# ClusterIP Service (internal only)
apiVersion: v1
kind: Service
metadata:
  name: web-app
  namespace: production
  labels:
    app: web-app
spec:
  type: ClusterIP
  selector:
    app: web-app
  ports:
    - name: http
      port: 80
      targetPort: 3000
      protocol: TCP
---
# NodePort Service (external via node ports)
apiVersion: v1
kind: Service
metadata:
  name: web-app-nodeport
  namespace: production
spec:
  type: NodePort
  selector:
    app: web-app
  ports:
    - port: 80
      targetPort: 3000
      nodePort: 30080
---
# LoadBalancer Service (cloud LB)
apiVersion: v1
kind: Service
metadata:
  name: web-app-lb
  namespace: production
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
spec:
  type: LoadBalancer
  selector:
    app: web-app
  ports:
    - port: 443
      targetPort: 3000
      protocol: TCP
---
# Headless Service (for StatefulSets / direct pod DNS)
apiVersion: v1
kind: Service
metadata:
  name: db-headless
  namespace: production
spec:
  clusterIP: None
  selector:
    app: database
  ports:
    - port: 5432
      targetPort: 5432
---
# Ingress (host- and path-based HTTP/HTTPS routing)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-app-ingress
  namespace: production
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # ingress-nginx has no "rate-limit" annotation; limit-rps is requests per second per client IP
    nginx.ingress.kubernetes.io/limit-rps: "100"
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com
        - api.example.com
      secretName: app-tls-secret
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-app
                port:
                  number: 80
    - host: api.example.com
      http:
        paths:
          - path: /v1
            pathType: Prefix
            backend:
              service:
                name: api-v1
                port:
                  number: 80
          - path: /v2
            pathType: Prefix
            backend:
              service:
                name: api-v2
                port:
                  number: 80
---
# NetworkPolicy - restrict traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-app-netpol
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: web-app
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # The namespace must carry this label; the label Kubernetes sets
              # automatically is kubernetes.io/metadata.name
              name: ingress-nginx
      ports:
        - protocol: TCP
          port: 3000   # the container port (targetPort), not the Service port
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: database
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - podSelector:
            matchLabels:
              app: redis
      ports:
        - protocol: TCP
          port: 6379
    - to: # Allow DNS
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53

Kubernetes Services provide stable networking for ephemeral Pods. A ClusterIP service exposes Pods internally within the cluster. NodePort opens a static port on every node for external access. LoadBalancer provisions a cloud load balancer. Services use selector labels to discover target Pods. The targetPort maps to the container port, while port is the service port. Ingress resources route external HTTP/HTTPS traffic to services based on host and path rules. Ingress controllers like nginx-ingress or traefik implement the routing. TLS termination uses secretName referencing a TLS certificate Secret. Path-based routing directs different URLs to different services. Annotations configure controller-specific behavior like rate limiting and CORS.
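
The manifests above can be cross-checked against each other: each Service's `targetPort` is looked up in the NetworkPolicies that select the same pods. This is an added example, not part of the original page; the helper names `covers`, `ingress_state` and `audit` are hypothetical, and it assumes a single namespace and `matchLabels`-only selectors.

```python
# Added example. Constructed input: the page's manifests reduced to the fields read here.
SERVICES = [
    {"metadata": {"name": "web-app"}, "spec": {"type": "ClusterIP",
     "selector": {"app": "web-app"}, "ports": [{"port": 80, "targetPort": 3000}]}},
    {"metadata": {"name": "web-app-nodeport"}, "spec": {"type": "NodePort",
     "selector": {"app": "web-app"}, "ports": [{"port": 80, "targetPort": 3000}]}},
    {"metadata": {"name": "web-app-lb"}, "spec": {"type": "LoadBalancer",
     "selector": {"app": "web-app"}, "ports": [{"port": 443, "targetPort": 3000}]}},
    {"metadata": {"name": "db-headless"}, "spec": {"clusterIP": "None",
     "selector": {"app": "database"}, "ports": [{"port": 5432, "targetPort": 5432}]}},
]
NETPOLS = [{"metadata": {"name": "web-app-netpol"}, "spec": {
    "podSelector": {"matchLabels": {"app": "web-app"}}, "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "ingress-nginx"}}}],
                 "ports": [{"protocol": "TCP", "port": 3000}]}]}}]

def covers(policy, selector):
    # An ingress policy selects all of a Service's pods if its matchLabels are a subset of the selector.
    labels = policy["spec"]["podSelector"].get("matchLabels", {})
    return ("Ingress" in policy["spec"].get("policyTypes", ["Ingress"])
            and all(selector.get(k) == v for k, v in labels.items()))

def ingress_state(policies, target_port):
    if not policies:
        return "no-policy"                 # pods not isolated: any source may connect
    state = "port-blocked"                 # isolated, and no rule admits this port
    for pol in policies:
        for rule in pol["spec"].get("ingress") or []:
            ports = [p["port"] for p in rule.get("ports", [])]
            if ports and target_port not in ports:
                continue
            if not rule.get("from"):
                return "open"              # port admitted from every source
            state = "peer-restricted"      # port admitted only from listed peers
    return state

def audit(services, netpols):
    rows = []
    for svc in services:
        spec = svc["spec"]
        exposure = "external" if spec.get("type") in ("NodePort", "LoadBalancer") else "internal"
        pols = [p for p in netpols if covers(p, spec.get("selector", {}))]
        for port in spec["ports"]:
            tp = port.get("targetPort", port["port"])  # targetPort defaults to port
            rows.append((svc["metadata"]["name"], exposure, tp, ingress_state(pols, tp)))
    return rows

if __name__ == "__main__":
    for row in audit(SERVICES, NETPOLS):
        print(*row)
```

On these manifests the NodePort and LoadBalancer Services come back `external` and `peer-restricted`: their clients are not pods in the `ingress-nginx` namespace, so the policy and the two external Services disagree about who may reach port 3000. `db-headless` comes back `no-policy`, because no NetworkPolicy shown here selects the `app: database` pods.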