kubernetes services not allowing to bind to the same nodeport for tcp and udp protocols

[joeblackwaslike]

We have the following service manifest for kamailio:

kind: Service
apiVersion: v1
metadata: 
  name: kamailio
  labels:
    app: kamailio
    role: sip-proxy
spec:
  selector:
    app: kamailio
    project: valuphone
  type: NodePort
  clusterIP: None
  ports:
    - name: sip-tcp
      protocol: TCP
      port: 5060
      nodePort: 5060
    - name: sip-udp
      protocol: UDP
      port: 5060
      nodePort: 5060
    - name: sip-tls
      protocol: TCP
      port: 5061
      nodePort: 5061
    - name: alg-tcp
      protocol: TCP
      port: 7000
      nodePort: 7000
    - name: alg-udp
      protocol: UDP
      port: 7000
      nodePort: 7000
    - name: alg-tls
      protocol: TCP
      port: 7001
      nodePort: 7001  

When I try to create it, it gives the following error:

The Service "kamailio" is invalid.
spec.ports[1].nodePort: invalid value '5060', Details: provided port is already allocated

It appears that the error checking kubernetes does of the service manifest isn't taking into account that udp and tcp ports are different ports. If i run it through and change the tcp ports to one port higher, it works.

I discussed the possible bug with the kubernetes developers and they had this to say:

justinsb [8:17 PM] 
@xwhyz: I think it’s actually a bug/design mistake (my mistake) that we don’t allow you to bind the same NodePort for both TCP & UDP

[8:18] 
It’s not a huge deal if you have ELB in front, because it will redirect the ports anyway

[8:19] 
Not sure what to recommend if you’re not using ELB though

[8:19] 
It’s definitely a fixable bug.  Though likely not in 1.2

the following manifest is working, but doesn't meet the sip standards as i understand them:

kind: Service
apiVersion: v1
metadata: 
  name: kamailio
  labels:
    app: kamailio
    role: sip-proxy
spec:
  selector:
    app: kamailio
    project: valuphone
  type: NodePort
  clusterIP: None
  ports:
    - name: sip-tcp
      protocol: TCP
      port: 5060
      nodePort: 5060
    - name: sip-udp
      protocol: UDP
      port: 5060
      #nodePort: 5060
      nodePort: 5061
    - name: sip-tls
      protocol: TCP
      port: 5061
      # nodePort: 5061
      nodePort: 5062
    - name: alg-tcp
      protocol: TCP
      port: 7000
      nodePort: 7000
    - name: alg-udp
      protocol: UDP
      port: 7000
      # nodePort: 7000
      nodePort: 7001
    - name: alg-tls
      protocol: TCP
      port: 7001
      nodePort: 7002   

Here is the output of kubectl describe svc kamailio

Name:           kamailio
Namespace:      default
Labels:         app=kamailio,role=sip-proxy
Selector:       app=kamailio,project=valuphone
Type:           NodePort
IP:             None
Port:           sip-tcp 5060/TCP
NodePort:       sip-tcp 5060/TCP
Endpoints:      172.17.16.27:5060,172.17.20.76:5060,172.17.60.89:5060
Port:           sip-udp 5060/UDP
NodePort:       sip-udp 5061/UDP
Endpoints:      172.17.16.27:5060,172.17.20.76:5060,172.17.60.89:5060
Port:           sip-tls 5061/TCP
NodePort:       sip-tls 5062/TCP
Endpoints:      172.17.16.27:5061,172.17.20.76:5061,172.17.60.89:5061
Port:           alg-tcp 7000/TCP
NodePort:       alg-tcp 7000/TCP
Endpoints:      172.17.16.27:7000,172.17.20.76:7000,172.17.60.89:7000
Port:           alg-udp 7000/UDP
NodePort:       alg-udp 7001/UDP
Endpoints:      172.17.16.27:7000,172.17.20.76:7000,172.17.60.89:7000
Port:           alg-tls 7001/TCP
NodePort:       alg-tls 7002/TCP
Endpoints:      172.17.16.27:7001,172.17.20.76:7001,172.17.60.89:7001

• it seems the best fix for this situation after some discussion with the kubernetes dev's is to add some rules to iptables to direct the traffic to come in from the correct ports, but obviously we're looking for the best solution to the problem

[joeblackwaslike]

fixed awhile ago