BestHub
Sign in
Cloud Native 9 min read

Mastering Kubernetes Services and Ingress: From ClusterIP to TLS

This article explains how Kubernetes Service and Ingress resources work as layer‑4 and layer‑7 schedulers, covering Service types, kube‑proxy modes, YAML definitions, and TLS‑enabled Ingress configuration with practical command‑line examples.

MaGe Linux Operations
MaGe Linux Operations
MaGe Linux Operations
Mastering Kubernetes Services and Ingress: From ClusterIP to TLS

Service resources provide a stable access point for dynamically managed Pods.

Service as a Layer‑4 Scheduler

The Service uses label selectors to bind to Pods that carry matching labels. Clients send requests to the Service, not directly to Pods. When a Service changes, the kube‑proxy controller updates local iptables or IPVS rules. kube‑proxy runs as a DaemonSet on every node; loading the IPVS kernel module is required for IPVS mode.

In iptables mode, kube‑proxy creates rules that capture traffic destined for the Service's ClusterIP and port, redirecting it to the backend Pods. In IPVS mode, kube‑proxy watches Service and Endpoint objects via the API server, creates IPVS rules through the netlink interface, and delegates non‑routing tasks to iptables.

Service Resource Definition

apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: prod
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 30080
  selector:
    app: myapp
    rel: stable
  type: NodePort

Accessing the Service IP automatically routes traffic to Pods matching the selector, even as Pods are added or removed.

Example commands:

# kubectl get svc
# kubectl get svc -n prod
# curl 10.105.226.215

Service Types

ClusterIP : Assigns an internal IP reachable only within the cluster; no source NAT is performed.

NodePort : Opens a port on each node that maps to the Service IP and port.

Endpoints can be created manually to point to external IPs when the name matches the Service.

# kubectl edit cm kube-proxy -n kube-system
# kubectl delete pod -l k8s-app=kube-proxy,pod-template-generation=1 -n kube-system

Ingress Resource – Layer‑7 Proxy & Scheduler

Ingress is a standard API object that manages external HTTP traffic to internal services. It defines host‑based routing rules that are translated into configuration for an ingress controller (e.g., nginx‑ingress).

# kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml

Ingress controller Service definition:

apiVersion: v1
kind: Service
metadata:
  name: ingress
  namespace: ingress-nginx
spec:
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
  - name: http
    port: 80
  - name: https
    port: 443
  type: NodePort

Deploy a backend Deployment and Service, then create an Ingress that routes to it:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: myns
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp
      rel: beta
  template:
    metadata:
      labels:
        app: myapp
        rel: beta
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
---
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: myns
spec:
  selector:
    app: myapp
    rel: beta
  ports:
  - name: http
    port: 80
    targetPort: 80
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapp
  namespace: myns
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: www.node1.com
    http:
      paths:
      - path: /
        backend:
          serviceName: myapp
          servicePort: 80

For TLS termination, generate a self‑signed certificate and reference it in the Ingress:

openssl genrsa -out myapp.key 2048
openssl req -new -x509 -key myapp.key -out myapp.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=ops/CN=www.node.com" -days 365
# kubectl create secret tls ilinux-cert -n myns --cert=myapp.crt --key=myapp.key
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tls-ingress
  namespace: myns
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - www.node.com
    secretName: ilinux-cert
  rules:
  - host: www.node1.com
    http:
      paths:
      - path: /
        backend:
          serviceName: myapp
          servicePort: 80

After applying, the Ingress controller picks up the configuration and serves the backend over HTTP or HTTPS.

# kubectl exec -it nginx-ingress-controller-568867bf56-lrm4f -n ingress-nginx -- /bin/sh
Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

KubernetesDevOpsNetworkingServiceIngress
MaGe Linux Operations
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment