Services and Networking

Introduction

One of my early frustrations with Kubernetes was understanding how applications actually communicate with each other. I had pods running, but how do they find each other when they're constantly being created and destroyed with different IP addresses? How do external users access my services? Why do I need LoadBalancers, Ingress controllers, and Network Policies?

The networking model in Kubernetes initially seemed complex, but once I understood the core concepts—Services provide stable endpoints, Ingress manages external access, and Network Policies enforce security—everything clicked into place. Through deploying microservices architectures and troubleshooting connectivity issues in production, I learned that Kubernetes networking is actually elegant in its design, even if it takes some time to master.

In this article, I'll share what I've learned about Kubernetes networking, from basic Service types to advanced Ingress configurations and Network Policies, with practical examples from real deployments.

Kubernetes Networking Model

Kubernetes networking is built on several key principles that make it work seamlessly.

Networking Principles

Core Requirements:

Pod-to-Pod Communication: All pods can communicate with each other without NAT
Node-to-Pod Communication: Nodes can communicate with all pods without NAT
Pod IP Address: Each pod gets its own unique IP address
No Port Conflicts: Containers share the pod's network namespace

CNI Plugins

Container Network Interface (CNI) plugins implement the Kubernetes network model:

Calico: L3 networking with BGP, Network Policy support
Flannel: Simple overlay network, easy to set up
Cilium: eBPF-based, advanced observability
Weave: Mesh network, encrypts traffic
Canal: Flannel + Calico Network Policies

# Check which CNI plugin is running
kubectl get pods -n kube-system | grep -E 'calico|flannel|cilium|weave'

# View CNI configuration
cat /etc/cni/net.d/*.conf

Service Types and Use Cases

Services provide stable networking for ephemeral pods.

Service Type Decision Tree

ClusterIP Services

ClusterIP is the default Service type, exposing the service on an internal IP address within the cluster.

Basic ClusterIP Service

apiVersion: v1
kind: Service
metadata:
  name: web-app
  namespace: production
  labels:
    app: web-app
spec:
  type: ClusterIP  # Default, can be omitted
  selector:
    app: web-app
    tier: frontend
  ports:
  - name: http
    protocol: TCP
    port: 80        # Service port
    targetPort: 8080  # Container port
  - name: https
    protocol: TCP
    port: 443
    targetPort: 8443
  sessionAffinity: None  # or ClientIP for sticky sessions

# Create service
kubectl apply -f service.yaml

# Get service
kubectl get service web-app

# Describe service
kubectl describe service web-app

# Get endpoints
kubectl get endpoints web-app

# Test service from within cluster
kubectl run -it --rm debug --image=curlimages/curl --restart=Never -- \
  curl http://web-app.production.svc.cluster.local

Session Affinity

apiVersion: v1
kind: Service
metadata:
  name: web-app
spec:
  type: ClusterIP
  selector:
    app: web-app
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800  # 3 hours
  ports:
  - port: 80
    targetPort: 8080

Multi-Port Services

apiVersion: v1
kind: Service
metadata:
  name: multi-port-service
spec:
  selector:
    app: my-app
  ports:
  - name: http
    port: 80
    targetPort: 8080
    protocol: TCP
  - name: https
    port: 443
    targetPort: 8443
    protocol: TCP
  - name: metrics
    port: 9090
    targetPort: 9090
    protocol: TCP
  - name: grpc
    port: 50051
    targetPort: 50051
    protocol: TCP

Named Ports

# Deployment with named ports
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
spec:
  selector:
    matchLabels:
      app: web-app
  template:
    metadata:
      labels:
        app: web-app
    spec:
      containers:
      - name: web
        image: myapp:1.0
        ports:
        - name: http
          containerPort: 8080
        - name: metrics
          containerPort: 9090

---
# Service using named ports
apiVersion: v1
kind: Service
metadata:
  name: web-app
spec:
  selector:
    app: web-app
  ports:
  - name: http
    port: 80
    targetPort: http  # References named port
  - name: metrics
    port: 9090
    targetPort: metrics  # References named port

NodePort Services

NodePort exposes the service on each node's IP at a static port.

