Kubernetes Networking: Services, Ingress, and NetworkPolicy
You will expose an app through an Ingress and lock down pod-to-pod traffic with a default-deny NetworkPolicy. By the end external users reach your service while only authorized pods can talk to the backend.
Learning Objectives
- Compare ClusterIP, NodePort, and Ingress for exposure.
- Route external traffic via an Ingress controller.
- Enforce default-deny with NetworkPolicy.
- Time: ~4 hours · Difficulty: Advanced · Prereqs: a cluster with an Ingress controller and a CNI that supports policy.
Architecture Overview
graph LR
U[User] -->|443| Ing[Ingress controller]
Ing -->|host/path| Svc[Service]
Svc --> API[api pods]
API -->|policy allow| DB[db pods]
Other[other pods] -. default deny .- DB
Environment Setup
You will need: a cluster, an Ingress controller (ingress-nginx), and a policy-capable CNI (Calico/Cilium).
Before you begin: the default cluster allows all pod traffic until you add a policy.
Step-by-Step Execution
01
Expose a service internally
kubectl expose deploy web --port 80 --target-port 80 --name web02
Route external traffic with Ingress
# ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata: { name: web }
spec:
rules:
- host: web.lab.tyfsadik.org
http:
paths:
- path: /
pathType: Prefix
backend: { service: { name: web, port: { number: 80 } } }
03
Apply a default-deny policy
Default-deny then explicit-allow is the zero-trust posture for pod traffic.
kubectl apply -f default-deny.yaml && kubectl apply -f allow-api-to-db.yamlProgress So Far
graph LR
A[01 Service] -->|done| B[02 Ingress]
B -->|done| C[03 NetworkPolicy]
style A fill:#1a4a1a,stroke:#00ff00,color:#fff
style B fill:#1a4a1a,stroke:#00ff00,color:#fff
style C fill:#1a4a1a,stroke:#00ff00,color:#fff
Testing & Validation
curl -H 'Host: web.lab.tyfsadik.org' http://INGRESS_IP/ ; kubectl exec other -- nc -zv db 5432 || echo deniedExternal access through the Ingress should succeed, while a non-authorized pod reaching the DB should print denied. That confirms exposure plus segmentation.
Troubleshooting
- Ingress 404: the host/path rule must match the request Host header.
- Policy has no effect: your CNI must support NetworkPolicy (Calico/Cilium), not all do.
- DNS fails inside pods: check CoreDNS pods are Running in kube-system.
Extension Ideas
- Add TLS to the Ingress with cert-manager.
- Move to eBPF policy in the Zero-Trust Hybrid Cloud lab.
- Deploy this on managed Kubernetes in AKS.
Key Results
- Exposed an app externally through an Ingress controller.
- Enforced default-deny pod traffic with explicit allow rules.
- Verified both external reachability and internal segmentation.
- Applied a zero-trust posture inside the cluster.