Kubernetes Networking
Kubernetes networking — services, DNS resolution, ingress controllers, network policies, and debugging.
Services
Create and inspect services
kubectl get svc -A -o wide
kubectl describe svc nginx-svc
kubectl get endpoints nginx-svc # backend pod IPs (only pods that are Ready are listed)
Service types
# ClusterIP (default) — internal only
kubectl expose deploy/nginx --port=80 --target-port=80 --type=ClusterIP
# NodePort — accessible on every node at a static port
kubectl expose deploy/nginx --port=80 --target-port=80 --type=NodePort
# LoadBalancer — the cloud provider or MetalLB assigns an external IP
kubectl expose deploy/nginx --port=80 --target-port=80 --type=LoadBalancer
DNS Resolution
Verify in-cluster DNS
kubectl run dnstest --rm -it --image=busybox:1.36 --restart=Never -- nslookup nginx-svc
kubectl run dnstest --rm -it --image=busybox:1.36 --restart=Never -- nslookup nginx-svc.default.svc.cluster.local
Check CoreDNS
kubectl get pods -n kube-system -l k8s-app=kube-dns
kubectl logs -n kube-system -l k8s-app=kube-dns
Ingress
List and inspect ingress resources
kubectl get ingress -A
kubectl describe ingress my-ingress
Create ingress via manifest (the entrypoints annotation below is Traefik-specific; drop it when using ingress-nginx)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-svc
                port:
                  number: 80
Network Policies
Restrict traffic between pods (enforced only by a CNI plugin that implements NetworkPolicy, such as Calico or Cilium; otherwise the object is accepted but has no effect)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}   # empty selector = every pod in the namespace the policy is created in
  policyTypes:
    - Ingress
  # No ingress rules = deny all incoming traffic to the selected pods
Verify network policy
kubectl get networkpolicy -A
kubectl describe networkpolicy deny-all-ingress
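A default-deny policy is only useful if every namespace has one and the allow rules on top of it are narrow. The script below is an added example, not part of the original cheat sheet: it audits a list of namespaces against a list of policies for namespaces that lack a default-deny ingress policy, and renders an allow rule that admits traffic to one app only from one named namespace, to be applied alongside the deny-all-ingress policy above. The namespace and policy listings are constructed samples; the policy listing assumes the tab-separated shape produced by the `kubectl ... -o jsonpath` command quoted in the comments, and the allow rule relies on the `kubernetes.io/metadata.name` label that Kubernetes sets on every namespace. It goes beyond the single-namespace manifest above by checking all namespaces at once.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): audit which namespaces
# lack a default-deny ingress policy, and render the matching allow rule.

# Constructed sample, shaped like:
#   kubectl get ns -o custom-columns=NAME:.metadata.name --no-headers
SAMPLE_NAMESPACES='default
payments
monitoring
kube-system'

# Constructed sample, shaped like (assumed output format of):
#   kubectl get networkpolicy -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.podSelector}{"\t"}{.spec.policyTypes}{"\n"}{end}'
# Columns: namespace, name, podSelector (JSON), policyTypes (JSON).
SAMPLE_POLICIES=$(printf '%s\t%s\t%s\t%s\n' \
  default    deny-all-ingress '{}'                            '["Ingress"]' \
  payments   allow-api        '{"matchLabels":{"app":"api"}}' '["Ingress"]' \
  monitoring deny-all-egress  '{}'                            '["Egress"]')

# namespaces_without_default_deny NAMESPACES POLICIES
# A namespace counts as covered when some policy selects every pod ({}) and
# declares Ingress in policyTypes. This is a heuristic: it does not read the
# ingress rules themselves, so a policy with `ingress: [{}]` (allow all) would
# still count as covered and should be reviewed by hand.
namespaces_without_default_deny() {
  ns_list=$1
  policies=$2
  covered=$(printf '%s\n' "$policies" |
    awk -F'\t' '$3 == "{}" && index($4, "Ingress") { print $1 }')
  printf '%s\n' "$ns_list" | while IFS= read -r ns; do
    [ -n "$ns" ] || continue
    if ! printf '%s\n' "$covered" | grep -qxF -- "$ns"; then
      printf '%s\n' "$ns"
    fi
  done
}

# render_allow_from_namespace NAMESPACE APP PORT FROM_NAMESPACE
# Prints a NetworkPolicy that admits TCP traffic on PORT to pods labelled
# app=APP in NAMESPACE, but only from pods in FROM_NAMESPACE. Everything else
# stays blocked by the deny-all-ingress policy in the same namespace.
render_allow_from_namespace() {
  ns=$1; app=$2; port=$3; from_ns=$4
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-${app}-from-${from_ns}
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app: ${app}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ${from_ns}
      ports:
        - protocol: TCP
          port: ${port}
EOF
}

# Run stand-alone: report the gaps, then render one allow rule.
# Against a live cluster, pipe the rendered YAML into `kubectl apply -f -`.
namespaces_without_default_deny "$SAMPLE_NAMESPACES" "$SAMPLE_POLICIES"
render_allow_from_namespace payments api 8080 monitoring
```

With the constructed sample, `payments`, `monitoring` and `kube-system` are reported: `payments` only has a policy scoped to `app=api`, and `monitoring` only denies egress.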
Port Forwarding and Debugging
Forward ports for local access
kubectl port-forward svc/grafana 3000:80 &
kubectl port-forward deploy/api 8080:8080
Debug networking from inside the cluster
kubectl run netshoot --rm -it --image=nicolaka/netshoot --restart=Never -- bash
# Inside: curl, dig, tcpdump, iperf, ss, ip all available
Troubleshooting
Common diagnostic commands
kubectl get svc,endpoints,pods -o wide # correlate service to pods
kubectl get events --field-selector reason=FailedScheduling
kubectl describe pod <pod> | awk '/Conditions:/,/Volumes:/' # status conditions
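The Services section above lists the commands, and this section says to correlate services with pods; the script below is an added example, not part of the original cheat sheet, that turns that correlation into three checks over the output of those commands: services with no endpoints (selector/label mismatch or no Ready pod), services exposed outside the cluster (NodePort or LoadBalancer), and a converter from a service's `.spec.selector` (which `kubectl` jsonpath prints as a JSON object) into the `key=value` form that `kubectl get pods -l` accepts. The `kubectl get endpoints -A` and `kubectl get svc -A` listings embedded in the script are constructed samples so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): checks over the output
# of `kubectl get endpoints -A` and `kubectl get svc -A`, using constructed
# sample output so the script runs without a cluster.

# Constructed sample, shaped like `kubectl get endpoints -A`.
SAMPLE_ENDPOINTS='NAMESPACE    NAME         ENDPOINTS                         AGE
default      kubernetes   10.0.0.1:6443                     30d
default      nginx-svc    <none>                            5d
payments     api          10.244.1.5:8080,10.244.2.7:8080   5d
monitoring   grafana      <none>                            2d'

# Constructed sample, shaped like `kubectl get svc -A`.
SAMPLE_SERVICES='NAMESPACE   NAME         TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)          AGE
default     kubernetes   ClusterIP      10.96.0.1     <none>         443/TCP          30d
default     nginx-svc    NodePort       10.96.12.4    <none>         80:30080/TCP     5d
payments    api          LoadBalancer   10.96.33.9    203.0.113.10   8080:31234/TCP   5d'

# services_without_endpoints ENDPOINTS_OUTPUT
# An ENDPOINTS column of <none> means no Ready pod matches the service
# selector: either the selector and the pod labels disagree, or every
# matching pod is failing its readiness probe. Prints namespace/name.
services_without_endpoints() {
  printf '%s\n' "$1" | awk 'NR > 1 && $3 == "<none>" { print $1 "/" $2 }'
}

# externally_exposed_services SVC_OUTPUT
# NodePort and LoadBalancer services are reachable from outside the cluster,
# so each one should be known and justified. Prints namespace/name and type.
externally_exposed_services() {
  printf '%s\n' "$1" |
    awk 'NR > 1 && ($3 == "NodePort" || $3 == "LoadBalancer") { print $1 "/" $2 " " $3 }'
}

# selector_to_label_arg SELECTOR_JSON
# Converts {"app":"nginx","tier":"web"}, as returned by
#   kubectl get svc NAME -o jsonpath='{.spec.selector}'
# into app=nginx,tier=web for `kubectl get pods -l`. Label keys and values
# cannot contain braces, quotes or colons, so a character-level sed is enough.
selector_to_label_arg() {
  printf '%s' "$1" | sed -e 's/[{}"]//g' -e 's/:/=/g'
}

# Run stand-alone against the samples.
services_without_endpoints "$SAMPLE_ENDPOINTS"
externally_exposed_services "$SAMPLE_SERVICES"
selector_to_label_arg '{"app":"nginx","tier":"web"}'
echo
# Against a live cluster, list the pods a service should be selecting with:
#   kubectl get pods -n default -o wide \
#     -l "$(selector_to_label_arg "$(kubectl get svc nginx-svc -n default -o jsonpath='{.spec.selector}')")"
# If that returns pods but the endpoints are still <none>, check the READY
# column and the readiness probe rather than the labels.
```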