Docs
/
Docker Kubernetes
Chapter 11
11 — Services & Networking in Kubernetes
Why Services?
Pods are ephemeral — they get new IPs when restarted. A Service provides a stable endpoint.
Without Service: With Service:
Pod IP: 10.0.1.5 (changes!) Service: api-svc → always reachable
Routes to healthy pods automatically
Service Types
| Type | Access | Use Case |
|---|---|---|
| ClusterIP | Internal only | Service-to-service communication |
| NodePort | External via node IP:port | Development, simple external access |
| LoadBalancer | External via cloud LB | Production external access |
| ExternalName | DNS alias | Map to external service |
ClusterIP (Default)
apiVersion: v1
kind: Service
metadata:
name: api-svc
spec:
type: ClusterIP
selector:
app: api # Routes to pods with label app=api
ports:
- port: 80 # Service port
targetPort: 3000 # Container port
Other pods access via: http://api-svc:80 or http://api-svc.namespace.svc.cluster.local
NodePort
apiVersion: v1
kind: Service
metadata:
name: api-svc
spec:
type: NodePort
selector:
app: api
ports:
- port: 80
targetPort: 3000
nodePort: 30080 # 30000-32767
Access via: http://<any-node-ip>:30080
LoadBalancer
apiVersion: v1
kind: Service
metadata:
name: api-svc
spec:
type: LoadBalancer
selector:
app: api
ports:
- port: 80
targetPort: 3000
Cloud provider provisions an external load balancer automatically.
Ingress
Route HTTP/HTTPS traffic to services based on host/path rules. Single entry point for multiple services.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: app-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx
tls:
- hosts:
- myapp.com
secretName: tls-secret
rules:
- host: myapp.com
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: api-svc
port:
number: 80
- path: /
pathType: Prefix
backend:
service:
name: frontend-svc
port:
number: 80
Internet → Ingress Controller → Ingress Rules
/api → api-svc → api pods
/ → frontend-svc → frontend pods
NetworkPolicy
Control pod-to-pod communication (firewall rules).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-policy
spec:
podSelector:
matchLabels:
app: api
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- port: 3000
egress:
- to:
- podSelector:
matchLabels:
app: db
ports:
- port: 5432
This allows: frontend → api:3000 and api → db:5432. All other traffic to/from api pods is denied.
DNS in Kubernetes
Service DNS: <service>.<namespace>.svc.cluster.local
Pod DNS: <pod-ip-dashed>.<namespace>.pod.cluster.local
Examples:
api-svc.default.svc.cluster.local
api-svc.production.svc.cluster.local
Short form (same namespace): api-svc
Cross-namespace: api-svc.production
Key Takeaways
- ClusterIP for internal services, LoadBalancer for external production traffic
- Ingress consolidates external access — route by host/path, handle TLS
- Pods communicate via Service DNS names (e.g.,
api-svc:80) - Use NetworkPolicies to restrict pod-to-pod traffic (zero-trust)
- Services use label selectors to find target pods