bound to a public IP address.

Note
For specific operations, please refer to the user guide of your cloud environment or contact your cloud service provider.

Note

For specific operations, please refer to the user guide of your cloud environment or contact your cloud service provider.

Steps

In the left navigation pane of the cluster or workspace, select Application Workloads > Services.
Click on the right side of the corresponding service (e.g., productpage) and select Edit External Access.
In the Access Mode, select LoadBalancer, select the Load Balancer Provider and add the corresponding Annotations, then click OK.

Note

If a load balancer provider has been selected, the system will display annotation hints in the dropdown list when you click the Key text box.
In the External Access column of the service list, view the external IP address exposed through the load balancer.
Click the service name to enter its details page. On the Resource Status tab, in the Ports area, view the service port.
In a browser, enter <External IP Address>:<Service Port> to access the service from outside the cluster.

Note
If a load balancer provider has been selected, the system will display annotation hints in the dropdown list when you click the Key text box.

Access a Service via Ingress

Ingress: Ingress aggregates services and provides access from outside the cluster. Each Ingress contains mapping rules from a domain name and its subpaths to different services. Client traffic is first sent to the cluster gateway or project gateway. The cluster gateway or project gateway then forwards the traffic to different services based on the rules defined in the Ingress, thereby implementing reverse proxy for multiple services.

Prerequisites

Create an Ingress. The example application bookinfo has automatically created an Ingress.
Enable a cluster gateway or Enable a project gateway.

Steps

After the Ingress is created, you can access its backend services using any HTTP or HTTPS client.

In the left navigation pane of the cluster or workspace, select Application Workloads > Ingresses.
In the Ingress list, click the name of an Ingress to open its details page.
On the Resource Status tab, click Access Service on the right side of the routing rule you want to access.
- If the external access mode of the cluster gateway or project gateway is NodePort, the client needs to resolve the domain name to the IP address of any node in the cluster via a DNS service or the local hosts file, and access the Ingress via the domain name, path, and NodePort port number (e.g., example.com/test:30240).
- If the external access mode of the cluster gateway or project gateway is LoadBalancer, the client needs to resolve the domain name to the IP address of the project gateway’s load balancer via a DNS service or the local hosts file, and access the Ingress via the domain name and path (e.g., example.com/test).
If the Ingress is set up correctly, the browser will display the response information from the backend service.

Access a Service via Port Forwarding

Port forwarding is a method to establish a connection between a local computer and a service inside the cluster, typically used for local development and debugging purposes. When you perform port forwarding in a cluster, it usually maps a port of a service inside the cluster to a port on your local computer, allowing you to access these services on your local machine.

Prerequisites

There is at least one service in a project within the cluster. The example application bookinfo has automatically created multiple services.
The local computer needs to have the kubectl tool installed and be able to communicate normally with the KubeSphere cluster.

Steps

On a cluster node, execute the following command to check the created services.

kubectl get service <service-name> -n <project-name>

Example:

[root@node1 ~]# kubectl get service productpage -n demo-project
NAME          TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
productpage   ClusterIP   10.233.22.245   <none>        9080/TCP   6d23h

On the local computer, use kubectl port-forward for port forwarding.
kubectl port-forward service/<service-name> <local-port>:<service-port> -n <project-name>
Example:
[xxx@xxx ~]# kubectl port-forward service/productpage 34841:9080 -n demo-project Forwarding from 127.0.0.1:34841 -> 9080 Forwarding from [::1]:34841 -> 9080
You can also let kubectl choose and assign a local port by not specifying it, so you don’t need to manage local port conflicts. The command is as follows:
kubectl port-forward service/<service-name> :<service-port> -n <project-name>
Note

You can also use other resource names, such as Deployment name, Pod name, etc., for port forwarding. For more information, please refer to Kubernetes official documentation.
In a browser on the local computer, enter 127.0.0.1:<local-port> or localhost:<local-port> to access the service in the cluster.