How Networking Works in Kubernetes: Basics and Examples
In Kubernetes, networking allows Pods to communicate with each other and with external systems over a flat network in which every Pod gets its own IP address. Services provide stable IPs and DNS names for reaching groups of Pods, while Network Policies control which traffic is allowed to flow between Pods.
Syntax
Kubernetes networking involves several key resources:
- Pod IPs: Each Pod gets a unique IP address.
- Service: Defines a stable endpoint to access Pods.
- NetworkPolicy: Controls allowed traffic between Pods.
Basic YAML syntax for a Service and NetworkPolicy is shown below.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app: my-app          # Pods carrying this label become the Service's endpoints
  ports:
    - protocol: TCP
      port: 80           # port clients connect to on the Service IP / DNS name
      targetPort: 8080   # port on the selected Pods that traffic is forwarded to
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  podSelector: {}        # empty selector: the policy applies to every Pod in its namespace
  ingress:
    - from:
        - podSelector: {}   # any Pod in the same namespace (no namespaceSelector given)
      ports:
        - protocol: TCP
          port: 80       # matched against the Pod's own port, not the Service port
```
Example
This example creates a Pod labeled app: my-app, a Service that exposes Pods with that label on port 80 and forwards to container port 8080, and a NetworkPolicy that allows traffic only from Pods in the same namespace on port 80. Because the policy's podSelector is empty, every Pod in the namespace becomes isolated for ingress; note that a NetworkPolicy port is matched against the Pod's own port rather than the Service port, so the port a Service forwards to must be listed in the policy for Service traffic to be admitted.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  labels:
    app: my-app          # must match the Service selector below
spec:
  containers:
    - name: my-container
      image: nginx
      ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app: my-app
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080   # traffic reaches the Pod on 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  podSelector: {}        # isolates every Pod in the namespace for ingress
  ingress:
    - from:
        - podSelector: {}   # peers: all Pods in this namespace only
      ports:
        - protocol: TCP
          port: 80       # Pod port; Service traffic arriving on targetPort 8080 is not covered by this rule
```
Output
Applying the three manifests with kubectl apply -f prints:
```text
pod/my-pod created
service/my-service created
networkpolicy.networking.k8s.io/allow-same-namespace created
```
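To see what the allow-same-namespace policy actually admits, the following added example (not code from the page or from the Kubernetes project) models the ingress decision the CNI plugin makes: a Pod is isolated for ingress as soon as any policy in its namespace selects it, and a flow is then admitted only if some rule matches both the peer and the port. It assumes matchLabels selectors and podSelector/namespaceSelector peers only (no ipBlock, matchExpressions or egress), and the Pods, namespaces and the default-deny policy are constructed sample data. Enforcement on a real cluster requires a CNI plugin that implements NetworkPolicy; without one the object is accepted by the API server but has no effect.

```python
"""Offline model of NetworkPolicy ingress semantics (added example, not from the page)."""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


@dataclass
class NetworkPolicy:
    name: str
    namespace: str
    pod_selector: dict   # spec.podSelector; {} selects every Pod in the namespace
    ingress: list        # spec.ingress rules; [] means "isolate and admit nothing"


def selector_matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every selector key/value must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_matches(peer: dict, policy_ns: str, src: Pod, namespaces: dict) -> bool:
    """Does one `from` entry admit src? podSelector alone is scoped to the policy's namespace."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None:
        ns_ok = src.namespace == policy_ns
    else:
        ns_ok = selector_matches(ns_sel.get("matchLabels", {}), namespaces.get(src.namespace, {}))
    pod_ok = pod_sel is None or selector_matches(pod_sel.get("matchLabels", {}), src.labels)
    return ns_ok and pod_ok


def port_matches(rule_ports: list, port: int, protocol: str) -> bool:
    """An absent/empty ports list admits every port; otherwise protocol and port must match."""
    if not rule_ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in rule_ports)


def ingress_allowed(src: Pod, dst: Pod, port: int, policies: list, namespaces: dict,
                    protocol: str = "TCP") -> bool:
    """Decide whether src may open a connection to dst:port under the given policies."""
    selecting = [p for p in policies
                 if p.namespace == dst.namespace
                 and selector_matches(p.pod_selector.get("matchLabels", {}), dst.labels)]
    if not selecting:
        return True  # dst is not isolated: the flat Pod network allows everything
    # dst is isolated; policies are additive, so any single matching rule admits the flow
    for pol in selecting:
        for rule in pol.ingress:
            froms = rule.get("from", [])
            peer_ok = not froms or any(peer_matches(f, pol.namespace, src, namespaces) for f in froms)
            if peer_ok and port_matches(rule.get("ports", []), port, protocol):
                return True
    return False


# Constructed sample: the page's allow-same-namespace policy, a default-deny policy and three Pods.
ALLOW_SAME_NS = NetworkPolicy(
    name="allow-same-namespace", namespace="default", pod_selector={},
    ingress=[{"from": [{"podSelector": {}}], "ports": [{"protocol": "TCP", "port": 80}]}],
)
DENY_ALL = NetworkPolicy(name="default-deny-ingress", namespace="default", pod_selector={}, ingress=[])
NAMESPACES = {"default": {"kubernetes.io/metadata.name": "default"},
              "other": {"kubernetes.io/metadata.name": "other"}}
WEB = Pod("my-pod", "default", {"app": "my-app"})
CLIENT = Pod("client", "default", {"app": "client"})
OUTSIDER = Pod("client", "other", {"app": "client"})


def demo() -> dict:
    """Evaluate the flows a reviewer would check for the page's policy."""
    return {
        "no_policy_same_ns":       ingress_allowed(CLIENT, WEB, 80, [], NAMESPACES),
        "no_policy_other_ns":      ingress_allowed(OUTSIDER, WEB, 80, [], NAMESPACES),
        "allow_same_ns_client":    ingress_allowed(CLIENT, WEB, 80, [ALLOW_SAME_NS], NAMESPACES),
        "allow_same_ns_outsider":  ingress_allowed(OUTSIDER, WEB, 80, [ALLOW_SAME_NS], NAMESPACES),
        # the Service forwards to targetPort 8080, which this policy never admits
        "allow_same_ns_port_8080": ingress_allowed(CLIENT, WEB, 8080, [ALLOW_SAME_NS], NAMESPACES),
        "deny_all_only":           ingress_allowed(CLIENT, WEB, 80, [DENY_ALL], NAMESPACES),
        "deny_all_plus_allow":     ingress_allowed(CLIENT, WEB, 80, [DENY_ALL, ALLOW_SAME_NS], NAMESPACES),
    }


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow:26} {'ALLOW' if allowed else 'DENY'}")
```

The two results worth noticing are allow_same_ns_outsider (a Pod in another namespace is denied, which is the intent) and allow_same_ns_port_8080 (traffic the Service forwards to port 8080 is also denied, because the rule names port 80). A default-deny policy plus a narrow allow policy is the usual pattern: policies only ever add permissions, so listing both leaves the allowed flow open.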
Common Pitfalls
Common mistakes in Kubernetes networking include:
- Assuming Pods can be accessed by IP outside the cluster (Pod IPs are internal).
- Not creating a Service to expose Pods, making them unreachable.
- Misconfiguring NetworkPolicies that block all traffic unintentionally.
- Forgetting to label Pods correctly so Services can select them.
Always verify Pod labels and NetworkPolicy rules carefully. The first Service below selects a label that no Pod carries, so it has no endpoints and every connection to it fails; the second uses the label from the example Pod.
```yaml
# Wrong selector: no Pod is labeled app: wrong-label, so this Service has no endpoints
apiVersion: v1
kind: Service
metadata:
  name: broken-service
spec:
  selector:
    app: wrong-label
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
---
# Correct selector
apiVersion: v1
kind: Service
metadata:
  name: fixed-service
spec:
  selector:
    app: my-app
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
```
Quick Reference
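The label mismatch above is easy to catch before traffic ever fails. This added example (not code from the page or from Kubernetes) reads the JSON shape that kubectl get pods -o json and kubectl get svc -o json return, matches each Service selector against the Pods in its namespace, and reports Services with no backing Pods, plus a weaker warning when a numeric targetPort is not a declared containerPort on any selected Pod. The embedded documents are constructed to mirror the page's manifests, with one extra constructed Service (off-by-port) that exercises the second check; only matchLabels selectors and numeric targetPorts are handled.

```python
"""Check Services against the Pods they select (added example, not from the page)."""
import json

# Constructed sample mirroring `kubectl get pods -o json` for the page's Pod.
PODS_JSON = """
{"kind": "List", "items": [
  {"kind": "Pod",
   "metadata": {"name": "my-pod", "namespace": "default", "labels": {"app": "my-app"}},
   "spec": {"containers": [{"name": "my-container", "image": "nginx",
                            "ports": [{"containerPort": 8080}]}]}}
]}
"""

# Constructed sample mirroring `kubectl get svc -o json`: the page's two Services plus "off-by-port".
SERVICES_JSON = """
{"kind": "List", "items": [
  {"kind": "Service", "metadata": {"name": "broken-service", "namespace": "default"},
   "spec": {"selector": {"app": "wrong-label"},
            "ports": [{"protocol": "TCP", "port": 80, "targetPort": 8080}]}},
  {"kind": "Service", "metadata": {"name": "fixed-service", "namespace": "default"},
   "spec": {"selector": {"app": "my-app"},
            "ports": [{"protocol": "TCP", "port": 80, "targetPort": 8080}]}},
  {"kind": "Service", "metadata": {"name": "off-by-port", "namespace": "default"},
   "spec": {"selector": {"app": "my-app"},
            "ports": [{"protocol": "TCP", "port": 80, "targetPort": 9090}]}}
]}
"""


def load_items(doc: str) -> list:
    """Accept either a kubectl List or a single object."""
    obj = json.loads(doc)
    return obj["items"] if obj.get("kind") == "List" else [obj]


def selector_matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every selector key/value must be present on the Pod."""
    return all(labels.get(k) == v for k, v in selector.items())


def declared_ports(pod: dict) -> set:
    """containerPort values the Pod declares (informational in Kubernetes, but a useful cross-check)."""
    return {p["containerPort"] for c in pod["spec"].get("containers", [])
            for p in c.get("ports", [])}


def check_services(pods: list, services: list) -> dict:
    """Return {service name: [findings]}; an empty list means the Service looks consistent."""
    report = {}
    for svc in services:
        name = svc["metadata"]["name"]
        ns = svc["metadata"].get("namespace", "default")
        selector = svc["spec"].get("selector")
        findings = []
        if not selector:
            # ExternalName or manually managed Endpoints: nothing to match against Pods
            report[name] = findings
            continue
        backends = [p for p in pods
                    if p["metadata"].get("namespace", "default") == ns
                    and selector_matches(selector, p["metadata"].get("labels", {}))]
        if not backends:
            findings.append(f"selector {selector} matches no Pod in namespace {ns}: no endpoints")
        for sp in svc["spec"].get("ports", []):
            target = sp.get("targetPort", sp["port"])  # targetPort defaults to port
            if isinstance(target, int) and backends and not any(target in declared_ports(b) for b in backends):
                findings.append(f"targetPort {target} is not a declared containerPort on any selected Pod")
        report[name] = findings
    return report


if __name__ == "__main__":
    for svc, findings in check_services(load_items(PODS_JSON), load_items(SERVICES_JSON)).items():
        print(svc, "OK" if not findings else "; ".join(findings))
```

On a live cluster the same information is available from kubectl get endpoints, where a Service whose selector matches nothing shows an empty ENDPOINTS column; the script is useful when reviewing manifests before they are applied.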
Kubernetes Networking Cheat Sheet:
| Concept | Description |
|---|---|
| Pod IP | Unique IP for each Pod, internal to cluster |
| Service | Stable IP and DNS to access Pods |
| NetworkPolicy | Rules to allow or block traffic between Pods |
| Cluster Network | Flat network where all Pods can reach each other by default |
Key Takeaways
- Every Pod in Kubernetes gets its own unique IP address within the cluster.
- Services provide stable IPs and DNS names to access Pods reliably.
- NetworkPolicies control which Pods can communicate, enhancing security.
- Pod IPs are internal; use Services to expose Pods outside the cluster.
- Correct Pod labeling is essential for Services and NetworkPolicies to work.