Chapter Four
Networking
The flat network model every cluster guarantees, how DNS turns Service names into addresses, the CNI plugins that implement it, NetworkPolicies, and what a service mesh adds.
Kubernetes networking is governed by one promise: every Pod gets its own IP address, sees itself at that address, and can reach every other Pod in the cluster directly, without NAT. That flat model is simple to state and non-trivial to implement.
This chapter explains the model, how cluster DNS turns Service names into addresses, the CNI plugins that actually wire the network, the NetworkPolicies that segment it, and the extra capabilities — mTLS, traffic shaping, observability — that a service mesh layers on top.
Topics in This Chapter
Topic 20
The Network Model
The four rules every cluster network must satisfy, and why the flat Pod network is the foundation everything else builds on.
Topic 21
Cluster DNS and Service Discovery
CoreDNS and the naming scheme that lets Pods find Services by name. Headless Services, search domains, and resolution gotchas.
Topic 22
CNI and Network Plugins
The interface that wires Pod networking, and the plugins that implement it — Calico, Cilium, and others. Overlay versus native routing.
Topic 23
Network Policies
Firewall rules for Pod traffic, expressed by label selector. Pods are default-allow until a policy selects them, default-deny afterwards; and because the API server accepts a NetworkPolicy object whether or not anything enforces it, a policy is only as real as the CNI plugin behind it.
Topic 24
Service Mesh
What a mesh adds beyond core networking — mTLS, retries, traffic splitting, observability — and the sidecar-versus-ambient cost trade-off.