Skip to main content

Kubernetes Ingress Services

Use this page when planning the public-cloud ingress resources needed for a ServiceRadar Kubernetes deployment. The list separates required control-plane ingress from optional telemetry collectors.

Do not expose internal service ports directly. Public traffic should terminate at a Gateway, ingress controller, or explicitly scoped collector LoadBalancer/NodePort equivalent, with firewall and source-CIDR controls wherever the sender set is known.

Baseline Ingress

PurposePublic PortProtocolKubernetes BackendCloud Resource ShapeNotes
Web UI, API, LiveView, and browser streams443, optional 80 redirectHTTPSserviceradar-web-ng:4000Shared or dedicated Gateway listener, DNS record, TLS certificateRoute /, /api, /api/query, websocket paths, and stream paths to web-ng.
Edge agent gateway50052mTLS gRPCserviceradar-agent-gatewayDeployment-reachable L4 service or Gateway listenerEdge agents connect outbound to this endpoint for config, control, and telemetry.
Agent artifact/download path50053TCPserviceradar-agent-gatewaySame L4 service as agent gateway when possibleUsed by the gateway artifact path. Keep it paired with the agent gateway identity and firewall policy.
OTLP HTTP ingest443HTTPSserviceradar-otlp:4318Shared or dedicated Gateway route, DNS record, TLS certificateRecommended external path for OTLP/HTTP because the Gateway can present a public certificate and forward plaintext in-cluster.
OTLP gRPC ingest50052TLS passthroughserviceradar-otlp:4317Shared or dedicated TLS Gateway listener with SNI routingWith passthrough, senders see the ServiceRadar collector certificate and must trust the ServiceRadar root CA or explicitly skip verification.

The web and OTLP HTTP routes are good candidates for a shared public Gateway with per-deployment hostnames. OTLP gRPC can also share a Gateway listener if the cloud/Gateway implementation supports TLS passthrough and SNI routing. The agent gateway is typically provisioned as its own deployment-reachable L4 endpoint unless the platform has a deliberate multiplexing design for agent traffic.

Optional Telemetry Collectors

Provision these only for deployments that ingest telemetry directly from routers, switches, firewalls, SIEM forwarders, or similar external systems.

PurposePublic PortProtocolKubernetes BackendCloud Resource ShapeIsolation Note
Syslog UDP514UDPserviceradar-log-collector:514UDP Gateway listener or dedicated UDP load balancerUDP has no hostname/SNI. Use a deployment-specific IP or a deployment-specific port when multiple deployments share infrastructure.
Syslog TCP514TCPserviceradar-log-collector-tcp:514TCP load balancer or Gateway TCP listenerOptional. Enable only when the deployment needs TCP syslog.
NetFlow2055UDPserviceradar-flow-collector:2055Dedicated UDP load balancer or routed private serviceNetFlow v9 templates are exporter and collector scoped. Keep exporter affinity stable.
sFlow6343UDPserviceradar-flow-collector:6343Dedicated UDP load balancer or routed private serviceOften shares the same collector address as NetFlow.
IPFIX alternate port4739UDPserviceradar-flow-collector:4739Dedicated UDP load balancer or routed private serviceOptional. Enable only when exporters require the conventional IPFIX port.
SNMP traps162UDPserviceradar-trapd:162Dedicated UDP load balancer or routed private serviceSNMP polling is outbound from agents; only traps need inbound UDP 162.
BGP BMP11019TCPserviceradar-bmp-collector:11019Dedicated TCP load balancer or routed private serviceBMP sessions usually come from routers and should be tightly source-restricted.

For UDP collectors, prefer a deployment-specific IP address when customers expect standard ports such as 514, 162, 2055, or 6343. A shared IP with unique ports can work operationally, but it requires customer device configuration that may be harder to standardize.

Internal Only

These services should remain internal to the ServiceRadar namespace, the cluster, or the platform control plane:

ServicePortReason
serviceradar-web-ng4000Serve only behind Gateway/ingress.
serviceradar-core / core-elx8090, 50052, 9090Internal API, gRPC, and metrics paths.
serviceradar-datasvc50057Internal data service.
CNPG/PostgreSQL5432Database access; use private administration paths only.
NATS client, monitoring, and cluster ports4222, 8222, 6222Internal JetStream messaging. External NATS leaf-node access is platform infrastructure, not a default customer ingress.
ERTS distribution and epmd4369, 9100-9155Internal Erlang clustering only.
Collector management or metrics portsvariesExpose through private monitoring only.

Local development load balancers, direct database access services, and NATS debug access are not part of the baseline Kubernetes ingress model.

Cloud Provisioning Checklist

For each deployment, decide which ingress entries are enabled and provision:

  • DNS records for hostname-routed services.
  • TLS certificates for public HTTPS termination.
  • L4 load balancers or Gateway listeners for gRPC, TCP, and UDP services.
  • Firewall, security group, or load-balancer source CIDR restrictions for collector traffic.
  • Kubernetes HTTPRoute, TLSRoute, UDPRoute, or Service objects matching the chosen exposure model.
  • NetworkPolicy rules that admit only the Gateway data plane or approved source CIDRs to the backend pods.

For Kubernetes-specific values and examples, see Kubernetes External Ingestion. For a compact operator port reference, see Service Port Map.