What does it mean for a Service to be of type NodePort, and have both port and targetPort specified?

nodePort is the port that a client outside of the cluster will "see". nodePort is opened on every node in your cluster via kube-proxy. With iptables magic Kubernetes (k8s) then routes traffic from that port to a matching service pod (even if that pod is running on a completely different node).

port is the port your service listens on inside the cluster. Let's take this example:

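---
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: NodePort          # without this the default type is ClusterIP, which rejects nodePort
  ports:
  - port: 8080            # port the Service listens on inside the cluster
    targetPort: 8070      # port on the pod that receives the traffic
    nodePort: 31222       # port opened on every node for external clients
    protocol: TCP
  selector:
    component: my-service-app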

From inside my k8s cluster this service will be reachable via my-service.default.svc.cluster.local:8080 (service to service communication inside your cluster) and any request reaching there is forwarded to a running pod on targetPort 8070.

targetPort is also by default the same value as port if not specified otherwise.


To better explain the concept, I visualize the Service's NodePort concept.

NodePort Service

As @fishi mentioned in his answer, NodePort allows exposing a k8s host port (aka nodePort) to external clients. A client can directly access the nodePort, and k8s forwards the traffic to the necessary port.

K8s reserves a nodePort on all its nodes. All nodes that are running the Service's pods have this port open.

Pods can be accessed not only through the internal cluster IP but also through the node's IP and the reserved port, aka the HOST_IP:NODE_PORT pair.
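
An added example (not part of either answer): a Python audit helper that resolves port, targetPort and nodePort for each Service and lists the HOST_IP:NODE_PORT pairs reachable from outside the cluster. The manifests, node IPs and the function name node_port_exposure are constructed for illustration; the cluster domain cluster.local is assumed, as in the first answer.

```python
import json

# Default kube-apiserver --service-node-port-range is 30000-32767.
DEFAULT_NODE_PORT_RANGE = range(30000, 32768)

# Constructed sample: Service manifests expressed as JSON.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "my-service", "namespace": "default"},
   "spec": {"type": "NodePort",
            "ports": [{"port": 8080, "targetPort": 8070,
                       "nodePort": 31222, "protocol": "TCP"}]}},
  {"metadata": {"name": "metrics", "namespace": "default"},
   "spec": {"type": "NodePort",
            "ports": [{"port": 9100, "nodePort": 30910}]}},
  {"metadata": {"name": "internal-db", "namespace": "default"},
   "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]}}
]}
""")

def node_port_exposure(service_list, node_ips):
    """Return one record per Service port that is opened on the nodes."""
    findings = []
    for svc in service_list.get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        for p in spec.get("ports", []):
            node_port = p.get("nodePort")
            if node_port is None:
                continue  # ClusterIP-only port: not reachable via node IPs
            name = meta.get("name")
            ns = meta.get("namespace", "default")
            findings.append({
                # every node answers on the same nodePort
                "external": [f"{ip}:{node_port}" for ip in node_ips],
                "internal": f"{name}.{ns}.svc.cluster.local:{p['port']}",
                # targetPort falls back to port when omitted
                "target_port": p.get("targetPort", p["port"]),
                "protocol": p.get("protocol", "TCP"),
                "in_default_range": node_port in DEFAULT_NODE_PORT_RANGE,
            })
    return findings

if __name__ == "__main__":
    # Constructed node IPs
    for f in node_port_exposure(SAMPLE, ["10.0.0.11", "10.0.0.12"]):
        print(f)
```

Comparing the "external" list against the firewall or security-group rules for the nodes shows which of these ports are actually reachable from outside the cluster.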