Files
awesome-kubernetes/v2-docs/kubernetes-networking.md

59 KiB
Raw Blame History

Kubernetes Networking

!!! info "Architectural Context" Detailed reference for Kubernetes Networking in the context of Networking & Service Mesh.

Standard Reference

Cloud Infrastructure

Kubernetes

Networking

  • cilium.io [ADVANCED LEVEL] [DE FACTO STANDARD] — An eBPF-powered open-source project that provides high-performance, secure, and observable networking, load balancing, and network security for Kubernetes workloads. Cilium is widely adopted by enterprise platforms due to its scale capabilities and granular L3-L7 policy controls.

Cloud Native

Networking (1)

Kubernetes (1)

Ingress Controllers

Cloud Native Infrastructure

Networking (2)

Egress Traffic Control

Case Studies
  • Controlling outbound traffic from Kubernetes [ADVANCED LEVEL] [CASE STUDY] [CASE STUDY] [ENTERPRISE-STABLE] — A highly regarded engineering case study by Monzo bank detailing how they designed and operated egress gateways to control and audit outbound traffic. Explains compliance benefits, custom proxy layers, and high-availability engineering patterns.

Cloud Native Security

Network Security

Network Policies

Networking (3)

CNI

Calico

  • (2020) thenewstack.io: Tigera's Calico Aims to Ease Connectivity Pain with Kubernetes [GO CONTENT] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — Covers Tigera Calico's core value proposition of delivering flexible, secure CNI capabilities for Kubernetes environments. It contrasts Calico's IP-in-IP and BGP routing modes with standard encapsulation overlays, providing optimal performance. Integrates advanced security policy engines capable of running in both Kubernetes and hybrid virtualized clusters.

Flannel

  • (2025) ==Flannel== 9454 [GO CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — Flannel is a highly stable, lightweight Layer 3 network fabric designed specifically for Kubernetes. It runs a simple agent on each host to allocate subnet leases, supporting backends like VXLAN, host-gw, and UDP. While lacking advanced L7 policy capabilities, its extreme simplicity makes it a favorite for bootstrapping lightweight development and bare-metal environments.

DNS

Monitoring

  • (2021) sysdig.com: How to monitor coreDNS 🌟 [GO CONTENT] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — Illustrates methods for monitoring CoreDNS performance within Kubernetes clusters using Prometheus metrics. Focuses on critical golden signals like request rate, latency, packet dropouts, and cache hit/miss ratios. Essential for preventing cluster-wide DNS exhaustion bottlenecks which can degrade microservice lookup times.

IPAM

Automated Workflows

  • (2023) fusionlayer.com: Software-Defined IP Address Management (IPAM) [NONE CONTENT] [ADVANCED LEVEL] [DOCUMENTATION] 🌟🌟🌟 [LEGACY] — FusionLayer Infinity provides centralized Software-Defined IP Address Management (IPAM) tailored for modern cloud networks and multi-orchestrator environments. It automates network and IP provisioning across distributed container infrastructures and edge data centers. This mitigates IP exhaustion and overlapping CIDR conflicts while bridging legacy networks with automated Kubernetes workloads.

Ingress

Comparison

  • (2021) blog.palark.com: Comparing Ingress controllers for Kubernetes [NONE CONTENT] 🌟🌟🌟 [COMMUNITY-TOOL] — A comprehensive comparative matrix of popular Kubernetes ingress controllers, including NGINX, Traefik, HAProxy, Contour, and Envoy-based proxies. It benchmarks them against metrics like protocol support (gRPC, HTTP/2, WebSockets), security, dynamic updates, and ease of deployment. Ideal for system architects choosing an ingress gateway for custom runtime workloads.

Envoy

  • (2023) getenroute.io: Drive API Security At Kubernetes Ingress Using Helm And Envoy 🌟 [GO CONTENT] [ADVANCED LEVEL] [DOCUMENTATION] 🌟🌟🌟 [COMMUNITY-TOOL] — Explores Enroute, an Envoy-based API gateway and ingress controller for Kubernetes. Detail includes securing APIs at the edge using Helm charts to deploy and configure rate-limiting, JWT authentication, and CORS policies. It provides a lightweight, performant alternative to heavy API management gateways by coupling Envoy's speed with Kubernetes-native CRDs.

Fundamentals

  • (2022) searchitoperations.techtarget.com: Differences between Kubernetes Ingress vs. load balancer [NONE CONTENT] 🌟🌟 [COMMUNITY-TOOL] — Clarifies the architectural differences between raw Kubernetes LoadBalancer services and Ingress resources. It outlines the cost and operational trade-offs of using external cloud-provider load balancers versus consolidated application-layer routing inside the cluster. Crucial for infrastructure planners looking to optimize both cloud spend and traffic routing strategies.

HAProxy

  • (2021) devclass.com: HAProxy Ingress Controller 1.5 introduces mTLS support, gives load balancing experts more power [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟 [COMMUNITY-TOOL] — Covers the release of HAProxy Ingress Controller 1.5, focusing on enterprise-grade mTLS implementation for zero-trust traffic control. It explores advanced routing capabilities, client certificate verification, and low-level performance tuning options designed for high-throughput load balancing. This update bridges the gap between traditional edge proxying and cloud-native ingress management.

NGINX

  • (2022) loft.sh: Kubernetes NGINX Ingress: 10 Useful Configuration Options 🌟 [YAML CONTENT] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — Provides 10 practical configurations for optimizing the ubiquitous NGINX Ingress Controller. It details custom annotations for rate-limiting, body-size limits, SSL redirection, CORS, and header manipulation. This technical guide serves as a quick reference for hardening and scaling web traffic paths into Kubernetes clusters.

