# Services & Networking
Pods get ephemeral IPs that change on restart. Services provide a stable endpoint backed by a selector.
## Service Types

### ClusterIP (default)
Internal-only virtual IP. Only reachable within the cluster.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: backend
spec:
  selector:
    app: backend
  ports:
    - port: 80          # port clients connect to on the Service IP
      targetPort: 8080  # port the backend container listens on
```
### NodePort
Exposes the service on each node's IP at a static port (30000–32767).

### LoadBalancer
Provisions a cloud load balancer. Implies NodePort + ClusterIP.

### ExternalName
DNS alias to an external FQDN — no proxying, just CNAME.
## Ingress
An Ingress manages external HTTP/HTTPS routing to multiple Services. An Ingress Controller (nginx, Traefik, HAProxy) must be installed to process Ingress rules.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 80
```
## DNS in Kubernetes
CoreDNS runs in `kube-system` and resolves two kinds of names:

- `<service>.<namespace>.svc.cluster.local` for Services
- `<pod-ip-with-dashes>.<namespace>.pod.cluster.local` for Pods (the dots in the IP are replaced by dashes, e.g. `10-244-1-5`)

From within the same namespace, just `<service>` works.
## Network Policies
By default, all pods can talk to all pods. NetworkPolicy restricts this:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}     # selects every pod in the namespace
  policyTypes:        # no ingress/egress rules listed, so both directions are denied
    - Ingress
    - Egress
```
Requires a CNI plugin that enforces policies (Calico, Cilium, Weave).
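A default-deny policy on its own also blocks the Pods' DNS lookups, so it is normally paired with an allow policy. The following is an added example, not part of the original page: it admits traffic to the `app: backend` Pods only from `app: frontend` Pods on the container port 8080 used by the Service above, and lets those Pods reach CoreDNS in `kube-system`. The `default` namespace and the `k8s-app: kube-dns` label on the CoreDNS Pods are assumptions (that label is what common distributions use; check yours with `kubectl -n kube-system get pods --show-labels`).

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-frontend-and-dns
  namespace: default            # assumption: app runs in the default namespace
spec:
  podSelector:
    matchLabels:
      app: backend               # policy applies to the backend Pods only
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend      # only frontend Pods in this namespace
      ports:
        - protocol: TCP
          port: 8080             # the Service's targetPort above
  egress:
    - to:
        # namespaceSelector and podSelector in the same entry are ANDed:
        # CoreDNS Pods in kube-system, nothing else
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns  # assumption: label of the CoreDNS Pods
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Because the deny-all policy and this one both select the backend Pods, their rules are unioned: anything not explicitly allowed here stays blocked.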
## CNI (Container Network Interface)
CNI plugins handle Pod networking:
| Plugin | Notable features |
|---|---|
| Flannel | Simple overlay, L3 routing |
| Calico | NetworkPolicy support, BGP routing |
| Cilium | eBPF-based, L7 visibility |
| Weave | Mesh networking, encryption |
## Summary
- Services abstract Pod IPs into stable endpoints
- ClusterIP → internal; NodePort → node-level; LoadBalancer → cloud LB
- Ingress routes external HTTP traffic via an Ingress Controller
- CoreDNS provides DNS resolution; NetworkPolicy restricts traffic