Source from repo
Kubernetes Specialist

Deploy and manage Kubernetes workloads: manifests, RBAC, Helm charts, service mesh, GitOps, and troubleshooting.
jeffallanGitHub jeffallanSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
129.5 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
references/networking.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown448 linesFree
references/networking.md
1# Kubernetes Networking
2 
3## Service Types
4 
5### ClusterIP (Default)
6 
7```yaml
8apiVersion: v1
9kind: Service
10metadata:
11  name: web-app-service
12  namespace: production
13  labels:
14    app: web-app
15spec:
16  type: ClusterIP
17  selector:
18    app: web-app
19    tier: frontend
20  ports:
21  - name: http
22    port: 80
23    targetPort: 8080
24    protocol: TCP
25  - name: metrics
26    port: 9090
27    targetPort: metrics
28    protocol: TCP
29  sessionAffinity: ClientIP
30  sessionAffinityConfig:
31    clientIP:
32      timeoutSeconds: 3600
33```
34 
35### Headless Service (StatefulSet)
36 
37```yaml
38apiVersion: v1
39kind: Service
40metadata:
41  name: postgres-headless
42  namespace: database
43spec:
44  clusterIP: None  # Headless
45  selector:
46    app: postgres
47  ports:
48  - name: postgres
49    port: 5432
50    targetPort: 5432
51```
52 
53### NodePort
54 
55```yaml
56apiVersion: v1
57kind: Service
58metadata:
59  name: external-app
60  namespace: production
61spec:
62  type: NodePort
63  selector:
64    app: external-app
65  ports:
66  - name: http
67    port: 80
68    targetPort: 8080
69    nodePort: 30080  # Range: 30000-32767
70    protocol: TCP
71```
72 
73### LoadBalancer
74 
75```yaml
76apiVersion: v1
77kind: Service
78metadata:
79  name: public-web
80  namespace: production
81  annotations:
82    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
83    service.beta.kubernetes.io/aws-load-balancer-internal: "false"
84spec:
85  type: LoadBalancer
86  selector:
87    app: web-app
88  ports:
89  - name: http
90    port: 80
91    targetPort: 8080
92  - name: https
93    port: 443
94    targetPort: 8443
95  loadBalancerSourceRanges:
96  - 203.0.113.0/24  # Restrict source IPs
97```
98 
99## Ingress Resources
100 
101### NGINX Ingress
102 
103```yaml
104apiVersion: networking.k8s.io/v1
105kind: Ingress
106metadata:
107  name: web-ingress
108  namespace: production
109  annotations:
110    nginx.ingress.kubernetes.io/rewrite-target: /
111    nginx.ingress.kubernetes.io/ssl-redirect: "true"
112    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
113    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
114    nginx.ingress.kubernetes.io/rate-limit: "100"
115    cert-manager.io/cluster-issuer: "letsencrypt-prod"
116spec:
117  ingressClassName: nginx
118  tls:
119  - hosts:
120    - www.example.com
121    - api.example.com
122    secretName: example-tls
123  rules:
124  - host: www.example.com
125    http:
126      paths:
127      - path: /
128        pathType: Prefix
129        backend:
130          service:
131            name: frontend-service
132            port:
133              number: 80
134  - host: api.example.com
135    http:
136      paths:
137      - path: /v1
138        pathType: Prefix
139        backend:
140          service:
141            name: api-service
142            port:
143              number: 8080
144      - path: /v2
145        pathType: Prefix
146        backend:
147          service:
148            name: api-v2-service
149            port:
150              number: 8080
151```
152 
153### Path-Based Routing
154 
155```yaml
156apiVersion: networking.k8s.io/v1
157kind: Ingress
158metadata:
159  name: app-ingress
160  namespace: production
161spec:
162  ingressClassName: nginx
163  rules:
164  - host: app.example.com
165    http:
166      paths:
167      - path: /api
168        pathType: Prefix
169        backend:
170          service:
171            name: backend-api
172            port:
173              number: 8080
174      - path: /
175        pathType: Prefix
176        backend:
177          service:
178            name: frontend
179            port:
180              number: 80
181```
182 
183## NetworkPolicy (Zero Trust)
184 
185### Default Deny All
186 
187```yaml
188apiVersion: networking.k8s.io/v1
189kind: NetworkPolicy
190metadata:
191  name: default-deny-all
192  namespace: production
193spec:
194  podSelector: {}
195  policyTypes:
196  - Ingress
197  - Egress
198```
199 
200### Allow Frontend to Backend
201 
202```yaml
203apiVersion: networking.k8s.io/v1
204kind: NetworkPolicy
205metadata:
206  name: frontend-to-backend
207  namespace: production
208spec:
209  podSelector:
210    matchLabels:
211      tier: backend
212  policyTypes:
213  - Ingress
214  ingress:
215  - from:
216    - podSelector:
217        matchLabels:
218          tier: frontend
219    ports:
220    - protocol: TCP
221      port: 8080
222```
223 
224### Backend to Database