OpenShift

  • (2020) openshift.com: gRPC or HTTP/2 Ingress Connectivity in OpenShift 🌟 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — Focuses on establishing end-to-end gRPC and HTTP/2 transport over Red Hat OpenShift Ingress and HAProxy routers. It details the TLS termination strategies and ALPN negotiations required to maintain streaming connections. Essential for high-performance microservice communication within OpenShift SDN and OVN-Kubernetes topologies.

Traefik

  • (2020) containo.us: Kubernetes Ingress & Service API Demystified [GO CONTENT] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] [LEGACY] — Evaluates the core architecture of Kubernetes Ingress resources and Service APIs, illustrating how they interact with reverse proxies. It highlights Traefik's implementation of ingress specifications, demystifying route matching, load balancing, and dynamic configuration discovery. Offers deep structural comparison between legacy Ingress and modern patterns.

Ingress Controllers (1)

Comparison (1)

  • Learnk8s: Comparison of Kubernetes Ingress controllers 🌟 [ADVANCED LEVEL] [DE FACTO STANDARD] — An industry-standard comparison spreadsheet analyzing over a dozen Kubernetes Ingress controllers. Details performance, dynamic reloading capabilities, routing protocols, and native TLS/WAF integrations.

Load Balancing

Multi-Cluster

  • (2021) cloud.redhat.com: Global Load Balancer Approaches 🌟 [NONE CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — Compares various global load balancing (GSLB) architectures for multi-cluster and multi-region Kubernetes deployments. The analysis highlights DNS-based routing, Anycast IP routing, and hybrid CDN-integrated load balancers. Addresses disaster recovery, latency-based routing, and failover topologies necessary for highly resilient cloud-native systems.

Security

Cilium Network Policy

  • (2024) ==editor.cilium.io 🌟== [TYPESCRIPT CONTENT] [DOCUMENTATION] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A visual designer created by Cilium to simplify the drafting of complex Kubernetes and Cilium-specific NetworkPolicies. It translates service dependencies into valid Kubernetes YAML rules, helping developers minimize security gaps. Highly recommended for multi-tier microservice infrastructures requiring visual validation before CI/CD deployment.

Namespace Isolation

  • (2022) loft.sh: Kubernetes Network Policies for Isolating Namespaces 🌟 [YAML CONTENT] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — Focuses exclusively on namespace-level isolation techniques using declarative Network Policies. It shows how to enforce strict multi-tenancy boundaries in shared staging or production clusters, preventing unauthorized inter-namespace discovery and communication. Highlights optimal configuration patterns to ensure strict compliance.

Network Policies (1)

  • (2022) loft.sh: Kubernetes Network Policies: A Practitioner's Guide 🌟 [YAML CONTENT] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — A comprehensive practical guide covering the execution and isolation mechanics of Kubernetes Network Policies. Step-by-step instructions detail how default-deny structures work, how selector matching functions, and how to test rules in staging. Empowers operators to block lateral movement of attackers within microservice deployments.

OpenShift (1)

  • (2020) openshift.com: Network Policies: Controlling Cross-Project Communication on OpenShift [YAML CONTENT] 🌟🌟🌟 [COMMUNITY-TOOL] — Demonstrates how to write and apply Network Policies to control namespace and cross-project isolation in Red Hat OpenShift. It covers ingress/egress restriction, labels, and integration with OpenShift SDN multi-tenant plugins. Protects multi-tenant workloads by applying rigid segmentation rules at the container network interface layer.

Packet Management

  • (2023) otterize.com: Mastering Kubernetes networking: A journey in cloud-native packet management [GO CONTENT] 🌟🌟🌟 [COMMUNITY-TOOL] — Explores deep-packet cloud-native networking with an emphasis on intent-based access controls and service-to-service communication. Discusses how modern Kubernetes clusters secure network pathways through dynamic declarative policies. Offers structural insight into how packet-level visibility helps identify data leakage and configuration drift.

Service Mesh

Linkerd

  • (2023) buoyant.io: Kubernetes network policies with Cilium and Linkerd [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — Highlights the cooperative synergy of deploying the Linkerd service mesh alongside Cilium's eBPF-based CNI. It details how to leverage Cilium for Layer 3/4 packet filtration and Linkerd for Layer 7 mTLS identity validation. This dual-layered framework provides maximum defense-in-depth security with minimal networking latency overhead.

Services

Fundamentals (1)

  • (2021) sysdig.com: Kubernetes Services: ClusterIP, Nodeport and LoadBalancer [YAML CONTENT] 🌟🌟🌟 [COMMUNITY-TOOL] — Demystifies core Kubernetes service types: ClusterIP, NodePort, and LoadBalancer. It demonstrates how kube-proxy manipulates iptables or IPVS configurations to achieve internal service discovery and round-robin load balancing. Helps operators grasp how traffic finds containerized workloads from both inside and outside the IP address space.

Traffic Flow

Troubleshooting

  • (2023) ==learnk8s.io: Tracing the path of network traffic in Kubernetes 🌟== [NONE CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — Offers an exceptional, granular breakdown of how network packets flow through a Kubernetes cluster. From physical network interfaces to IPVS/iptables rules and CNI-driven packet encapsulation (overlay vs. underlay), this visual guide untangles pod-to-pod and external traffic paths. Highly valuable for deep debugging of cluster network failures.

Observability

Cost Optimization

Data Storage

  • (2023) instana.com: The Hidden Cost of Observability: Data Volume [EN CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Analyzes the economic and architectural implications of high-cardinality and high-volume observability data. Provides strategies for dynamic rate limiting, smart sampling, and metric deduplication to prevent telemetry storage costs from scaling linearly with microservices growth.

💡 Explore Related: Cloudflare | Servicemesh | Networking