Networking
Services, Ingress, Network Policies, and networking configuration for pod communication and external access.
Services
Service Types
ClusterIP Service
---
# ClusterIP is the default Service type: the Service gets a cluster-internal
# virtual IP and DNS name and is not reachable from outside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: backend-service
spec:
  type: ClusterIP
  selector:
    app: backend
  ports:
    - port: 80          # port clients use on the Service IP
      targetPort: 8080  # container port on the selected pods
      protocol: TCP
NodePort Service
---
# NodePort opens the given port on EVERY node's IP (also on nodes that run no
# matching pod). Treat it as an externally reachable listener: firewall the
# node-port range at the network edge unless external access is intended.
apiVersion: v1
kind: Service
metadata:
  name: nodeport-service
spec:
  type: NodePort
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
      nodePort: 30080   # must lie in the cluster's node-port range (default 30000-32767)
      protocol: TCP
LoadBalancer Service
---
# LoadBalancer asks the cloud provider for an external load balancer in front
# of a NodePort-style Service.
apiVersion: v1
kind: Service
metadata:
  name: loadbalancer-service
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
  # Source allowlist for the external endpoint. Enforcement is done by the
  # cloud provider / data plane, so confirm your provider honors this field
  # before relying on it as the only access control.
  loadBalancerSourceRanges:
    - 192.168.1.0/24
ExternalName Service
---
# ExternalName publishes a DNS CNAME to an external hostname; nothing is
# proxied, pods connect to the external host directly (egress NetworkPolicies
# still apply). Note that clients see a different hostname than the one the
# CNAME points at, which can break HTTP Host / TLS hostname checks.
apiVersion: v1
kind: Service
metadata:
  name: external-service
spec:
  type: ExternalName
  externalName: external-database.example.com  # a DNS name, not a URL or IP
  ports:
    - port: 5432
Service Operations
# Create a Service directly (no Deployment needed); --tcp is <port>:<targetPort>
kubectl create service clusterip my-service --tcp=80:8080
kubectl create service nodeport my-service --tcp=80:8080 --node-port=30080
kubectl create service loadbalancer my-service --tcp=80:8080

# Expose an existing Deployment as a Service (selector is taken from the Deployment)
kubectl expose deployment nginx --target-port=8080 --port=80
kubectl expose deployment nginx --port=80 --type=NodePort

# List Services ("svc" is the short name)
kubectl get services
kubectl get svc
kubectl get svc --output=wide

# Show a Service's selector, ports, endpoints and events
kubectl describe svc service-name

# List the pod IP:port pairs behind a Service ("ep" is the short name)
kubectl get ep service-name

# Delete a Service
kubectl delete svc service-name
Multi-Port Service
---
# A Service with more than one port must give every port a name; the names
# are also what Ingress/monitoring resources refer to.
apiVersion: v1
kind: Service
metadata:
  name: multi-port-service
spec:
  selector:
    app: multi-app
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
    - name: https
      port: 443
      targetPort: 8443
      protocol: TCP
    - name: metrics   # exposed on the same cluster IP as the app traffic
      port: 9090
      targetPort: 9090
      protocol: TCP
Headless Service
---
# Headless Service: no virtual IP is allocated, so the DNS name resolves to the
# individual pod IPs and clients connect to pods directly (no kube-proxy
# load balancing). Typical for StatefulSet-backed databases.
apiVersion: v1
kind: Service
metadata:
  name: headless-service
spec:
  clusterIP: None
  selector:
    app: database
  ports:
    - port: 5432
      targetPort: 5432
Ingress
Basic Ingress
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: basic-ingress
  annotations:
    # ingress-nginx specific; with path "/" this rewrite is effectively a no-op.
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  # Set spec.ingressClassName when more than one controller is installed,
  # otherwise the Ingress may not be picked up at all.
  rules:
    - host: example.com   # requests for other hosts are not matched by this rule
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-service
                port:
                  number: 80
Multi-Path Ingress
---
# One Ingress routing two hosts; the api host fans out by path prefix.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-path-ingress
spec:
  rules:
    - host: api.example.com
      http:
        paths:
          # Prefix matching is per path element: /v1 matches /v1 and /v1/...
          # but not /v10. Controllers generally prefer the longest match.
          - path: /v1
            pathType: Prefix
            backend:
              service:
                name: api-v1-service
                port:
                  number: 80
          - path: /v2
            pathType: Prefix
            backend:
              service:
                name: api-v2-service
                port:
                  number: 80
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: frontend-service
                port:
                  number: 80
TLS Ingress
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  # TLS terminates at the ingress controller. secretName must be a
  # kubernetes.io/tls Secret in the same namespace as this Ingress, holding a
  # certificate valid for every host listed.
  tls:
    - hosts:
        - secure.example.com
      secretName: tls-secret
  rules:
    - host: secure.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: secure-service
                port:
                  # Backend port 443 implies re-encryption to the pod; most
                  # controllers still speak plain HTTP to the backend unless
                  # told otherwise (ingress-nginx: backend-protocol annotation).
                  number: 443
Ingress with Annotations
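---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: annotated-ingress
  annotations:
    # Capture group 2 of the path regex below becomes the upstream path,
    # so /api/foo is forwarded to the backend as /foo.
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'   # force HTTP -> HTTPS
    nginx.ingress.kubernetes.io/use-regex: 'true'
    # NOTE(review): verify this annotation against the ingress-nginx docs; the
    # documented rate-limiting annotations are limit-rps, limit-rpm and
    # limit-connections. An unknown annotation is silently ignored.
    nginx.ingress.kubernetes.io/rate-limit: '100'
    cert-manager.io/cluster-issuer: 'letsencrypt-prod'  # cert-manager fills api-tls
spec:
  tls:
    - hosts:
        - api.example.com
      secretName: api-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /api(/|$)(.*)
            # Regex paths must use ImplementationSpecific: Prefix/Exact paths are
            # plain URL paths, and recent ingress-nginx releases reject regex
            # characters in them.
            pathType: ImplementationSpecific
            backend:
              service:
                name: api-service
                port:
                  number: 80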
Ingress Operations
# List Ingress resources ("ing" is the short name)
kubectl get ingress
kubectl get ing
kubectl get ing --output=wide

# Show rules, backends, TLS secrets and controller events for one Ingress
kubectl describe ing ingress-name

# Create or update an Ingress from a manifest
kubectl apply -f ingress.yaml

# Delete an Ingress
kubectl delete ing ingress-name

# List the installed ingress classes (values usable in spec.ingressClassName)
kubectl get ingressclasses
Network Policies
Default Deny All
---
# Baseline for a namespace: an empty podSelector selects every pod, and listing
# both policy types with no rules denies all ingress and all egress. This also
# blocks DNS, so pair it with an egress policy that allows port 53. Only
# enforced if the cluster's CNI implements NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
Allow Specific Ingress
---
# Lets app=frontend pods reach app=backend pods on TCP/8080. A podSelector in
# `from` without a namespaceSelector only matches pods in this policy's own
# namespace. Policies are additive: other policies may allow more.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080   # destination port on the backend pods
Allow Specific Egress
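---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-database-egress
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Egress
  egress:
    # Database: only app=database pods in this namespace, on TCP/5432.
    - to:
        - podSelector:
            matchLabels:
              app: database
      ports:
        - protocol: TCP
          port: 5432
    # DNS: an empty `to` list matches every destination. DNS also uses TCP
    # (truncated responses fall back to TCP), so allow both protocols or
    # resolution fails intermittently. To tighten, replace `to: []` with a
    # namespaceSelector/podSelector matching the cluster DNS pods.
    - to: []
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53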
Namespace-based Network Policy
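---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: namespace-policy
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    # Two separate `from` entries are OR-ed: traffic is allowed from ANY pod in
    # the production namespace, OR from role=frontend pods in this namespace.
    # To require both (AND), put namespaceSelector and podSelector in ONE entry.
    - from:
        - namespaceSelector:
            matchLabels:
              # Built-in label set on every namespace by the API server.
              # A custom label such as `name: production` must be added by
              # hand, and a policy keyed on it silently matches nothing until
              # that is done.
              kubernetes.io/metadata.name: production
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 8080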
Complex Network Policy
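---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: complex-policy
spec:
  podSelector:
    matchLabels:
      app: web-app
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # The three `from` entries are OR-ed. ipBlock is intended for
    # cluster-external addresses; matching pod IPs with it is CNI-dependent
    # because many data planes rewrite source addresses.
    - from:
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
              - 172.17.1.0/24   # carved out of the CIDR above
        - namespaceSelector:
            matchLabels:
              project: production
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 5432
    # DNS to any destination (empty `to`). Allow TCP/53 as well as UDP/53:
    # truncated responses fall back to TCP and would otherwise be blocked.
    - to: []
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53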
Network Policy Operations
# List NetworkPolicies ("netpol" is the short name)
kubectl get networkpolicies
kubectl get netpol

# Show selectors and rules of one policy
kubectl describe netpol policy-name

# Create or update a policy from a manifest
kubectl apply -f network-policy.yaml

# Delete a policy
kubectl delete netpol policy-name

# Test connectivity from a throwaway pod. The test pod is itself subject to the
# policies of the namespace it runs in, so run it where the real client lives (-n).
kubectl run test-pod --rm -it --image=busybox -- wget -qO- http://service-name:port
DNS and Service Discovery
DNS Resolution
# Resolve the API server's Service from inside a throwaway pod
kubectl run dns-test --rm -it --image=busybox -- nslookup kubernetes.default

# Resolve a Service by short name (same namespace) and by its full cluster name
kubectl run dns-test --rm -it --image=busybox -- nslookup service-name
kubectl run dns-test --rm -it --image=busybox -- nslookup service-name.namespace.svc.cluster.local

# Resolve an external name (exercises CoreDNS forwarding and egress DNS policy)
kubectl run dns-test --rm -it --image=busybox -- nslookup google.com
CoreDNS Configuration
---
# Cluster DNS configuration as shipped by kubeadm-style installs.
# Notes on the security-relevant directives:
#   - `pods insecure` answers pod-IP-style names without checking that the pod
#     exists; `pods verified` checks the API, `pods disabled` turns it off.
#   - `forward . /etc/resolv.conf` sends every non-cluster name to the node's
#     upstream resolvers.
#   - `loop` stops CoreDNS when a forwarding loop is detected.
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health {
            lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            pods insecure
            fallthrough in-addr.arpa ip6.arpa
            ttl 30
        }
        prometheus :9153
        forward . /etc/resolv.conf {
            max_concurrent 1000
        }
        cache 30
        loop
        reload
        loadbalance
    }
Load Balancing
Service Load Balancing
---
apiVersion: v1
kind: Service
metadata:
  name: load-balanced-service
  annotations:
    # AWS-specific: provision a Network Load Balancer and spread across zones.
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
  # Pin each client IP to one pod for timeoutSeconds of inactivity. Behind a
  # proxy that does not preserve the source address every client looks the
  # same, so confirm the load balancer passes the real client IP.
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 300
  # No loadBalancerSourceRanges here: the listener is open to any source the
  # cloud load balancer accepts.
Ingress Load Balancing
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: load-balanced-ingress
  annotations:
    nginx.ingress.kubernetes.io/load-balance: 'round_robin'
    # NOTE(review): upstream-hash-by (consistent hashing on the URI) and
    # cookie affinity are competing stickiness mechanisms, and per the
    # ingress-nginx docs the hash takes precedence over load-balance. Keep
    # only the mechanism actually intended.
    nginx.ingress.kubernetes.io/upstream-hash-by: '$request_uri'
    nginx.ingress.kubernetes.io/affinity: 'cookie'
    nginx.ingress.kubernetes.io/affinity-mode: 'persistent'
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-service
                port:
                  number: 80
External Services
External Service with Endpoints
---
# A Service with no selector gets no endpoints automatically; the Endpoints
# object below (same name, same namespace) supplies them by hand. Anyone with
# write access to Endpoints can redirect this Service's traffic, so keep that
# RBAC permission tight. Newer clusters prefer EndpointSlice over Endpoints.
apiVersion: v1
kind: Service
metadata:
  name: external-database
spec:
  ports:
    - port: 5432
      targetPort: 5432
---
apiVersion: v1
kind: Endpoints
metadata:
  name: external-database   # must match the Service name
subsets:
  - addresses:
      - ip: 192.168.1.100
      - ip: 192.168.1.101
    ports:
      - port: 5432
External Service with IP
---
# externalIPs makes kube-proxy on every node accept traffic for the listed IP
# and route it to this Service. The field is not validated by the cluster, so
# a Service can claim an address it does not own and intercept traffic to it;
# many clusters block or admission-control externalIPs for that reason.
# (Same name as the ExternalName example above: do not apply both to one
# namespace.)
apiVersion: v1
kind: Service
metadata:
  name: external-service
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 80
  externalIPs:
    - 192.168.1.100
Port Forwarding
Port Forward Commands
# Forward local port 8080 to port 80 of a pod (listens on localhost by default)
kubectl port-forward pod/pod-name 8080:80
# --address=0.0.0.0 listens on every interface of the workstation, so anyone
# who can reach the workstation can use the tunnel; prefer the default
# (localhost) or a specific interface address.
kubectl port-forward pod/pod-name 8080:80 --address=0.0.0.0

# Forward to a Service (kubectl picks one backing pod); "svc" is the short name
kubectl port-forward service/service-name 8080:80
kubectl port-forward svc/service-name 8080:80

# Forward to one pod of a Deployment
kubectl port-forward deployment/deployment-name 8080:80

# Several local:remote pairs in one command
kubectl port-forward pod/pod-name 8080:80 8443:443

# Run in the background (stop it with kill on the job or PID)
kubectl port-forward pod/pod-name 8080:80 &
Troubleshooting Network Issues
Network Debugging Commands
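# Test pod connectivity from a throwaway pod
# (busybox ping may need NET_RAW; if it fails, use the netshoot pod below)
kubectl run test-pod --image=busybox --rm -it -- ping pod-ip
kubectl run test-pod --image=busybox --rm -it -- wget -qO- http://service-name

# Check which pod IP:port pairs back a Service (empty = selector matches nothing)
kubectl get endpoints service-name
kubectl describe endpoints service-name

# Check DNS resolution. busybox ships nslookup but not dig, so the dig check
# uses the netshoot image instead.
kubectl run dns-test --image=busybox --rm -it -- nslookup service-name
kubectl run dns-test --image=nicolaka/netshoot --rm -it -- dig service-name

# Long-lived network troubleshooting pod (delete it when done:
# kubectl delete pod netshoot)
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: netshoot
spec:
  containers:
    - name: netshoot
      image: nicolaka/netshoot
      command: ["/bin/bash"]
      args: ["-c", "while true; do sleep 30; done;"]
EOF

# Access troubleshooting pod
kubectl exec -it netshoot -- bash

# Inside netshoot pod
# Test connectivity: ping, curl, wget, telnet, nmap
# Check DNS: nslookup, dig
# Check routes: ip route, netstat
# Check ports: ss, netstat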
Network Policy Testing
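# Test network policy enforcement (--timeout keeps a blocked request from hanging)
kubectl run policy-test --image=busybox --rm -it -- wget -qO- --timeout=5 http://target-service

# Check if traffic is blocked at the TCP level
# (busybox builds vary; if nc lacks -z, use the nicolaka/netshoot image)
kubectl run blocked-test --image=busybox --rm -it -- nc -zv target-pod-ip target-port

# Allow specific traffic temporarily by giving the source pod a label that a
# policy selector matches. This widens the policy for as long as the label
# exists, so remove it again afterwards (trailing "-" deletes the label).
kubectl label pod source-pod test=allowed
kubectl label pod source-pod test-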
Quick Reference
Service Commands
- kubectl expose deployment name --port=80 - Expose deployment
- kubectl get svc - List services
- kubectl describe svc name - Service details
- kubectl get endpoints - List service endpoints
Ingress Commands
- kubectl get ingress - List ingress resources
- kubectl describe ingress name - Ingress details
- kubectl get ingressclass - List ingress classes
Network Policy Commands
- kubectl get networkpolicies - List network policies
- kubectl describe netpol name - Network policy details
Common Service Types
- ClusterIP - Internal cluster access only
- NodePort - External access via node IP:port
- LoadBalancer - Cloud provider load balancer
- ExternalName - DNS alias for external service
Troubleshooting Tools
# Quick HTTP connectivity test from a throwaway pod
kubectl run test --rm -it --image=busybox -- wget -qO- http://service:port

# DNS resolution test
kubectl run test --rm -it --image=busybox -- nslookup service-name

# Local port forward for debugging (listens on localhost only)
kubectl port-forward svc/service-name 8080:80

# Interactive shell in a pod with a full network toolset
kubectl run netshoot --rm -it --image=nicolaka/netshoot -- bash