NodePort Service Example

apiVersion: v1
kind: Service
metadata:
  name: web-app-nodeport
spec:
  type: NodePort
  selector:
    app: web-app
  ports:
  - port: 80          # Service port
    targetPort: 8080  # Container port
    nodePort: 30080   # Port on each node (30000-32767)
    protocol: TCP

# Create NodePort service
kubectl apply -f nodeport-service.yaml

# Get service
kubectl get service web-app-nodeport

# Access service
# If using Minikube:
minikube service web-app-nodeport

# Or get node IP and access directly:
NODE_IP=$(kubectl get nodes -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}')
curl http://$NODE_IP:30080

NodePort with Custom Range

# API server configuration to allow custom NodePort range
# /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
  - command:
    - kube-apiserver
    - --service-node-port-range=30000-40000  # Custom range

NodePort Best Practices

apiVersion: v1
kind: Service
metadata:
  name: web-app-nodeport
  annotations:
    # Document the NodePort usage
    description: "External access for web application"
spec:
  type: NodePort
  selector:
    app: web-app
  # Specify nodePort for consistency across environments
  ports:
  - name: http
    port: 80
    targetPort: 8080
    nodePort: 30080
  # Use session affinity if needed
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800

LoadBalancer Services

LoadBalancer creates an external load balancer (in supported cloud environments).

LoadBalancer Service Example

apiVersion: v1
kind: Service
metadata:
  name: web-app-lb
  annotations:
    # AWS annotations
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    
    # GCP annotations
    cloud.google.com/load-balancer-type: "Internal"
    
    # Azure annotations
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    app: web-app
  ports:
  - name: http
    port: 80
    targetPort: 8080
    protocol: TCP
  - name: https
    port: 443
    targetPort: 8443
    protocol: TCP
  
  # Restrict load balancer source IPs
  loadBalancerSourceRanges:
  - 10.0.0.0/8
  - 172.16.0.0/12
  
  # Preserve client source IP
  externalTrafficPolicy: Local  # or Cluster (default)
  
  # Health check node port (with Local traffic policy)
  healthCheckNodePort: 32000

# Create LoadBalancer service
kubectl apply -f loadbalancer-service.yaml

# Get service (wait for EXTERNAL-IP)
kubectl get service web-app-lb --watch

# Get external IP
EXTERNAL_IP=$(kubectl get service web-app-lb -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
curl http://$EXTERNAL_IP

AWS Load Balancer Controller

apiVersion: v1
kind: Service
metadata:
  name: web-app-nlb
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    service.beta.kubernetes.io/aws-load-balancer-attributes: load_balancing.cross_zone.enabled=true
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: HTTP
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /health
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "30"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout: "5"
    service.beta.kubernetes.io/aws-load-balancer-healthy-threshold: "2"
    service.beta.kubernetes.io/aws-load-balancer-unhealthy-threshold: "2"
spec:
  type: LoadBalancer
  selector:
    app: web-app
  ports:
  - port: 80
    targetPort: 8080

MetalLB for Bare Metal

# MetalLB configuration for on-premise clusters
apiVersion: v1
kind: ConfigMap
metadata:
  name: config
  namespace: metallb-system
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 192.168.1.240-192.168.1.250

---
apiVersion: v1
kind: Service
metadata:
  name: web-app-lb
  annotations:
    metallb.universe.tf/address-pool: default
spec:
  type: LoadBalancer
  selector:
    app: web-app
  ports:
  - port: 80
    targetPort: 8080

ExternalName Services

ExternalName services map a service to a DNS name.

ExternalName Example

apiVersion: v1
kind: Service
metadata:
  name: external-database
  namespace: production
spec:
  type: ExternalName
  externalName: database.example.com
  ports:
  - port: 5432

# Applications can now connect to:
# external-database.production.svc.cluster.local:5432
# Which resolves to database.example.com

External Service with Endpoints

For external services that need more control than ExternalName:

# Service without selector
apiVersion: v1
kind: Service
metadata:
  name: external-api
spec:
  ports:
  - port: 443
    targetPort: 443
    protocol: TCP

---
# Manual endpoints
apiVersion: v1
kind: Endpoints
metadata:
  name: external-api
subsets:
- addresses:
  - ip: 203.0.113.10
  - ip: 203.0.113.11
  ports:
  - port: 443
    protocol: TCP

Headless Services

Headless services don't have a ClusterIP and return pod IPs directly.

