Services & Networking

Pods are ephemeral and their IPs change, so you never talk to a Pod directly. A Service gives a stable name and IP that load-balances across Pods matched by labels. ClusterIP is internal-only, NodePort opens a port on every node, LoadBalancer provisions an external load balancer.

• Service selects Pods by label and load-balances across them.
• ClusterIP (internal) → NodePort (node port) → LoadBalancer (external).
• A Service's ClusterIP is stable for its whole life.

Every Service gets a DNS name inside the cluster, so apps find each other by name, not IP. Same namespace uses the short name; across namespaces use service.namespace. This is how microservices locate one another.

• Same namespace: http://web. Cross-namespace: http://web.other-ns.
• Full form: service.namespace.svc.cluster.local.
• DNS is provided by CoreDNS in the cluster.

By default every Pod can talk to every other Pod. A NetworkPolicy locks that down, it specifies which Pods may send traffic to (ingress) or receive from (egress) a selected set of Pods. This is how you isolate workloads.

• Default is allow-all; a policy selecting a Pod flips it to default-deny for that direction.
• Rules match by podSelector, namespaceSelector, or ipBlock.
• Requires a CNI plugin that enforces policies (e.g. Calico).

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: default-deny-ingress }
spec:
  podSelector: {}              # selects ALL pods in the namespace
  policyTypes: ["Ingress"]     # no ingress rules = deny all inbound

A Service exposes one app; Ingress routes external HTTP/HTTPS to many Services by hostname and path, behind one entry point. An Ingress controller (like nginx) does the routing; the Ingress object is just the rules.

• Routes by host and path to backend Services.
• Needs an Ingress controller running to take effect.
• Handles TLS termination via a referenced Secret.