Networking
Understanding Kubernetes networking: Services, Ingress, DNS, and network policies for secure communication.
Services
Services provide stable networking endpoints for ephemeral pods. They abstract away pod IPs and provide load balancing.
ClusterIP (Default)
Exposes service on cluster-internal IP
Use Cases
- Internal microservice communication
- Database access
- Backend services
Characteristics
- Not accessible from outside the cluster
- Most common type
- Uses internal DNS
NodePort
Exposes service on each node's IP at a static port
Use Cases
- Development/testing
- Direct node access needed
- Legacy applications
Characteristics
- Port range: 30000-32767
- Accessible via any node IP
- Less secure than LoadBalancer: the port is opened on every node's IP, so the service is reachable from anywhere that can reach a node
LoadBalancer
Creates external load balancer (cloud provider)
Use Cases
- Production web apps
- Public APIs
- External traffic
Characteristics
- Cloud provider integration
- External IP assignment
- Production-grade
ExternalName
Maps service to external DNS name
Use Cases
- External database
- Third-party APIs
- Migration scenarios
Characteristics
- CNAME DNS record returned by cluster DNS
- No proxying: clients connect directly to the external host
- Simple redirection
Ingress
Ingress manages external HTTP/HTTPS access to services, providing routing rules, SSL/TLS termination, and name-based virtual hosting.
Key Features
- Path-based routing: Route /api to api-service, /web to web-service
- Host-based routing: Route api.example.com vs www.example.com to different services
- SSL/TLS termination: Handle HTTPS at ingress level
- URL rewriting: Modify paths before forwarding
- Authentication: Basic auth, OAuth integration
- Rate limiting: Protect services from abuse
Popular Ingress Controllers
NGINX Ingress
Most popular, feature-rich, production-proven
Traefik
Modern, automatic service discovery, built-in dashboard
HAProxy Ingress
High performance, enterprise features
Istio Gateway
Service mesh integration, advanced traffic management
Network Policies
Network policies control traffic flow between pods at the IP address or port level, implementing a firewall for your cluster.
Policy Types
- Ingress policies: Control incoming traffic to pods
- Egress policies: Control outgoing traffic from pods
- Pod selector: Target specific pods by labels
- Namespace selector: Allow/deny traffic from specific namespaces
- IP blocks: Allow/deny traffic from CIDR ranges
Security Best Practices
- Default deny: Start with deny-all policy, then explicitly allow needed traffic
- Namespace isolation: Prevent cross-namespace communication by default
- Least privilege: Only allow necessary connections
- CNI requirement: Requires a CNI plugin that supports NetworkPolicy (Calico, Cilium, Weave); on a plugin without support, policy objects are accepted but not enforced
DNS in Kubernetes
CoreDNS
CoreDNS provides cluster DNS service, enabling service discovery via DNS names.
DNS Resolution Patterns:
- service-name → resolves within the same namespace
- service-name.namespace → service in a specific namespace
- service-name.namespace.svc.cluster.local → FQDN (cluster.local is the default cluster domain)
- pod-ip-with-dashes.namespace.pod.cluster.local → pod DNS (dots in the IP replaced by dashes, e.g. 10-244-1-5)
Pods automatically use cluster DNS for service discovery, making inter-service communication simple and reliable.
Key Takeaways
- Services provide stable endpoints for dynamic pod IPs with built-in load balancing
- Ingress controllers manage external HTTP/HTTPS access with SSL/TLS and routing
- Network policies implement pod-level firewall rules for zero-trust security
- CoreDNS enables automatic service discovery via standard DNS queries
- Choose the right service type and ingress controller for your use case