Services Deep Dive

Interactive guide to selectors, stable service identities, endpoint membership, and NodePort / LoadBalancer exposure.

Services solve the problem of ephemeral Pod IPs by giving clients a stable network abstraction over a changing set of Pods.

Core Model

Understand the Concept First

Stable IP and DNS

Clients use a stable Service identity instead of talking directly to Pod IPs.

Selector-based membership

Labels and selectors determine which Pods sit behind the Service.

Port mapping

Service port, targetPort, and optional nodePort each have different roles.

Visual Architecture

Interactive Service Networking Diagrams

Service Discovery Flow via DNS

1. Query: the client Pod frontend-app (10.244.1.5) sends a DNS query for backend-service to CoreDNS, the DNS server in kube-system that resolves Service names.
2. Returns: CoreDNS returns the Service backend-service, ClusterIP 10.96.0.50.
3. Lookup: the Endpoints for backend-service are 10.244.1.10:8080 and 10.244.2.15:8080.
4. Route to Pods: traffic reaches Backend Pod 1 or Backend Pod 2.

DNS Resolution Details

FQDN format: <service-name>.<namespace>.svc.cluster.local

Examples:
backend-service (same namespace)
backend-service.production (cross-namespace)
backend-service.production.svc.cluster.local (full FQDN)

Selector → Endpoint → Pod Relationship

Service my-backend-service has the selector app: backend, version: v1. The Endpoint Controller watches the Service and automatically maintains its Endpoints object. The selector is evaluated against all Pods in the namespace.

Endpoints for my-backend-service, ready addresses:
10.244.1.10:8080 (Pod 1)
10.244.2.15:8080 (Pod 2)

Matching Pods (in Service):
Pod 1, IP 10.244.1.10, labels app: backend, version: v1 (✓ matches)
Pod 2, IP 10.244.2.15, labels app: backend, version: v1 (✓ matches)

Non-matching Pods (excluded):
Pod 3, IP 10.244.1.20, labels app: frontend, version: v1 (✗ no match)
Pod 4, IP 10.244.2.22, labels app: backend, version: v2 (✗ no match)

iptables Rules Generation and Traffic Flow

kube-proxy runs on each node, watches Services and Endpoints, and programs iptables rules (NAT and load balancing).

KUBE-SERVICES → KUBE-SVC-XXX
DNAT 10.96.0.50:8080 → 50% 10.244.1.10:8080, 50% 10.244.2.15:8080

Traffic flow example:
1. Intercept: the frontend client Pod sends a request to 10.96.0.50:8080, and iptables NAT rewrites the destination from 10.96.0.50:8080 to a randomly chosen backend such as 10.244.1.10:8080.
2. Forward: the packet is delivered to Backend Pod 1 (10.244.1.10) or the alternate, Backend Pod 2 (10.244.2.15).

Key point: the Service ClusterIP is virtual; iptables rewrites packets to actual Pod IPs.

These diagrams show how Kubernetes services enable discovery, endpoint tracking, and traffic routing.

Lifecycle Flow

Service Routing Flow

1. Pods get labels

Backends are labeled so the Service can discover them.

2. Service selector matches

The Service identifies which Pods belong to it.

3. Endpoints are built

Kubernetes maintains the active backend endpoint list.

4. Traffic enters Service

Clients use ClusterIP, NodePort, or LoadBalancer exposure.

5. Requests reach Pods

Traffic is distributed across the matching backend Pods.

Labels are the real control surface. If the selector does not match, the Service has no effective backends.
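
The selector-to-endpoint step can be modelled in a few lines. This is an added example, not code from the original guide: it reuses the sample Pods, labels and IPs from the diagrams, while the pod names, "ready" flags and function names are assumptions made for illustration.

```python
# Added example: models how a Service's equality-based selector picks backends.
# IPs and labels are the sample values from the page's diagrams; the pod names,
# "ready" flags and function names are assumptions made for illustration.

PODS = [
    {"name": "pod-1", "ip": "10.244.1.10", "ready": True,
     "labels": {"app": "backend", "version": "v1"}},
    {"name": "pod-2", "ip": "10.244.2.15", "ready": True,
     "labels": {"app": "backend", "version": "v1"}},
    {"name": "pod-3", "ip": "10.244.1.20", "ready": True,
     "labels": {"app": "frontend", "version": "v1"}},
    {"name": "pod-4", "ip": "10.244.2.22", "ready": True,
     "labels": {"app": "backend", "version": "v2"}},
]

SERVICE = {"name": "my-backend-service",
           "selector": {"app": "backend", "version": "v1"},
           "target_port": 8080}


def mismatches(selector, labels):
    """Return {key: (wanted, actual)} for every selector key the Pod fails."""
    return {k: (v, labels.get(k)) for k, v in selector.items()
            if labels.get(k) != v}


def build_endpoints(service, pods):
    """Split Pods into ready endpoint addresses and excluded Pods with reasons."""
    selector = service["selector"]
    if not selector:
        # A Service without a selector gets no automatically managed endpoints.
        return [], {p["name"]: "service has no selector" for p in pods}
    ready, excluded = [], {}
    for pod in pods:
        diff = mismatches(selector, pod["labels"])
        if diff:
            excluded[pod["name"]] = diff  # every selector key must match
        elif not pod["ready"]:
            excluded[pod["name"]] = "matches selector but not Ready"
        else:
            ready.append(f'{pod["ip"]}:{service["target_port"]}')
    return ready, excluded


if __name__ == "__main__":
    addrs, out = build_endpoints(SERVICE, PODS)
    print("endpoints:", addrs)
    for name, why in out.items():
        print("excluded:", name, why)
```

The excluded map names the label that kept each Pod out of the Service, which is the first thing to compare against the output of kubectl describe service when a Service has no endpoints.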
YAML and Commands

Examples You Can Recognize Quickly

NodePort Service Example
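apiVersion: v1
kind: Service
metadata:
  name: myservice          # name used by the kubectl commands below
spec:
  selector:
    mycka: k8slearning     # Pods carrying this label become backends
  ports:
    - port: 8081           # Service port that clients connect to
      targetPort: 80       # container port on the backend Pods
      # nodePort omitted: Kubernetes assigns one from the node port range
  type: NodePort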
Useful Commands
kubectl get service myservice
kubectl describe service myservice
kubectl get endpoints
Decision Guide

Service Types

Type           Main use                            Scope
ClusterIP      Internal service access             Inside the cluster
NodePort       Expose through node ports           Lab, dev, simple external access
LoadBalancer   Cloud-integrated external access    Production-style external exposure
ExternalName   DNS alias to an external name       Integration with external services
The Service abstraction stays the same; the exposure model is what changes across Service types.
Use It Well

Practice and Real-World Thinking

Internal app communication

Use ClusterIP Services and DNS names between in-cluster workloads.

Lab access patterns

Use NodePort when learning or testing external access.

Selector troubleshooting

When traffic fails, always confirm the Service selector and endpoint membership first.