Headless Service Example

apiVersion: v1
kind: Service
metadata:
  name: postgres
spec:
  clusterIP: None  # Makes it headless
  selector:
    app: postgres
  ports:
  - port: 5432
    targetPort: 5432

---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
spec:
  serviceName: postgres  # Must match headless service name
  replicas: 3
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
      - name: postgres
        image: postgres:14
        ports:
        - containerPort: 5432

# DNS returns individual pod IPs
# postgres-0.postgres.default.svc.cluster.local
# postgres-1.postgres.default.svc.cluster.local
# postgres-2.postgres.default.svc.cluster.local

# Test DNS resolution
kubectl run -it --rm debug --image=busybox --restart=Never -- \
  nslookup postgres.default.svc.cluster.local

Ingress Controllers

Ingress provides HTTP/HTTPS routing to services based on rules.

Ingress Architecture

Installing NGINX Ingress Controller

# Install NGINX Ingress Controller
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/cloud/deploy.yaml

# For bare metal
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/baremetal/deploy.yaml

# Verify installation
kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx

# Wait for external IP
kubectl get svc ingress-nginx-controller -n ingress-nginx --watch

Alternative Ingress Controllers

Traefik:

helm repo add traefik https://traefik.github.io/charts
helm install traefik traefik/traefik -n traefik --create-namespace

HAProxy:

helm repo add haproxytech https://haproxytech.github.io/helm-charts
helm install haproxy haproxytech/kubernetes-ingress

Contour:

kubectl apply -f https://projectcontour.io/quickstart/contour.yaml

Ingress Resources

Ingress resources define routing rules.

Basic Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-app
            port:
              number: 80

Advanced Ingress with Multiple Hosts

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-host-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "30"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  
  tls:
  - hosts:
    - myapp.example.com
    - api.example.com
    secretName: example-com-tls
  
  rules:
  # Frontend application
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend
            port:
              number: 80
  
  # API service
  - host: api.example.com
    http:
      paths:
      - path: /v1
        pathType: Prefix
        backend:
          service:
            name: api-v1
            port:
              number: 8080
      - path: /v2
        pathType: Prefix
        backend:
          service:
            name: api-v2
            port:
              number: 8080

Path-Based Routing

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: path-based-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      paths:
      # /app1/* -> app1-service
      - path: /app1(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              number: 80
      
      # /app2/* -> app2-service
      - path: /app2(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              number: 80
      
      # /api/* -> api-service
      - path: /api(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080

TLS/SSL Configuration

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-protocols: "TLSv1.2 TLSv1.3"
    nginx.ingress.kubernetes.io/ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - secure.example.com
    secretName: secure-example-tls
  rules:
  - host: secure.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: secure-app
            port:
              number: 80

Rate Limiting and Auth

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: protected-ingress
  annotations:
    # Rate limiting
    nginx.ingress.kubernetes.io/limit-rps: "10"
    nginx.ingress.kubernetes.io/limit-rpm: "100"
    
    # Basic auth
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
    
    # Whitelist IPs
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,172.16.0.0/12"
    
    # CORS
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://example.com"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE"
    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent"
spec:
  ingressClassName: nginx
  rules:
  - host: protected.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: protected-app
            port:
              number: 80

DNS and Service Discovery

Kubernetes provides automatic DNS for services and pods.

DNS Records

# Service DNS format:
# <service-name>.<namespace>.svc.<cluster-domain>

# Examples:
web-app.production.svc.cluster.local
postgres.database.svc.cluster.local
api.default.svc.cluster.local

# Short forms (from same namespace):
web-app
web-app.production
web-app.production.svc

# Pod DNS format:
# <pod-ip-with-dashes>.<namespace>.pod.<cluster-domain>
10-244-1-5.production.pod.cluster.local

# StatefulSet pod DNS:
# <pod-name>.<service-name>.<namespace>.svc.<cluster-domain>
postgres-0.postgres.database.svc.cluster.local

CoreDNS Configuration

apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health {
           lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
           pods insecure
           fallthrough in-addr.arpa ip6.arpa
           ttl 30
        }
        prometheus :9153
        forward . /etc/resolv.conf {
           max_concurrent 1000
        }
        cache 30
        loop
        reload
        loadbalance
    }
    
    # Custom domain
    example.com:53 {
        errors
        cache 30
        forward . 8.8.8.8 8.8.4.4
    }

Testing DNS Resolution

apiVersion: v1
kind: Pod
metadata:
  name: dns-test
spec:
  containers:
  - name: dns-test
    image: tutum/dnsutils
    command:
    - sleep
    - "infinity"