225 
226```yaml
227apiVersion: networking.k8s.io/v1
228kind: NetworkPolicy
229metadata:
230  name: backend-to-database
231  namespace: production
232spec:
233  podSelector:
234    matchLabels:
235      app: postgres
236  policyTypes:
237  - Ingress
238  ingress:
239  - from:
240    - podSelector:
241        matchLabels:
242          tier: backend
243    - namespaceSelector:
244        matchLabels:
245          name: production
246    ports:
247    - protocol: TCP
248      port: 5432
249```
250 
251### Allow DNS and External HTTPS
252 
253```yaml
254apiVersion: networking.k8s.io/v1
255kind: NetworkPolicy
256metadata:
257  name: allow-dns-and-https
258  namespace: production
259spec:
260  podSelector:
261    matchLabels:
262      tier: backend
263  policyTypes:
264  - Egress
265  egress:
266  - to:
267    - namespaceSelector:
268        matchLabels:
269          name: kube-system
270    ports:
271    - protocol: UDP
272      port: 53
273  - to:
274    - namespaceSelector: {}
275    ports:
276    - protocol: TCP
277      port: 443
278```
279 
280### Cross-Namespace Communication
281 
282```yaml
283apiVersion: networking.k8s.io/v1
284kind: NetworkPolicy
285metadata:
286  name: allow-monitoring
287  namespace: production
288spec:
289  podSelector:
290    matchLabels:
291      app: web-app
292  policyTypes:
293  - Ingress
294  ingress:
295  - from:
296    - namespaceSelector:
297        matchLabels:
298          name: monitoring
299      podSelector:
300        matchLabels:
301          app: prometheus
302    ports:
303    - protocol: TCP
304      port: 8080
305```
306 
307## DNS Configuration
308 
309### Service DNS Names
310 
311```yaml
312# Within same namespace
313http://web-app-service
314 
315# Cross-namespace
316http://web-app-service.production.svc.cluster.local
317 
318# Headless service (StatefulSet)
319postgres-0.postgres-headless.database.svc.cluster.local
320postgres-1.postgres-headless.database.svc.cluster.local
321postgres-2.postgres-headless.database.svc.cluster.local
322```
323 
324### Custom DNS Policy
325 
326```yaml
327apiVersion: v1
328kind: Pod
329metadata:
330  name: custom-dns
331spec:
332  dnsPolicy: None
333  dnsConfig:
334    nameservers:
335    - 8.8.8.8
336    - 8.8.4.4
337    searches:
338    - production.svc.cluster.local
339    - svc.cluster.local
340    - cluster.local
341    options:
342    - name: ndots
343      value: "2"
344  containers:
345  - name: app
346    image: myapp:latest
347```
348 
349## Service Mesh (Istio Example)
350 
351### VirtualService
352 
353```yaml
354apiVersion: networking.istio.io/v1beta1
355kind: VirtualService
356metadata:
357  name: web-app-routes
358  namespace: production
359spec:
360  hosts:
361  - web-app-service
362  http:
363  - match:
364    - headers:
365        canary:
366          exact: "true"
367    route:
368    - destination:
369        host: web-app-service
370        subset: v2
371  - route:
372    - destination:
373        host: web-app-service
374        subset: v1
375      weight: 90
376    - destination:
377        host: web-app-service
378        subset: v2
379      weight: 10
380```
381 
382### DestinationRule
383 
384```yaml
385apiVersion: networking.istio.io/v1beta1
386kind: DestinationRule
387metadata:
388  name: web-app-destination
389  namespace: production
390spec:
391  host: web-app-service
392  trafficPolicy:
393    connectionPool:
394      tcp:
395        maxConnections: 100
396      http:
397        http1MaxPendingRequests: 50
398        http2MaxRequests: 100
399    loadBalancer:
400      simple: LEAST_REQUEST
401  subsets:
402  - name: v1
403    labels:
404      version: v1.0.0
405  - name: v2
406    labels:
407      version: v2.0.0
408```
409 
410## EndpointSlice (Modern Alternative to Endpoints)
411 
412```yaml
413apiVersion: discovery.k8s.io/v1
414kind: EndpointSlice
415metadata:
416  name: web-app-abc123
417  namespace: production
418  labels:
419    kubernetes.io/service-name: web-app-service
420addressType: IPv4
421ports:
422- name: http
423  protocol: TCP
424  port: 8080
425endpoints:
426- addresses:
427  - "10.244.1.5"
428  conditions:
429    ready: true
430  nodeName: node-1
431- addresses:
432  - "10.244.2.7"
433  conditions:
434    ready: true
435  nodeName: node-2
436```
437 
438## Best Practices
439 
4401. **Default Deny**: Start with deny-all NetworkPolicy, then allow specific traffic
4412. **Least Privilege**: Only open required ports and protocols
4423. **Service Selection**: Use ClusterIP by default, LoadBalancer sparingly
4434. **DNS Names**: Use service DNS names, avoid hardcoded IPs
4445. **TLS Termination**: Terminate TLS at Ingress when possible
4456. **Health Checks**: Configure proper health check paths
4467. **Rate Limiting**: Apply rate limits at Ingress level
4478. **Monitoring**: Expose metrics endpoints for Prometheus
448
Preparing the source view

Kubernetes Specialist

references/networking.md
