🌐 DOMAIN 2 · Services & Networking
Service types, NetworkPolicies, CoreDNS, Ingress, Gateway API — everything traffic-related on the exam.
14 labs
Service Types
Lab 19 · Service Types (35 min)
ClusterIP, NodePort, LoadBalancer, ExternalName
Objectives
- Create each service type imperatively and declaratively
- Expose a Deployment using kubectl expose
- Understand port, targetPort, and nodePort field differences
- Test connectivity to each service type from within the cluster
Key Commands
# Expose deployment as ClusterIP
kubectl expose deployment rx-api --port=80 --target-port=8080

# Expose as NodePort
kubectl expose deployment rx-api --type=NodePort --port=80

# Test from within cluster
kubectl run test --image=busybox --rm -it --restart=Never -- wget -qO- rx-api
⚡ Exam Tip
The exam often asks you to expose a deployment on a specific port. Use kubectl expose first — it’s faster than writing a Service YAML. Use --dry-run=client -o yaml if you need to add fields.
Lab 20 · Service Discovery (40 min)
DNS-based discovery, environment variables, FQDN patterns
Objectives
- Resolve a service by short name, FQDN, and cross-namespace FQDN
- Understand the DNS pattern: svc.namespace.svc.cluster.local
- Identify when environment variable injection is used vs DNS
Key Commands
# DNS FQDN pattern
<service>.<namespace>.svc.cluster.local

# Test DNS resolution from a pod
kubectl exec -it <pod> -- nslookup rx-api.rx-dev.svc.cluster.local
kubectl exec -it <pod> -- curl http://rx-api.rx-dev/health
Ingress & Gateway API
Lab 21 · Ingress Basics (45 min)
Ingress resources, controllers, host/path routing, TLS
Objectives
- Install nginx Ingress Controller and verify it’s running
- Create an Ingress resource routing two paths to two services
- Add TLS to the Ingress using a Secret
- Debug Ingress issues with events and controller logs
Key Commands
# Create ingress imperatively
kubectl create ingress rx-ingress \
  --rule="rx.company.com/api*=rx-api:80" \
  --rule="rx.company.com/ui*=rx-ui:3000"

# Check ingress status
kubectl describe ingress rx-ingress
Lab 22 · Gateway API ⭐ NEW (60 min)
HTTPRoute, Gateway, GatewayClass — the Ingress successor
Objectives
- Install the Gateway API CRDs and a compatible controller
- Create a GatewayClass and a Gateway resource
- Define an HTTPRoute to direct traffic to backend services
- Understand how Gateway API improves on Ingress (role separation, expressiveness)
⚡ Exam Tip
Gateway API is brand new to the CKA in 2025. Expect at least one task. Focus on the three core objects: GatewayClass → Gateway → HTTPRoute. Think of them as the class definition, the instance, and the routing rules.
Network Policies
Lab 23 · Network Policies (50 min)
Ingress/egress rules, pod/namespace selectors, deny-all
Objectives
- Create a default-deny-all policy for a namespace
- Allow traffic only from specific pods using podSelector
- Allow cross-namespace traffic using namespaceSelector
- Restrict egress to specific ports and IP ranges
Key Commands
# Default deny-all ingress (safety baseline)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny, namespace: rx-prod}
spec:
  podSelector: {}   # matches ALL pods
  policyTypes: [Ingress]
⚡ Exam Tip
NetworkPolicy is high-frequency on the exam. The most common mistake: forgetting that policies are additive — multiple policies combine with OR logic. An empty podSelector: {} matches ALL pods in the namespace.
Lab 24 · Network Policies Advanced (55 min)
Combined ingress+egress, CIDR blocks, multi-policy scenarios
Objectives
- Write a policy allowing both ingress and egress with different selectors
- Use CIDR ranges to allow external IP access
- Chain multiple policies and reason about the combined effect
- Debug NetworkPolicy with kubectl exec connectivity tests
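The deny-all baseline in Lab 23 and the multi-policy reasoning in Lab 24 both come down to the same evaluation rules: a pod selected by no policy is not isolated, an empty podSelector selects every pod in the namespace, and once a pod is selected the policies combine additively (any matching rule in any selecting policy admits the traffic). The following simulator is an added example, not part of the lab material; the namespaces, pods, IPs and policies are constructed sample data, and the policy dicts mirror the shape of a NetworkPolicy manifest's spec so the same reasoning carries over to real YAML.

```python
"""Simulate NetworkPolicy ingress evaluation for the deny-all baseline and
multi-policy scenarios above. Added example, not part of the lab material;
all namespaces, pods, IPs and policies are constructed sample data."""
import ipaddress

# Constructed cluster state: namespace labels and pods (namespace, labels, pod IP).
NAMESPACES = {
    "rx-prod": {"env": "prod"},
    "rx-dev": {"env": "dev"},
    "monitoring": {"team": "sre"},
}
PODS = {
    "api":  {"ns": "rx-prod",    "labels": {"app": "rx-api"}, "ip": "10.244.1.10"},
    "ui":   {"ns": "rx-prod",    "labels": {"app": "rx-ui"},  "ip": "10.244.1.11"},
    "prom": {"ns": "monitoring", "labels": {"app": "prom"},   "ip": "10.244.2.5"},
    "dev":  {"ns": "rx-dev",     "labels": {"app": "rx-ui"},  "ip": "10.244.3.7"},
}

# Constructed policies, shaped like the spec: of a NetworkPolicy manifest.
DEFAULT_DENY = {"namespace": "rx-prod",
                "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
ALLOW_UI_TO_API = {"namespace": "rx-prod", "spec": {
    "podSelector": {"matchLabels": {"app": "rx-api"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "rx-ui"}}}],
                 "ports": [{"port": 8080}]}]}}
ALLOW_SRE_NS = {"namespace": "rx-prod", "spec": {
    "podSelector": {"matchLabels": {"app": "rx-api"}},
    "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "sre"}}}]}]}}
ALLOW_CIDR_TO_UI = {"namespace": "rx-prod", "spec": {
    "podSelector": {"matchLabels": {"app": "rx-ui"}},
    "ingress": [{"from": [{"ipBlock": {"cidr": "10.244.0.0/16",
                                       "except": ["10.244.3.0/24"]}}]}]}}


def selector_matches(selector, labels):
    """matchLabels semantics: {} matches everything, otherwise every key must match."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, src):
    """One entry of a rule's `from` list. podSelector alone is scoped to the policy's
    own namespace; podSelector + namespaceSelector in one entry is AND."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(src["ip"])
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACES[src["ns"]]):
            return False
    elif src["ns"] != policy_ns:
        return False
    if "podSelector" in peer:
        return selector_matches(peer["podSelector"], src["labels"])
    return True


def rule_matches(rule, policy_ns, src, port):
    """Empty `from` means any source; empty `ports` means any port."""
    froms, ports = rule.get("from", []), rule.get("ports", [])
    peer_ok = not froms or any(peer_matches(p, policy_ns, src) for p in froms)
    port_ok = not ports or any(p["port"] == port for p in ports)
    return peer_ok and port_ok


def ingress_allowed(policies, src_name, dst_name, port):
    """True if traffic src -> dst:port is permitted by the combined policy set."""
    src, dst = PODS[src_name], PODS[dst_name]
    selecting = [p for p in policies
                 if p["namespace"] == dst["ns"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selector_matches(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True  # no policy selects the pod, so it is not isolated
    # Additive (OR): any matching rule in any selecting policy allows the traffic.
    return any(rule_matches(r, p["namespace"], src, port)
               for p in selecting for r in p["spec"].get("ingress", []))


if __name__ == "__main__":
    chain = [DEFAULT_DENY, ALLOW_UI_TO_API, ALLOW_SRE_NS, ALLOW_CIDR_TO_UI]
    for src, dst, port in [("ui", "api", 8080), ("ui", "api", 9090),
                           ("dev", "api", 8080), ("prom", "api", 8080),
                           ("prom", "ui", 3000), ("dev", "ui", 3000)]:
        verdict = "ALLOW" if ingress_allowed(chain, src, dst, port) else "DENY"
        print(f"{src:>4} -> {dst}:{port}  {verdict}")
```

Two results are worth checking by hand: with only the default-deny policy applied nothing reaches rx-api, and adding ALLOW_UI_TO_API admits rx-ui on 8080 but not on 9090, because ports restrict the rule that carries them. The dev pod carries the same app=rx-ui label but lives in rx-dev, so a bare podSelector never matches it; that is the cross-namespace case the namespaceSelector objective is about.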
DNS
Lab 25 · CoreDNS Configuration (40 min)
Corefile, custom stubs, rewriting, forward zones
Objectives
- Locate and inspect the CoreDNS ConfigMap
- Add a custom stub zone for an internal domain
- Scale CoreDNS replicas and verify DNS still resolves
- Understand what the kubernetes plugin does in the Corefile
Key Commands
# Inspect CoreDNS config
kubectl get configmap coredns -n kube-system -o yaml

# Check CoreDNS pods
kubectl get pods -n kube-system -l k8s-app=kube-dns

# Test DNS from a pod
kubectl run dnstest --image=busybox --rm -it --restart=Never -- nslookup kubernetes
Lab 26 · DNS Troubleshooting (45 min)
Resolution failures, CoreDNS crashes, ndots, search domains
Objectives
- Diagnose DNS resolution failures with nslookup and dig from pods
- Identify CoreDNS crashes and fix misconfigured Corefiles
- Understand the ndots setting and how it affects resolution order
- Fix a broken DNS chain end-to-end
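The ndots objective above is easiest to reason about by writing out the candidate list the resolver actually tries. The simulator below is an added example, not part of the lab material; it assumes the resolv.conf kubelet generates for a pod in a namespace called rx-dev (three search domains and ndots:5, a constructed but typical configuration) and a small constructed zone standing in for what CoreDNS and its upstream would answer. It reproduces the glibc rule that a name with fewer than ndots dots is tried with each search domain appended before it is tried as given, which is why a short service name resolves in one query while an external name costs several NXDOMAIN round trips.

```python
"""Simulate the resolver search order a pod sees with the resolv.conf kubelet
writes (search list plus ndots:5). Added example, not part of the lab material;
the search list, zone contents and IPs are constructed sample data."""

# resolv.conf as generated for a pod in namespace rx-dev (constructed):
#   search rx-dev.svc.cluster.local svc.cluster.local cluster.local
#   options ndots:5
SEARCH = ["rx-dev.svc.cluster.local", "svc.cluster.local", "cluster.local"]
NDOTS = 5

# Constructed stand-in for what CoreDNS and the upstream forwarder would answer.
ZONE = {
    "rx-api.rx-dev.svc.cluster.local.": "10.96.0.20",
    "rx-api.rx-prod.svc.cluster.local.": "10.96.0.30",
    "kubernetes.default.svc.cluster.local.": "10.96.0.1",
    "api.example.com.": "203.0.113.10",
}


def query_order(name, search=SEARCH, ndots=NDOTS):
    """Return the fully qualified names a glibc-style resolver tries, in order.
    A trailing dot means absolute: no search list at all. Otherwise a name with
    fewer than ndots dots tries the search list first; a name with >= ndots dots
    is tried as given first and only then with the search list appended."""
    if name.endswith("."):
        return [name]
    absolute = name + "."
    searched = [f"{name}.{domain}." for domain in search]
    if name.count(".") >= ndots:
        return [absolute] + searched
    return searched + [absolute]


def resolve(name, zone=ZONE, search=SEARCH, ndots=NDOTS):
    """Walk the candidate list against the zone; return (answer, queries_sent).
    Every miss before the hit is a real round trip to CoreDNS answered NXDOMAIN."""
    attempts = 0
    for attempts, fqdn in enumerate(query_order(name, search, ndots), start=1):
        if fqdn in zone:
            return zone[fqdn], attempts
    return None, attempts


if __name__ == "__main__":
    for n in ["rx-api", "rx-api.rx-prod", "kubernetes", "kubernetes.default",
              "rx-api.rx-dev.svc.cluster.local", "api.example.com",
              "api.example.com.", "nosuch"]:
        answer, attempts = resolve(n)
        print(f"{n:36} -> {str(answer):14} after {attempts} query/queries")
```

Two of these cases explain common troubleshooting results: from rx-dev, plain kubernetes fails (it only exists as kubernetes.default), and even the full rx-api.rx-dev.svc.cluster.local without a trailing dot costs four queries because it has only four dots, fewer than ndots. Lowering ndots or using a trailing dot are the usual fixes when CoreDNS logs show the extra NXDOMAIN traffic.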
Pod Networking & Advanced Services
Lab 27 · Pod Networking (50 min)
Pod CIDR, overlay networks, veth pairs, IP routing
Objectives
- Understand how pods get IP addresses from the pod CIDR
- Trace a packet from pod to pod across nodes
- Inspect network interfaces inside a pod with ip addr and ip route
Lab 28 · Service Mesh Basics (45 min)
Sidecar pattern, mTLS concepts, observability
Objectives
- Understand the sidecar proxy pattern and why it’s used
- Install a minimal service mesh (Istio or Linkerd) and enable injection
- Verify mTLS between two pods using mesh telemetry
Lab 29 · LoadBalancer Services (40 min)
Cloud LB integration, MetalLB on bare metal, external IPs
Objectives
- Create a LoadBalancer service and observe external IP assignment
- Use MetalLB on kubeadm to simulate cloud LB behaviour
- Understand why LoadBalancer stays in Pending on bare metal without a controller
Lab 30 · NodePort Services (35 min)
Port ranges, iptables rules, kube-proxy modes
Objectives
- Create a NodePort service with a specific port in the 30000-32767 range
- Access the service via node IP and nodePort from outside the cluster
- Understand kube-proxy’s role in NodePort routing
Lab 31 · Headless Services (40 min)
StatefulSet DNS, direct pod addressing, no ClusterIP
Objectives
- Create a headless service (clusterIP: None) for a StatefulSet
- Resolve individual pod DNS names: pod-0.svc.namespace.svc.cluster.local
- Understand when headless services are required vs regular ClusterIP
Lab 32 · Network Troubleshooting (50 min)
Connectivity failures, kube-proxy, iptables, DNS chains
Objectives
- Systematically debug a pod that can’t reach a service
- Use kubectl exec with curl/wget/nc to test connectivity at each layer
- Check kube-proxy logs and iptables rules for service routing
- Identify CNI plugin failures as a root cause of network issues
Key Commands
# Debug connectivity systematically
kubectl exec -it <pod> -- curl -v http://<svc>:<port>
kubectl exec -it <pod> -- nslookup <svc>
kubectl exec -it <pod> -- nc -zv <svc> <port>

# kube-proxy logs
kubectl logs -n kube-system -l k8s-app=kube-proxy