Trisul's Blog

Network & Cloud Engineering Insights

Kubernetes Networking Deep Dive: CNI, Service Mesh, and Ingress

Written by Trisul ·

Kubernetes networking can seem complex, but understanding the core concepts of CNI plugins, services, ingress controllers, and service mesh will help you build robust, scalable applications. This guide covers everything from pod-to-pod communication to advanced traffic management patterns.

Kubernetes Network Model

  • Pod Network: Each pod gets its own IP address
  • Service Network: Stable endpoints for pod groups
  • Ingress: External access to services
  • Network Policies: Traffic filtering and security

Step 1: Understanding CNI Plugins

# Popular CNI plugins
- Calico: Network policies and BGP routing
- Flannel: Simple overlay networking
- Weave: Mesh networking with encryption
- Cilium: eBPF-based networking and security

# Check current CNI
kubectl get pods -n kube-system | grep -E "calico|flannel|weave|cilium"

Step 2: Service Types and Load Balancing

# ClusterIP Service (internal only)
apiVersion: v1
kind: Service
metadata:
  name: backend-service
spec:
  selector:
    app: backend
  ports:
    - port: 80
      targetPort: 8080
  type: ClusterIP

# LoadBalancer Service (external access)
apiVersion: v1
kind: Service
metadata:
  name: frontend-service
spec:
  selector:
    app: frontend
  ports:
    - port: 80
      targetPort: 3000
  type: LoadBalancer

Step 3: Ingress Controller Setup

# Install NGINX Ingress Controller
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml

# Verify installation
kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx

Step 4: Configure Ingress Rules

# Ingress with SSL termination
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - app.example.com
    secretName: app-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend-service
            port:
              number: 80
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: backend-service
            port:
              number: 80

Step 5: Network Policies for Security

# Deny all ingress traffic by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress

# Allow specific traffic between tiers
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-netpol
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080

Step 6: Service Mesh with Istio

# Install Istio
curl -L https://istio.io/downloadIstio | sh -
cd istio-*
export PATH=$PWD/bin:$PATH
istioctl install --set values.defaultRevision=default

# Enable sidecar injection
kubectl label namespace default istio-injection=enabled

# Traffic management with VirtualService
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: backend-vs
spec:
  http:
  - match:
    - headers:
        version:
          exact: v2
    route:
    - destination:
        host: backend-service
        subset: v2
  - route:
    - destination:
        host: backend-service
        subset: v1
      weight: 90
    - destination:
        host: backend-service
        subset: v2
      weight: 10

Monitoring and Troubleshooting

# Check pod connectivity
kubectl exec -it pod-name -- nslookup service-name

# Monitor network traffic
kubectl logs -f deployment/ingress-nginx-controller -n ingress-nginx

# Debug DNS resolution
kubectl run -it --rm debug --image=busybox --restart=Never -- nslookup kubernetes.default

# Check network policies
kubectl describe networkpolicy policy-name

Best Practices

  • Use network policies to implement zero-trust networking
  • Monitor network performance with tools like Prometheus
  • Implement proper service mesh observability
  • Use ingress controllers for SSL termination
  • Plan IP address ranges to avoid conflicts

Conclusion

Kubernetes networking provides powerful primitives for building scalable, secure applications. By understanding CNI, services, ingress, and service mesh concepts, you can design networks that meet enterprise requirements for performance, security, and observability.

Need help with your Kubernetes networking architecture? Let's connect!