Kubernetes Networking

Kubernetes networking connects Pods, Services, and external users through a layered model. The key is to separate internal service discovery from external traffic entry and security boundaries.

Practice path: The Kubernetes Deep Dive: Minikube to AKS/EKS shows how local ingress and managed cloud load balancers differ in real deployments.

Networking layers

  • Pod network: Every Pod receives an IP address from the cluster network.
  • Service network: Services provide stable virtual IPs and load balancing for Pods selected by labels.
  • Ingress or Gateway: HTTP routing from outside the cluster to internal Services.
  • NetworkPolicy: Namespace- and label-based allow rules that restrict east-west (Pod-to-Pod) traffic.
  • Cloud load balancer: Managed Kubernetes platforms map Services or ingress controllers to provider load balancers.

Service types

  • ClusterIP: Internal-only service discovery for most app-to-app communication.
  • NodePort: Opens a port on each node; useful for limited cases and often hidden behind another load balancer.
  • LoadBalancer: Asks the cloud provider to create an external load balancer.
  • ExternalName: Creates a DNS alias to an external service.

Ingress and Gateway patterns

Use Ingress or Gateway resources when many HTTP routes need shared TLS termination, host/path routing, and centralized edge controls. Standardize controller choice early, because annotations, load balancer behavior, and TLS integration vary by provider.

Network policy baseline

Start with a default-deny posture for sensitive namespaces, then explicitly allow:

  • ingress from approved frontend, gateway, or job namespaces
  • egress to required APIs, databases, DNS, and observability endpoints
  • platform traffic required for health checks and metrics scraping
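The baseline above as three NetworkPolicy manifests, added here as an example rather than taken from the original page. The namespace `payments`, the Pod label `app: api`, the `frontend` and `monitoring` namespace names and the ports are assumed; `kubernetes.io/metadata.name` is the label Kubernetes sets on every namespace in current versions.

```yaml
# Default-deny: empty podSelector selects every Pod; both policyTypes isolate ingress and egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments                     # assumed namespace name
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# DNS egress for every Pod; without it, Service names stop resolving once egress is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: payments
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
  - to:
    - namespaceSelector:
        matchLabels: {kubernetes.io/metadata.name: kube-system}
      podSelector:
        matchLabels: {k8s-app: kube-dns}  # CoreDNS label in common distributions; verify with --show-labels
    ports:
    - {protocol: UDP, port: 53}
    - {protocol: TCP, port: 53}
---
# API Pods accept only frontend traffic on the app port and monitoring scrapes on the metrics port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-ingress
  namespace: payments
spec:
  podSelector:
    matchLabels: {app: api}               # assumed Pod label
  policyTypes: [Ingress]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels: {kubernetes.io/metadata.name: frontend}
    ports:
    - {protocol: TCP, port: 8080}
  - from:
    - namespaceSelector:
        matchLabels: {kubernetes.io/metadata.name: monitoring}
    ports:
    - {protocol: TCP, port: 9090}
```

Apply the default-deny last in a rollout, after the allow rules exist, and remember that NetworkPolicy is only enforced when the cluster's CNI plugin supports it.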

Troubleshooting checklist

  1. Confirm Pod readiness and labels.
  2. Confirm Service selectors match Pod labels.
  3. Test DNS resolution from a debug Pod.
  4. Check ingress controller events and cloud load balancer status.
  5. Review NetworkPolicy objects when traffic works in one namespace but not another.