Module Review: Networking

Key Takeaways

  1. Services are Abstractions: They provide a stable IP and DNS name in front of dynamic Pods. ClusterIP uses virtual IPs that kube-proxy programs into iptables/IPVS.
  2. DNS is Critical: Every Service gets a DNS record (<svc>.<ns>.svc.cluster.local). Pods use CoreDNS to resolve these names to ClusterIPs.
  3. Ingress for L7: Don't use a LoadBalancer Service for everything. Use Ingress (Nginx/Traefik) for host/path-based routing and TLS termination.
  4. CNI does the Wiring: Kubernetes offloads Pod networking to CNI plugins. Flannel (overlay), Calico (BGP), and Cilium (eBPF) are popular choices.
  5. Zero Trust with Policies: By default, every Pod can talk to every other Pod. Use NetworkPolicy to enforce a default-deny stance and whitelist only the flows you need.

[!NOTE] This module review covers the core principles of Kubernetes networking, deriving solutions from first principles and hardware constraints to build production-ready expertise.

1. Flashcards

Q: What component implements Service VIPs (ClusterIP)?
A: kube-proxy (using iptables or IPVS mode).

Q: How does a Pod find the IP of a Service named 'db'?
A: Via DNS lookup (CoreDNS). It resolves db.namespace.svc... to the ClusterIP.

Q: What is the difference between LoadBalancer and Ingress?
A: LoadBalancer is L4 (TCP/UDP, one per Service). Ingress is L7 (HTTP/HTTPS, routing rules, one LB for many Services).

Q: Does Kubernetes implement Pod networking natively?
A: No. It relies on CNI (Container Network Interface) plugins like Flannel or Calico.

Q: Why might a NetworkPolicy not work?
A: If the underlying CNI plugin (like basic Flannel) does not support network policy enforcement.

2. Cheat Sheet

| Resource | Kind | Key Fields | Use Case |
|---|---|---|---|
| ClusterIP | Service | type: ClusterIP, selector | Internal traffic between microservices. |
| NodePort | Service | type: NodePort, nodePort | Quick debug access, external access on bare metal. |
| LoadBalancer | Service | type: LoadBalancer | Cloud-native external access (AWS ELB, GCP LB). |
| Ingress | Ingress | rules, host, paths, tls | HTTP/HTTPS routing, SSL termination, virtual hosting. |
| Policy | NetworkPolicy | podSelector, ingress, egress | Firewall rules, security segmentation. |
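The Ingress row above names the fields (rules, host, paths, tls); here they are in a working manifest that fronts two ClusterIP Services with one load balancer and terminates TLS at the controller. This is an added example, not from the module: the namespace `shop`, host `shop.example.com`, Services `web` and `api`, the Secret name `shop-example-tls` and the `nginx` ingress class are all assumed.

```yaml
# Added example, not from the module. Namespace, host, Service names,
# Secret name and ingress class are assumed values.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-ingress
  namespace: shop
spec:
  ingressClassName: nginx          # assumes an NGINX ingress controller is installed
  tls:
  - hosts:
    - shop.example.com
    secretName: shop-example-tls   # kubernetes.io/tls Secret holding tls.crt + tls.key
  rules:
  - host: shop.example.com         # host-based routing: only this Host header matches
    http:
      paths:
      - path: /api                 # path-based routing: longest prefix wins
        pathType: Prefix
        backend:
          service:
            name: api
            port:
              number: 8080
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
---
# The backends stay ClusterIP: only the ingress controller is exposed
# externally, so one cloud LB serves both Services.
apiVersion: v1
kind: Service
metadata:
  name: api
  namespace: shop
spec:
  type: ClusterIP
  selector:
    app: api
  ports:
  - port: 8080
    targetPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: shop
spec:
  type: ClusterIP
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
```

TLS is terminated at the ingress controller, so traffic from the controller to the `api` and `web` Pods is plain HTTP inside the cluster; that is the hop a NetworkPolicy on the backend namespace should restrict to the controller's Pods or namespace.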

3. Quick Revision

  • ClusterIP: Virtual IP programmed via iptables/IPVS, internal only.
  • NodePort: 30000-32767, open on every node.
  • Ingress: Reverse proxy, L7 routing, saves money (one load balancer shared by many Services).
  • CNI: Creates the Pod's eth0, assigns its IP, connects it to the node bridge/overlay.
  • NetworkPolicy: Whitelist traffic; default deny is best practice.

Kubernetes Glossary