
Services & Networking

Expose applications with Kubernetes services — ClusterIP, NodePort, LoadBalancer, Ingress, and network policies for secure communication.

Service Types

Services provide stable network endpoints for pods. ClusterIP (default) exposes the service on an internal IP — reachable only within the cluster. NodePort exposes on each node IP at a static port. LoadBalancer provisions an external load balancer in cloud environments.

Services use selectors to match pod labels. Traffic to a service IP is load-balanced across matching pods by kube-proxy.

  • ClusterIP is for internal communication between services
  • NodePort exposes on ports 30000-32767 by default
  • LoadBalancer requires cloud provider integration (EKS, GKE, AKS)

apiVersion: v1
kind: Service
metadata:
  name: web-service
spec:
  type: ClusterIP
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 3000

Service Discovery

Pods discover services via DNS. Kubernetes DNS (CoreDNS) creates records: service-name.namespace.svc.cluster.local. Short names work within the same namespace — curl http://api reaches the api service.

Environment variables are also injected but DNS is preferred. Headless services (clusterIP: None) return individual pod IPs for direct pod-to-pod communication.

# DNS resolution within cluster
# Full: web-service.default.svc.cluster.local
# Same namespace: web-service
# Cross-namespace: api.staging.svc.cluster.local

# Headless service for StatefulSets (completed into a full manifest here;
# the service name is assumed). With clusterIP: None, DNS returns the
# matching pods' own IPs instead of a virtual service IP.
apiVersion: v1
kind: Service
metadata:
  name: database
spec:
  clusterIP: None
  selector:
    app: database

Ingress

Ingress routes external HTTP/HTTPS traffic to services based on host and path rules. An Ingress controller (nginx, Traefik, AWS ALB) implements the rules. Ingress handles TLS termination, path-based routing, and virtual hosts.

A single Ingress controller, exposed through one LoadBalancer, replaces multiple LoadBalancer services — reducing cost and simplifying external access management.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-service
                port:
                  number: 80
  tls:
    - hosts: [app.example.com]
      secretName: tls-secret

Network Policies

NetworkPolicy controls traffic between pods. By default, all pods can communicate. Policies restrict ingress and egress by pod labels, namespaces, and IP blocks.

Implement default-deny policies and explicitly allow required traffic. This limits blast radius if a pod is compromised.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-policy
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web
      ports:
        - port: 3000
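Added example, not from the original page: the default-deny baseline the text recommends, together with the egress rule that keeps name resolution working (the prod namespace is assumed). Listing Egress in policyTypes with no egress rules, as api-policy above does, already blocks all egress from the selected pods, DNS included, which is the case the second policy covers.

```yaml
# Namespace-wide default deny: selects every pod in the namespace and
# permits nothing. Policies are additive, so later policies only open
# what they list. Enforcement needs a CNI plugin that implements
# NetworkPolicy (Calico, Cilium, ...); without one the API accepts the
# object but nothing is blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: prod            # assumed namespace
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Once egress is denied, pods can no longer resolve service names.
# Re-allow DNS to CoreDNS in kube-system only; every other egress
# (for example web -> api:3000) is added per workload.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: prod
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply both with kubectl apply -f and confirm from a debug pod that nslookup still works while a direct curl to an unlisted service times out.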

Debugging Networking

Debug connectivity with kubectl exec and curl from inside pods. Check service endpoints with kubectl get endpoints. Verify DNS with nslookup from a debug pod.

Common issues: selector mismatch (service finds no pods), port mismatch (targetPort vs containerPort), and network policies blocking traffic.

# From your workstation: start a throwaway pod with networking tools
kubectl run debug --rm -it --image=nicolaka/netshoot -- sh
# Inside the debug pod (same namespace as web-service):
nslookup web-service
curl http://web-service:80/health
# Back on the workstation: an empty ENDPOINTS column means the selector
# matched no ready pods
kubectl get endpoints web-service