# Run DNS tests
kubectl exec -it dns-test -- nslookup web-app.production.svc.cluster.local
kubectl exec -it dns-test -- dig web-app.production.svc.cluster.local
kubectl exec -it dns-test -- host web-app.production.svc.cluster.local

# Test service discovery
kubectl exec -it dns-test -- curl http://web-app.production.svc.cluster.local

Custom DNS Configuration

apiVersion: v1
kind: Pod
metadata:
  name: custom-dns
spec:
  # Custom DNS settings
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
    - 8.8.8.8
    - 8.8.4.4
    searches:
    - production.svc.cluster.local
    - svc.cluster.local
    - cluster.local
    options:
    - name: ndots
      value: "2"
    - name: timeout
      value: "2"
  containers:
  - name: app
    image: myapp:1.0

Network Policies

Network Policies control traffic between pods and services.

Default Deny All Traffic

# Deny all ingress traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}  # Applies to all pods
  policyTypes:
  - Ingress

---
# Deny all egress traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress

Allow Specific Traffic

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-app-network-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: web-app
      tier: frontend
  
  policyTypes:
  - Ingress
  - Egress
  
  ingress:
  # Allow from ingress controller
  - from:
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
    ports:
    - protocol: TCP
      port: 8080
  
  # Allow from same namespace
  - from:
    - podSelector:
        matchLabels:
          tier: frontend
  
  egress:
  # Allow to backend services
  - to:
    - podSelector:
        matchLabels:
          tier: backend
    ports:
    - protocol: TCP
      port: 8080
  
  # Allow to database
  - to:
    - namespaceSelector:
        matchLabels:
          name: database
      podSelector:
        matchLabels:
          app: postgres
    ports:
    - protocol: TCP
      port: 5432
  
  # Allow DNS
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
  
  # Allow HTTPS to external services
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: TCP
      port: 443

Database Network Policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: postgres-network-policy
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  
  policyTypes:
  - Ingress
  
  ingress:
  # Only allow from backend services
  - from:
    - namespaceSelector:
        matchLabels:
          name: production
      podSelector:
        matchLabels:
          tier: backend
    ports:
    - protocol: TCP
      port: 5432

IP Block Rules

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ip-block-policy
spec:
  podSelector:
    matchLabels:
      app: web-app
  
  ingress:
  # Allow from specific IP ranges
  - from:
    - ipBlock:
        cidr: 10.0.0.0/8
        except:
        - 10.1.0.0/16  # Exclude this subnet
    ports:
    - protocol: TCP
      port: 8080

Troubleshooting Network Issues

Debugging Network Connectivity

# Deploy debug pod
kubectl run debug --image=nicolaka/netshoot -it --rm --restart=Never -- bash

# Inside debug pod:
# Test DNS
nslookup web-app.production.svc.cluster.local
dig web-app.production.svc.cluster.local

# Test connectivity
ping <pod-ip>
curl http://web-app.production.svc.cluster.local
telnet web-app.production.svc.cluster.local 80

# Trace route
traceroute <service-ip>

# Network tools
netstat -an
ss -tulpn
ip addr
ip route

Check Service Endpoints

# Verify service has endpoints
kubectl get endpoints web-app

# If no endpoints, check:
# 1. Pod labels match service selector
kubectl get pods --show-labels
kubectl get service web-app -o yaml | grep selector

# 2. Pods are running and ready
kubectl get pods -l app=web-app

# 3. Container port matches targetPort
kubectl get pods -l app=web-app -o yaml | grep containerPort

Verify Network Policies

# Get network policies
kubectl get networkpolicies

# Describe policy
kubectl describe networkpolicy web-app-network-policy

# Test if policy is blocking traffic
# Temporarily delete policy and test
kubectl delete networkpolicy web-app-network-policy
# Run connectivity test
# Recreate policy
kubectl apply -f network-policy.yaml

CNI Plugin Issues

# Check CNI pods
kubectl get pods -n kube-system | grep -E 'calico|flannel|cilium'

# Check CNI logs
kubectl logs -n kube-system <cni-pod-name>

# Verify pod network CIDR
kubectl cluster-info dump | grep -i cidr

# Check node networking
kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}'

Service Communication Test Script

#!/bin/bash
# test-service-connectivity.sh

SERVICE_NAME=$1
NAMESPACE=${2:-default}

echo "Testing service: $SERVICE_NAME in namespace: $NAMESPACE"

