Networking Deep Dive

Kubernetes Intermediate/Advanced

Chapter 5 · Networking Deep Dive

Chapter 4 covered who can call the Kubernetes API. This chapter covers a different layer entirely: network-level traffic control within the cluster, going deeper than k8s1-6's basic Services material.

CNI — The Container Network Interface

Kubernetes itself doesn't implement pod networking directly — it delegates this to a CNI (Container Network Interface) plugin, a pluggable standard interface, much like Chapter 1's own CRI/containerd pluggability point. Popular implementations: Calico, Cilium, Flannel — each with different capabilities and performance characteristics. Worth knowing directly: some CNI plugins also implement Network Policies (below), while simpler ones (basic Flannel, for instance) don't — genuinely practical to know when troubleshooting later, since "why doesn't my NetworkPolicy do anything" can sometimes simply mean the CNI plugin in use doesn't support it at all.

The Default — Flat, Unrestricted Pod Networking

An important baseline fact: by default, every pod in a Kubernetes cluster can communicate with every other pod, across any namespace, with no restrictions at all. Genuinely surprising coming from a more locked-down mental model. This flat networking model is exactly what makes Chapter 6's Services/DNS work simply — but it also means a compromised pod can, by default, reach anything else in the cluster, a real security consideration worth naming directly.

Network Policies — Restricting Pod-to-Pod Traffic

A NetworkPolicy defines allow rules for traffic to/from pods matching a label selector (Chapter 5, Course 1's own label mechanism, reused again). By default, with no NetworkPolicy at all, everything is allowed.

Deny-by-default, but only once selected
The instant any NetworkPolicy selects a given pod, that pod's traffic switches to deny-by-default, except for what's explicitly allowed — a genuinely important, easy-to-get-wrong-the-first-time behavior. Applying policies incrementally means thinking carefully about exactly what each newly-selected pod actually needs allowed.

A Concrete NetworkPolicy Example

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: db-allow-backend-only namespace: shop-app spec: podSelector: matchLabels: app: db policyTypes: [Ingress] ingress: - from: - podSelector: matchLabels: app: backend

Restricting k8s1-12's own capstone database to accept traffic only from pods labeled app: backend — closing a real security gap the capstone's own architecture left implicitly open, despite Chapter 6's Service already existing. This is genuinely the Kubernetes-internal equivalent of cloud1-5's own private-subnet analogy — defense in depth at the pod level, rather than the VPC/subnet level.

Service Meshes — A Brief Overview

Foreshadowed since Chapter 3, Course 1's own sidecar material: a service mesh — Istio and Linkerd being the most common — adds a layer of infrastructure specifically for managing service-to-service communication, typically implemented via a sidecar proxy (Chapter 3's own pattern, now with a concrete real use case) injected into every pod, intercepting all network traffic. What it adds beyond NetworkPolicies:

  • Automatic mutual TLS (mTLS) between services (crypto1's own TLS/certificate material).
  • Fine-grained traffic routing and canary deployments.
  • Detailed per-service traffic metrics and observability (k8s2-7's upcoming chapter builds on this).
  • Retry and circuit-breaking logic.

Genuinely powerful — and genuinely adding real operational complexity.

When You Need a Service Mesh vs. When NetworkPolicies Are Enough

Honest framing matching this course's own recurring convention (k8s1-1, k8s1-8): most clusters, even production ones, genuinely don't need a full service mesh. NetworkPolicies alone solve basic traffic restriction. A service mesh earns its complexity specifically at real microservices scale, when mTLS, fine-grained routing, or detailed per-service metrics become genuinely necessary — not adopted just because the name is well known.

Forgetting DNS in a NetworkPolicy is a real, confusing trap
Applying a NetworkPolicy that selects pods but forgetting an explicit rule allowing DNS traffic (typically to kube-system, port 53) can break that pod's ability to resolve any DNS name at all — including Chapter 6's own Service names. A genuinely common, confusing troubleshooting scenario, since the symptom (broken DNS resolution) looks nothing like "a networking policy problem" at first glance.

Hands-On Exercises

Exercise 1

Explain the default pod networking behavior in Kubernetes before any NetworkPolicy is applied, and explain precisely what changes the moment a NetworkPolicy selects a given pod.

📄 View solution
Exercise 2

Explain what a CNI plugin is responsible for, and why "my NetworkPolicy isn't working" can sometimes have nothing to do with the policy YAML itself being wrong.

📄 View solution
Exercise 3

A team applies a NetworkPolicy to their backend pods allowing only traffic from their frontend pods. Afterward, the backend pods can no longer resolve any Service DNS names at all, even though the policy only mentions frontend traffic. Explain what's likely missing from their NetworkPolicy and why.

📄 View solution

Chapter 5 Quick Reference

  • CNI — a pluggable interface Kubernetes delegates pod networking to; not all CNI plugins support NetworkPolicies
  • Default pod networking is flat and unrestricted — any pod can reach any other pod, cluster-wide, until a NetworkPolicy says otherwise
  • The moment a NetworkPolicy selects a pod, that pod becomes deny-by-default except for explicitly allowed traffic
  • NetworkPolicies are the pod-level equivalent of cloud1-5's private-subnet pattern — defense in depth
  • Service mesh (Istio/Linkerd) — sidecar-based mTLS, fine-grained routing, and observability, genuinely powerful but adds real complexity
  • Most clusters don't need a full mesh — NetworkPolicies alone are enough until real microservices-scale needs emerge
  • Forgetting an explicit DNS-allow rule in a NetworkPolicy silently breaks all Service name resolution — a real, confusing trap
  • Next chapter: Autoscaling — Horizontal Pod Autoscaler, Vertical Pod Autoscaler, Cluster Autoscaler