# Get service info
kubectl get service $SERVICE_NAME -n $NAMESPACE

# Get endpoints
echo -e "\nEndpoints:"
kubectl get endpoints $SERVICE_NAME -n $NAMESPACE

# Test DNS resolution
echo -e "\nDNS Resolution:"
kubectl run dns-test --image=busybox --rm -it --restart=Never -- \
  nslookup $SERVICE_NAME.$NAMESPACE.svc.cluster.local

# Test connectivity
echo -e "\nConnectivity Test:"
SERVICE_IP=$(kubectl get service $SERVICE_NAME -n $NAMESPACE -o jsonpath='{.spec.clusterIP}')
SERVICE_PORT=$(kubectl get service $SERVICE_NAME -n $NAMESPACE -o jsonpath='{.spec.ports[0].port}')

kubectl run curl-test --image=curlimages/curl --rm -it --restart=Never -- \
  curl -v http://$SERVICE_IP:$SERVICE_PORT

What I Learned

Mastering Kubernetes networking transformed my ability to build reliable, secure microservices:

Services Are the Foundation: Understanding that Services provide stable endpoints for ephemeral pods was my first "aha" moment. Pods come and go, but Services remain constant. Design with Services from the start.

Choose the Right Service Type: ClusterIP for internal services, LoadBalancer for cloud environments, NodePort sparingly (mainly for debugging), and Ingress for HTTP/HTTPS routing. Each has its place.

Ingress Controllers Are Powerful: Initially, I underestimated Ingress controllers. They're not just reverse proxies—they provide TLS termination, path-based routing, rate limiting, authentication, and much more. Learn your Ingress controller's annotations.

Network Policies Are Security: Don't run production without Network Policies. Start with default-deny and explicitly allow required traffic. This defense-in-depth approach has caught many potential issues.

DNS Just Works: Kubernetes DNS is incredibly reliable. Trust it, use Service names instead of IPs, and leverage the automatic DNS records for service discovery.

Debugging Takes Practice: Network issues can be frustrating, but systematic debugging—checking endpoints, testing DNS, verifying policies, examining CNI logs—always leads to the answer.

External Access Needs Planning: How external users access your services depends heavily on your environment (cloud vs on-premise) and requirements (HTTP vs TCP, TLS termination, etc.). Design your ingress strategy early.

Kubernetes networking seems complex at first, but it's built on solid principles that make sense once you understand them. With Services, Ingress, and Network Policies, you can build secure, scalable applications that communicate reliably. In the next articles, we'll explore how to configure these applications and add persistent storage.

PreviousPods and Workloads NextConfiguration and Secrets

Last updated 1 month ago

hashtagIntroduction

hashtagTable of Contents

hashtagKubernetes Networking Model

hashtagNetworking Principles

hashtagCNI Plugins

hashtagService Types and Use Cases

hashtagService Type Decision Tree

hashtagClusterIP Services

hashtagBasic ClusterIP Service

hashtagSession Affinity

hashtagMulti-Port Services

hashtagNamed Ports

hashtagNodePort Services

hashtagNodePort Service Example

hashtagNodePort with Custom Range

hashtagNodePort Best Practices

hashtagLoadBalancer Services

hashtagLoadBalancer Service Example

hashtagAWS Load Balancer Controller

hashtagMetalLB for Bare Metal

hashtagExternalName Services

hashtagExternalName Example

hashtagExternal Service with Endpoints

hashtagHeadless Services

hashtagHeadless Service Example

hashtagIngress Controllers

hashtagIngress Architecture

hashtagInstalling NGINX Ingress Controller

hashtagAlternative Ingress Controllers

hashtagIngress Resources

hashtagBasic Ingress

hashtagAdvanced Ingress with Multiple Hosts

hashtagPath-Based Routing

hashtagTLS/SSL Configuration

hashtagRate Limiting and Auth

hashtagDNS and Service Discovery

hashtagDNS Records

hashtagCoreDNS Configuration

hashtagTesting DNS Resolution

hashtagCustom DNS Configuration

hashtagNetwork Policies

hashtagDefault Deny All Traffic

hashtagAllow Specific Traffic

hashtagDatabase Network Policy

hashtagIP Block Rules

hashtagTroubleshooting Network Issues

hashtagDebugging Network Connectivity

hashtagCheck Service Endpoints

hashtagVerify Network Policies

hashtagCNI Plugin Issues

hashtagService Communication Test Script

hashtagWhat I Learned